How to allow ACL one way only on Catalyst 9500

Mahmoud Marie
Level 1

Hello,

We have HR in VLAN 50, IP range 10.50.50.0/24, and IT in VLAN 30, IP range 10.30.30.0/24, on the same layer 3 switch (C9500).

I need to let only IT connect to HR, from VLAN 30 to VLAN 50, and block HR from connecting to IT.

Your help is appreciated.

Thanks,

5 Replies

balaji.bandi
Hall of Fame

How about an example like the one below:

SWITCH(config)#access-list 100 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
SWITCH(config)#access-list 100 permit ip any any
SWITCH(config)#int vlan 50
SWITCH(config-if)#ip access-group 100 in

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji,

Thank you for your reply.

Can I use it with an extended ACL, as we use it like the below:

SWITCH(config)#ip access-list extended IT
SWITCH(config-ext-nacl)#100 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
SWITCH(config-ext-nacl)#500 permit ip any any

So can I allow the connection from IT to HR only?

Thanks


Sure, you can use it; it depends on your convenience.

BB


That won't work, because that ACL will also block return traffic from HR to IT, since ACLs are not stateful.

As MHM says, you need reflexive ACLs or a firewall to make that work.

If it is just TCP connections you could also look at the "established" keyword. 

Jon

"I need to let only IT connect to HR, from VLAN 30 to VLAN 50, and block HR from connecting to IT."
That, from my view, cannot be done except in the case of a reflexive ACL.
https://networklessons.com/cisco/ccie-routing-switching/reflexive-access-list
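Putting the replies together, here is an added example (not configuration from any of the posters) showing why the single stateless ACL fails and the two fixes mentioned in the thread: a reflexive ACL, and, for TCP only, the established keyword. The ACL names, the session-list name, the 300-second timeout and the interface names Vlan30/Vlan50 are assumptions, as is that the switch's IOS XE release supports reflexive ACLs.

```cisco
! Original idea: one stateless ACL inbound on VLAN 50 (names assumed).
! Problem: it also drops HR's replies to sessions that IT started,
! because those reply packets are sourced from 10.50.50.0/24.
ip access-list extended HR-STATELESS
 100 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
 500 permit ip any any
!
! Fix 1: reflexive ACL. IT -> HR traffic entering VLAN 30 creates
! temporary mirror entries in IT-HR-SESSIONS; the ACL on VLAN 50
! evaluates those entries before the deny, so only replies to
! IT-initiated sessions get back and anything HR initiates is dropped.
ip access-list extended IT-TO-HR
 permit ip 10.30.30.0 0.0.0.255 10.50.50.0 0.0.0.255 reflect IT-HR-SESSIONS timeout 300
 permit ip any any
!
ip access-list extended HR-TO-IT
 evaluate IT-HR-SESSIONS
 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
 permit ip any any
!
interface Vlan30
 ip access-group IT-TO-HR in
!
interface Vlan50
 ip access-group HR-TO-IT in
!
! Fix 2 (TCP only): "established" matches packets with ACK or RST set,
! i.e. segments belonging to an existing TCP connection, but not a new
! SYN from HR. Weaker than Fix 1 because it checks flags, not real
! session state, and it does nothing for UDP or ICMP.
ip access-list extended HR-TO-IT-TCP
 permit tcp 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255 established
 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
 permit ip any any
```

Verify the reflexive entries with show ip access-lists IT-HR-SESSIONS while an IT host has a session open to HR; the mirror entry should appear and then age out after the timeout.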
