02-02-2018 07:29 AM - edited 03-05-2019 09:51 AM
This might be a pretty simple to answer question and am hoping that it is. I have a current ACL in place for my wireless guest network that looks like the following:
ip access-list extended wireless-guest
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
deny ip any xxx.xx.0.0 0.0.255.255 (masked for privacy)
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
As you can see we are allowing access to all but the two specified subnets. However, I have four addresses in the 1st subnet that require web access. What is the approach to grant access to those hosts? If I create a permit statement it seems to be trumped by the deny statement and I do not achieve access to the clients. Am I having to create deny ranges around the specified hosts? Thank you in advance
02-02-2018 07:42 AM
Not really sure what you are asking.
If you want to allow traffic to certain clients within a subnet but block all other traffic to that subnet then just add the permit statements before the deny statements, as ACLs are processed in order from the top.
If you want to discuss specifics then perhaps provide more detail, i.e. IPs and direction of ACL etc.
Jon
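To make the ordering point concrete, here is a small first-match evaluator for Cisco-style extended ACL syntax. It is an added example written for this thread, not code from the original post or from Cisco; the addresses are constructed: 172.16.0.0/16 stands in for the masked subnet, 172.16.5.10 to .13 are hypothetical web servers the guests must reach, and 192.168.50.20 is an assumed guest client. The same ACL is parsed twice, once with the host permits placed after the subnet deny (the OP's situation) and once with them placed before it, and the evaluator reports which entry each test packet hits.

```python
"""First-match evaluation of a Cisco-style extended ACL (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords used in the thread's ACL; 'www' is included for the web-host permits.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"; only entries with protocol "ip" match anything else
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    proto: str      # "ip", "tcp" or "udp"
    src_net: int
    src_wild: int
    sport: Optional[int]
    dst_net: int
    dst_wild: int
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text):
    """Parse an 'ip access-list extended' block into its ordered permit/deny entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue  # header line, remarks and blanks carry no match logic
        action, proto = tokens[0], tokens[1]
        src_net, src_wild, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst_net, dst_wild, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append(Entry(action, proto, src_net, src_wild, sport, dst_net, dst_wild, dport))
    return entries


def _addr_matches(addr, net, wild):
    """Cisco wildcard semantics: a 1 bit means 'don't care', so compare only the 0 bits."""
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & (~wild & 0xFFFFFFFF)) == 0


def _entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _addr_matches(p.src, e.src_net, e.src_wild) or not _addr_matches(p.dst, e.dst_net, e.dst_wild):
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(entries, packet):
    """Return (action, index) of the first matching entry; the implicit deny at the end has index None."""
    for idx, e in enumerate(entries):
        if _entry_matches(e, packet):
            return e.action, idx
    return "deny", None


# Constructed ACLs: 172.16.0.0/16 stands in for the masked subnet, .5.10-.13 are hypothetical web hosts.
WEB_HOSTS = ["172.16.5.10", "172.16.5.11", "172.16.5.12", "172.16.5.13"]
HOST_PERMITS = "\n".join(f" permit tcp any host {h} eq www" for h in WEB_HOSTS)
GUEST = "192.168.50.20"  # assumed guest client address

ACL_PERMITS_AFTER_DENY = f"""
ip access-list extended wireless-guest
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 10.0.0.0 0.255.255.255
{HOST_PERMITS}
 permit ip any any
"""

ACL_PERMITS_BEFORE_DENY = f"""
ip access-list extended wireless-guest
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
{HOST_PERMITS}
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
"""


def check_web_hosts(acl_text):
    """Action taken on guest HTTP traffic to each web host under the given ACL."""
    entries = parse_acl(acl_text)
    return {h: evaluate(entries, Packet("tcp", GUEST, h, 51000, 80))[0] for h in WEB_HOSTS}


def check_other_host(acl_text):
    """A host in the same /16 that is not in the permit list must stay blocked in either ordering."""
    return evaluate(parse_acl(acl_text), Packet("tcp", GUEST, "172.16.5.99", 51001, 80))[0]


if __name__ == "__main__":
    for label, acl in (("permits after deny", ACL_PERMITS_AFTER_DENY), ("permits before deny", ACL_PERMITS_BEFORE_DENY)):
        print(f"{label}: web hosts {check_web_hosts(acl)}, other host {check_other_host(acl)}")
```

With the permits below the deny, every web host packet stops at the `deny ip any 172.16.0.0 0.0.255.255` line (entry index 2) and never reaches its permit; with the permits above it, the host entries match first and the rest of the /16 is still caught by the deny. That is exactly the top-down, first-match behaviour Jon describes.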
02-02-2018 10:55 AM
A little haste on my part, the rules were indeed out of order. Placed in the proper order permit => Deny and everything works as planned. Thank you Jon