06-17-2007 11:52 PM - edited 03-03-2019 05:29 PM
Hi,
I need to implement an access-list that will:
1. allow FTP access to a client machine
2. block all incoming and outgoing traffic to and from the LAN
For example, IP 172.9.2.2 of VLAN 1 needs to have access to IP 192.168.2.2 of VLAN 2. Block all other traffic. The access-list needs to be implemented on VLAN 2.
06-18-2007 12:16 AM
Hi Seetharaman,
The commands for your setup are:
access-list 101 permit tcp host 172.9.2.2 host 192.168.2.2 eq 21
access-list 101 deny ip any any
Assuming 192.168.2.2 is the ftp server where only 172.9.2.2 should access the ftp service.
06-18-2007 01:23 AM
Hi Anandanarayan,
Yes, 192.168.2.2 is the FTP server. Also, 192.168.2.2 should not be allowed to access any resource on any other system in VLAN 1.
Kindly let me know whether the access-group should be bound as "in" or "out" on the VLAN 2 interface.
06-18-2007 02:21 AM
Hi Seetharaman,
On the VLAN 2 interface it should be "in", i.e.:
interface vlan 2
ip address x.x.x.x x.x.x.x
ip access-group 101 in
With the previously mentioned commands in my earlier post, VLAN 2 will not be accessible by any other VLANs, including VLAN 1.
06-18-2007 05:46 AM
Dear Ananda narayan,
It's not happening. I opened both ports 20 and 21.
06-19-2007 04:24 AM
Hi Seetharaman,
Can I know what commands you have issued? Just paste the configuration.
06-19-2007 05:07 AM
The way you have the ACL written, it should be applied into VLAN 1. You need to look at it as the ACL being applied into the interface which is a member of VLAN 1, since the source in your ACL is a VLAN 1 address. Being applied into VLAN 2 will have no effect, as a 172. address will never be the source going "into" a VLAN 2 port. The other alternative would be to apply the ACL as "out" of VLAN 2.
access-list 101 permit tcp host 172.9.2.2 host 192.168.2.2 eq 21
access-list 101 deny ip any any
int vlan 1
ip access-group 101 in
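To make the direction point in the last reply concrete, here is an added example that is not part of the thread and not Cisco code: a small Python model of how a router with two SVIs evaluates ACL 101 depending on which interface and direction it is bound to. It assumes VLAN 1 is 172.9.2.0/24 and VLAN 2 is 192.168.2.0/24 (the thread only gives the two host addresses), treats the ACL as stateless (no "established" keyword), and ignores the separate FTP data connection; the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


# ACL 101 exactly as posted in the thread: (action, protocol, source, destination, dest port)
ACL_101 = [
    ("permit", "tcp", "172.9.2.2/32", "192.168.2.2/32", 21),
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Assumed topology: one SVI per VLAN; a packet enters on the SVI whose subnet holds
# its source address and leaves on the SVI whose subnet holds its destination.
VLAN_SUBNETS = {
    "vlan1": ip_network("172.9.2.0/24"),    # assumption: thread only names 172.9.2.2
    "vlan2": ip_network("192.168.2.0/24"),  # assumption: thread only names 192.168.2.2
}


def acl_lookup(acl: List[tuple], pkt: Packet) -> str:
    """First-match evaluation, with the implicit 'deny' at the end of every IOS ACL."""
    for action, proto, src_net, dst_net, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in ip_network(src_net):
            continue
        if ip_address(pkt.dst) not in ip_network(dst_net):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


def svi_for(addr: str) -> str:
    for name, net in VLAN_SUBNETS.items():
        if ip_address(addr) in net:
            return name
    raise ValueError(f"no SVI for {addr}")


def forward(pkt: Packet, bindings: Dict[Tuple[str, str], list]) -> Tuple[str, list]:
    """bindings maps (svi, 'in'|'out') -> ACL. Returns the verdict and which bindings were consulted."""
    ingress, egress = svi_for(pkt.src), svi_for(pkt.dst)
    consulted = []
    for key in ((ingress, "in"), (egress, "out")):
        acl = bindings.get(key)
        if acl is None:
            continue  # no ACL bound here: packet is not inspected at this point
        consulted.append(key)
        if acl_lookup(acl, pkt) == "deny":
            return "deny", consulted
    return "permit", consulted


# Constructed sample packets: the client's FTP control SYN, the server's reply to the
# client's ephemeral port, and a second VLAN 1 host that should be refused.
CLIENT_REQUEST = Packet("172.9.2.2", "192.168.2.2", "tcp", 21)
SERVER_REPLY = Packet("192.168.2.2", "172.9.2.2", "tcp", 49152)
OTHER_HOST = Packet("172.9.2.9", "192.168.2.2", "tcp", 21)

# The three placements discussed in the thread.
IN_ON_VLAN2 = {("vlan2", "in"): ACL_101}
IN_ON_VLAN1 = {("vlan1", "in"): ACL_101}
OUT_ON_VLAN2 = {("vlan2", "out"): ACL_101}


def ftp_session_works(bindings: Dict[Tuple[str, str], list]) -> bool:
    """True only if the client's request and the server's reply both get through."""
    return (forward(CLIENT_REQUEST, bindings)[0] == "permit"
            and forward(SERVER_REPLY, bindings)[0] == "permit")


if __name__ == "__main__":
    for label, b in (("in on vlan2", IN_ON_VLAN2), ("in on vlan1", IN_ON_VLAN1), ("out on vlan2", OUT_ON_VLAN2)):
        print(label, "request:", forward(CLIENT_REQUEST, b), "reply:", forward(SERVER_REPLY, b),
              "other host:", forward(OTHER_HOST, b)[0])
```

Run as-is, the model shows why the original placement fails: with ACL 101 inbound on VLAN 2, the client's request is never inspected, but the server's reply (source 192.168.2.2) is, and it hits "deny ip any any", so the control connection never completes. Inbound on VLAN 1 or outbound on VLAN 2, the request is permitted, the reply is not filtered, and the other VLAN 1 host is refused. The FTP data connection (port 20 active, or an ephemeral port passive) is a separate TCP session that this single permit line does not cover, which is where the "I opened both ports 20 and 21" remark fits in.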