access list in switch

vishalpatil86
Level 7

hi,

I have created two access lists, 111 and 121, which have been applied to interface vlan 10: 111 out and 121 in.

The ACL contains only permit statements. I didn't permit ftp traffic, but it is allowing the traffic.

According to my knowledge, a packet flows from top to bottom in an access list; if it doesn't find any match, it will drop the packet.

But here, it is not dropping the packet.

any suggestions???

10 Replies

Latchum Naidu
VIP Alumni

Hi Vishal,


If your rules are like ip to ip, which means everything is allowed, like below:

access-list 100 permit ip 192.168.102.0 0.0.0.255 10.250.20.0 0.0.0.255

In your case, if you want to block the ftp, then write the rule like below:

access-list 100 deny tcp 192.168.102.0 0.0.0.255 10.250.20.0 0.0.0.255 eq 21


HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.

If the response from Naidu does not completely answer the issue for Vishal then he should post the interface configuration and the access list configuration.

HTH

Rick

Hi Vishal,

I thought the same as Rick said: if my solution doesn't solve your current issue, then I would ask you to provide the interface and access-list configuration.

HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.

hi,

here is the access list I have created -

access-list 111 permit icmp 10.5.5.128 0.0.0.127 10.5.5.0  0.0.0.127
access-list 111 permit tcp 10.5.5.128 0.0.0.127  eq 25 10.5.5.0  0.0.0.127
access-list 111 permit tcp 10.5.5.128 0.0.0.127  eq 80 10.5.5.0  0.0.0.127
access-list 111 permit tcp 10.5.5.128 0.0.0.127  eq 53 10.5.5.0  0.0.0.127
access-list 111 permit udp 10.5.5.128 0.0.0.127  eq 53 10.5.5.0  0.0.0.127
access-list 121 permit tcp 10.5.5.189 0.0.0.127  172.16.0.0 0.0.0.255 eq 2463

interface vlan 10
ip access-group 111 out
ip access-group 121 in

Hi Vishal,

I would request you to keep access-list 111 applied in under vlan 10. This will definitely solve your problem.


access-list 111 permit tcp 10.5.5.128 0.0.0.127 10.5.5.0  0.0.0.127 eq 5813
access-list 111 permit tcp 10.5.5.128 0.0.0.127 10.5.5.0  0.0.0.127  eq 25
access-list 111 permit tcp 10.5.5.128 0.0.0.127 10.5.5.0  0.0.0.127 eq 80
access-list 111 permit tcp 10.5.5.128 0.0.0.127 10.5.5.0  0.0.0.127 eq 53
access-list 111 permit udp 10.5.5.128 0.0.0.127 10.5.5.0  0.0.0.127 eq 53
access-list 111 permit tcp 10.5.5.189 0.0.0.127 172.16.0.0 0.0.0.255 eq 2463

interface vlan 10
ip access-group 111 in


HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.

That's what I did, I have applied it to interface vlan 10. Never mentioned here.

Hi,

As per your previous post you have applied two access-groups (in and out), so I said to keep only a single access-group, as in.

Ok, still you can do one thing...
add the below statement at last.

access-list 111 deny ip any any

OR you can restrict the ftp access from source to destination like below...

access-list 111 deny tcp 10.5.5.128 0.0.0.127 10.5.5.0  0.0.0.127 eq ftp


Please rate the helpful posts.
Regards,
Naidu.
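To make the thread's point about top-down matching and the implicit deny concrete, here is an added example (not from the thread or from Cisco): a small Python evaluator for the numbered extended ACL lines posted above. It parses the OP's ACL 111, where `eq 25` sits before the destination and therefore tests the source port, and the corrected form with destination ports and an explicit `deny ip any any`, then runs constructed SMTP and FTP packets through both.

```python
import ipaddress

NAMED_PORTS = {"ftp": 21, "smtp": 25, "www": 80, "domain": 53}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src wc [eq p] dst wc [eq p]' into a dict."""
    tok, i = line.split(), 4
    ace = {"action": tok[2], "proto": tok[3], "sport": None, "dport": None}
    for side in ("src", "dst"):
        ace[side] = ("0.0.0.0", "255.255.255.255") if tok[i] == "any" else (tok[i], tok[i + 1])
        i += 1 if tok[i] == "any" else 2
        if i < len(tok) and tok[i] == "eq":  # 'eq' right after the source = SOURCE port test
            ace["sport" if side == "src" else "dport"] = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
    return ace

def matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])
            and all(ace[k] is None or ace[k] == pkt.get(k) for k in ("sport", "dport")))

def evaluate(acl_lines, pkt):
    """Top-down, first match wins; ('deny', None) is the implicit deny at the end."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], n
    return "deny", None

# ACL 111 as the OP posted it: 'eq 25' comes before the destination, so it is a SOURCE port test.
OP_ACL = [
    "access-list 111 permit icmp 10.5.5.128 0.0.0.127 10.5.5.0 0.0.0.127",
    "access-list 111 permit tcp 10.5.5.128 0.0.0.127 eq 25 10.5.5.0 0.0.0.127",
    "access-list 111 permit tcp 10.5.5.128 0.0.0.127 eq 80 10.5.5.0 0.0.0.127",
]
# The form suggested in the thread: ports on the destination side, explicit deny last.
FIXED_ACL = [
    "access-list 111 permit tcp 10.5.5.128 0.0.0.127 10.5.5.0 0.0.0.127 eq 25",
    "access-list 111 permit tcp 10.5.5.128 0.0.0.127 10.5.5.0 0.0.0.127 eq 80",
    "access-list 111 deny ip any any",
]
# Constructed sample packets: a client in 10.5.5.128/25 talking to a server in 10.5.5.0/25.
SMTP = {"proto": "tcp", "src": "10.5.5.130", "sport": 40000, "dst": "10.5.5.10", "dport": 25}
FTP = {"proto": "tcp", "src": "10.5.5.130", "sport": 40001, "dst": "10.5.5.10", "dport": 21}
```

Under either ACL the FTP packet ends at a deny (implicit in the OP's, line 3 in the corrected one), while the client's SMTP packet only gets through once the port test is on the destination side; if FTP still passes on the switch, the check to make is whether ACL 111 is actually applied on the path and direction that traffic takes.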

ok, I will do that and let you know

I have one more doubt. What is the difference between access list and ip access list?

Hi Vishal,


Previously we were limited to using numbers, that is 'access-list 10 permit....'
The latter allows you to use a named ACL, i.e. 'ip access-list extended MYACL'


Please rate the helpful posts.
Regards,
Naidu.

thank you