12-11-2010 03:51 PM - edited 03-04-2019 10:45 AM
I have a 3750-X and I am trying to apply a port ACL to protect a server.
Port 17 has a server plugged into it that I am trying to protect and allow only two hosts to communicate with it. So I do the following:
access-list 17 permit xxx.xxx.xxx.1
access-list 17 permit xxx.xxx.xxx.2
Interface Gi1/0/17
- ip access-group 17 in
This kills all communication with the server from any host. What am I doing wrong here?
Thanks
12-11-2010 04:12 PM
Access-list 17 is a standard ACL. It matches on source addresses.
Because it is applied to the port where the server is on, traffic is matched in the wrong direction.
You should change it to an extended acl (i.e. 117) and match source and destinations as desired.
regards,
Leo
12-12-2010 12:07 AM
Change the direction:
ip access-group 17 out
12-12-2010 06:10 AM
Hi,
Check out the link below for configuring port-based ACLs in switches:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.pdf
If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or a specific host.
If you apply an ACL in the 'in' direction, the source must be within the VLAN subnet while the destination can be anything.
So apply the ACL in the out direction with an extended ACL.
Hope this helps!
Ganesh.H
Remember to rate the helpful post
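The extended ACL that Leo and Ganesh recommend, written out as an added example (this is not configuration from the thread). The addresses are assumptions, since the post masks them as xxx.xxx.xxx: the two permitted hosts are taken as 192.0.2.1 and 192.0.2.2 and the server on Gi1/0/17 as 192.0.2.100; the ACL name SERVER-GI17-IN is illustrative. On a 3750 a port ACL on a Layer 2 interface is applied inbound, so the example keeps the `in` direction from the original post and changes what the list matches instead.

```cisco
! Why "access-list 17" inbound on Gi1/0/17 dropped everything: a standard
! ACL tests only the SOURCE address, and the only packets entering the
! switch on that port are the server's own replies, whose source is
! 192.0.2.100 (assumed). Neither permit line matches, so the implicit
! deny at the end of the list drops every reply.
!
! Extended ACL: match the server as source and the two hosts as destination.
ip access-list extended SERVER-GI17-IN
 remark replies from the server (assumed 192.0.2.100) to the two permitted hosts
 permit ip host 192.0.2.100 host 192.0.2.1
 permit ip host 192.0.2.100 host 192.0.2.2
 remark explicit deny so the hit counter shows what is being dropped
 deny   ip any any
!
interface GigabitEthernet1/0/17
 description protected server
 ip access-group SERVER-GI17-IN in
!
! Verify after sending traffic from a permitted and a non-permitted host:
! show ip access-lists SERVER-GI17-IN
! show running-config interface GigabitEthernet1/0/17
```

Note what this does and does not achieve: applied inbound on the server's own port, the list only filters packets the server sends, so other hosts' packets still reach the server and merely get no reply. To drop them before delivery, filter inbound on the ports (or uplink) where the other hosts enter the switch with `deny ip any host 192.0.2.100` after the two permits, or use a VLAN ACL as in the guide Ganesh linked.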