cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
560
Views
0
Helpful
5
Replies

How to allow ACL one way only on Catalyst 9500

Mahmoud Marie
Level 1
Level 1

Hello,

we have HR in vlan 50 ip range 10.50.50.0/24 and IT in vlan 30 ip range 10.30.30.0/24 at the same layer 3 switch. (C9500)

I need to let the IT only can connect to HR from Vlan 30 to Vlan 50. and HR blocked to connect to IT.

Your help is appreciated.

Thanks,

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

how about example like below :

SWITCH(config)#access-list 100 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255
SWITCH(config)#access-list 100 permit ip any any
SWITCH(config)#int vlan 50
SWITCH(config-if)#ip access-group 100 in

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji,

Thank you for your replay

Can I used it with extended ACL as we use it as the below:

#ip access-list extended IT (config)

#100 deny ip 10.50.50.0 0.0.0.255 10.30.30.0 0.0.0.255

#500 permit ip any any 

so can I allow the connection from IT to HR only 

Thanks

 

Sure you can use depends on your convenience to use.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

 

That won't work because that acl will also block return traffic from HR to IT because acls are not stateful. 

As MHM says you need reflexive acls or a firewall to make that work. 

If it is just TCP connections you could also look at the "established" keyword. 

Jon

""I need to let the IT only can connect to HR from Vlan 30 to Vlan 50. and HR blocked to connect to IT.""
that from my view can not except the case reflexive-ACL 
https://networklessons.com/cisco/ccie-routing-switching/reflexive-access-list

Review Cisco Networking for a $25 gift card