Solved: Easy question for access-list configuration

Paolo Fenili · ‎01-12-2018

Dear all,

I am a newbie in the Cisco's world and I've encountered a problem.

In our company there are several different VLANs, one of which, for example the VLAN 1 (192.168.1.0), allows wireless devices to access only some local Virtual machine's IP addresses.

The problem is that I have changed these VM's IPs and consequently the connected wireless devices cannot find the VMs.

So i logged into my Core Switch and i gave "show access-list"on the cli with the following results:

Extended IP access list vlan1-to-vlanX

- 10 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.3

- 20 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.4

...and so on up to

- 80 deny ip any any (39 matches)

To solve the problem and modify the destination IP addresses I thought to give these commands:

--------------------------------------------

"conf t"

"no 10 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.3"

"^Z"

"conf t"

"10 permit ip 192.168.1.0 0.0.0.255 host 192.168.X.X"

----------------------------------------------

is that right?

Thank you very much in advance for your cooperation

paul driver · ‎01-12-2018

Hello

Your nearly correct , just a slight change

sh ip access-list vlan1-to-vlan

conf t
ip access-list extended vlan1-to-vlan

no 10

10 permit ip 192.168.1.0 0.0.0.255 host 192.168.X.X
exit

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

mateens · ‎01-12-2018

I am not an expert at this but i would do like this...

en

conf t

-Enter the specific access-list as there can be many configured i.e

Extended IP access list vlan1-to-vlanX

-Delete the unwanted acl i.e

no 10 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.3

-verify with show command that the acl is deleted.

Then you can add your new permit entry.

Tip: Use a destination subnet address if you can instead of mentioning individual IP addresses.

google subnet-calculator and use it...

Paolo Fenili · ‎01-12-2018

Thank you for your answer @mateens

However when I apply that, it returns the following error:

en
conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sc1(config)#Extended IP access list vlan1-to-vlanX
             ^
% Invalid input detected at '^' marker.

if i give this directly, it returns this error:

sc1(config)#no 10 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.3
               ^ 
% Invalid input detected at '^' marker.

paul driver · ‎01-12-2018