Cisco 4507-R switch ACL between VLAN failed

mrxlast
Level 1

Hi there.

Need your expertise on this.

 

I've tried several ways to make an ACL on the Cisco 4507R switch, but it seems to have failed.

The situation is like this.

My PC is on VLAN 9, while I have an Oracle server on VLAN 10 that uses port 1521. For starters, I want to make a test to deny my IP address access to that particular server, and my command is as below:

deny tcp 192.200.9.126 0.0.0.255 192.200.10.14 0.0.0.255 eq 1521

but it failed to do so. I can still connect to the server, i.e. the application/software can still access that particular server.

Is there any other way to do it?

5 Replies

luis_cordova
VIP Alumni

Hi @mrxlast,

Try this ACL to block your IP:

deny tcp host 192.200.9.126 host 192.200.10.14 eq 1521

permit ip any any

Remember that you must apply the ACL on the interface that will route that traffic.

Query: do you know the use of port 1521?

https://www.speedguide.net/port.php?port=1521

Regards

Hi @luis_cordova,

I'm aware of the port, and I want to control the number of connections that connect to the server.

"Remember that you must apply the ACL on the interface that will route that traffic"

Does this mean I have to configure it on the interface that is connected to the server?

Hello

No, you do not have to apply the ACL to the access port, only to the SVI of the VLAN:

access-list 100 deny tcp host 192.200.9.126 host 192.200.10.14 eq 1521

access-list 100 permit ip any any

int vlan 10

ip access-group 100 out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @mrxlast,

In your case, the ACL can be applied on the SVI associated with VLAN 9, since the SVI in your switch is responsible for routing the traffic of that VLAN.

For example, if your ACL has the number 101:

S(config)#interface vlan 9

S(config-if)# ip access-group 101 in

Regards

While we are discussing aspects of access lists, such as whether you assign the ACL on an interface near the destination or near the source, we might also want to clarify that the ACL is assigned as "in" or "out". This is from the perspective of the switch interface, so "in" is from the connected hosts coming into the switch interface, and "out" is from the switch interface out to the connected hosts.

HTH

Rick
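To make the three points in this thread concrete (Paul's ACL on SVI 10 "out", Luis's alternative on SVI 9 "in", and Rick's note on what "in" and "out" mean on an SVI), here is an added example that is not from any of the posts or from Cisco. It is a small offline model in Python of documented IOS extended-ACL semantics: first matching entry wins, every ACL ends with an implicit deny, `host X` is `X 0.0.0.0`, `any` is `0.0.0.0 255.255.255.255`, and wildcard bits set to 1 are don't-care bits. The VLAN membership table and the second VLAN 9 host 192.200.9.50 are constructed for the example; the two ACLs are the ones posted in the thread.

```python
"""Offline model of IOS extended-ACL matching on an SVI. Added example, not
from the thread or from Cisco IOS; it implements documented IOS semantics:
first match wins, implicit deny at the end, 'host X' == 'X 0.0.0.0',
'any' == '0.0.0.0 255.255.255.255', wildcard 1-bits are don't-care bits."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp", ...
    src: str              # source IPv4 address
    dst: str              # destination IPv4 address
    dport: Optional[int]  # destination port, None when not applicable


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]  # port after "eq", None if absent


def _addr(tokens):
    """Consume one IOS address spec; return (address, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(IPv4Address(tokens[1])), 0, tokens[2:]
    return int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1])), tokens[2:]


def parse_acl(text):
    """Parse numbered or bare extended-ACL lines (the subset used in the thread)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":   # numbered form: drop "access-list <n>"
            t = t[2:]
        action, proto = t[0], t[1]
        src, sw, t = _addr(t[2:])
        dst, dw, t = _addr(t)
        dport = int(t[1]) if t[:1] == ["eq"] else None
        entries.append(Ace(action, proto, src, sw, dst, dw, dport))
    return entries


def _addr_matches(addr, wild, ip):
    care = ~wild & 0xFFFFFFFF   # only bits that are 0 in the wildcard are compared
    return (int(IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl, flow):
    """First-match evaluation, ending in the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if not _addr_matches(ace.src, ace.src_wild, flow.src):
            continue
        if not _addr_matches(ace.dst, ace.dst_wild, flow.dst):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


def svi_consulted(flow, svi_vlan, direction, vlan_of):
    """Is 'ip access-group <n> <direction>' on 'interface vlan <svi_vlan>' hit by this flow?
    'in'  = packet enters the switch from a host in that VLAN, before routing.
    'out' = packet has been routed and leaves towards a host in that VLAN.
    Same-VLAN traffic is bridged and never reaches a router ACL on an SVI."""
    src_vlan, dst_vlan = vlan_of[flow.src], vlan_of[flow.dst]
    if src_vlan == dst_vlan:
        return False
    return (direction == "in" and svi_vlan == src_vlan) or \
           (direction == "out" and svi_vlan == dst_vlan)


def decision(acl, flow, svi_vlan, direction, vlan_of):
    if not svi_consulted(flow, svi_vlan, direction, vlan_of):
        return "not-consulted"
    return evaluate(acl, flow)


# ACL from the accepted answer, as posted.
THREAD_ACL = """
access-list 100 deny tcp host 192.200.9.126 host 192.200.10.14 eq 1521
access-list 100 permit ip any any
"""
# The original poster's first attempt, as posted (wildcard masks, no permit line).
FIRST_TRY = "deny tcp 192.200.9.126 0.0.0.255 192.200.10.14 0.0.0.255 eq 1521"
# Constructed VLAN membership; 192.200.9.50 is a made-up second host in VLAN 9.
VLAN_OF = {"192.200.9.126": 9, "192.200.9.50": 9, "192.200.10.14": 10}


def demo():
    acl = parse_acl(THREAD_ACL)
    pc_to_oracle = Flow("tcp", "192.200.9.126", "192.200.10.14", 1521)
    other_to_oracle = Flow("tcp", "192.200.9.50", "192.200.10.14", 1521)
    pc_to_ssh = Flow("tcp", "192.200.9.126", "192.200.10.14", 22)
    oracle_reply = Flow("tcp", "192.200.10.14", "192.200.9.126", 51000)  # constructed ephemeral port
    return {
        "svi10_out_pc_1521":    decision(acl, pc_to_oracle, 10, "out", VLAN_OF),     # deny
        "svi9_in_pc_1521":      decision(acl, pc_to_oracle, 9, "in", VLAN_OF),       # deny
        "svi10_in_pc_1521":     decision(acl, pc_to_oracle, 10, "in", VLAN_OF),      # not-consulted
        "svi10_out_other_1521": decision(acl, other_to_oracle, 10, "out", VLAN_OF),  # permit
        "svi10_out_pc_22":      decision(acl, pc_to_ssh, 10, "out", VLAN_OF),        # permit
        "svi10_out_reply":      decision(acl, oracle_reply, 10, "out", VLAN_OF),     # not-consulted
        "first_try_other_1521": evaluate(parse_acl(FIRST_TRY), other_to_oracle),     # deny
        "first_try_pc_22":      evaluate(parse_acl(FIRST_TRY), pc_to_ssh),           # deny
    }
```

Two things the model makes visible that the posts only state. First, the same PC-to-Oracle flow is denied both by ACL 100 "out" on SVI 10 and by the same ACL "in" on SVI 9, but an ACL bound "in" on SVI 10 never sees it at all, so a correctly written ACL bound in the wrong direction "fails" exactly as the original poster described. Second, the first attempt with 0.0.0.255 wildcards matches every host in 192.200.9.0/24, and because it has no permit line the implicit deny drops all other traffic too, so the `host` keywords plus the trailing `permit ip any any` in the accepted answer are not cosmetic. The model only covers router ACLs on SVIs; it does not model VLAN ACLs or port ACLs, and it does not count connections, which an ACL cannot do.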
