08-12-2009 05:25 AM - edited 03-06-2019 07:12 AM
Not an access list guy. Never had to do much of it...until today.
I have a 3750 switch. Ports 1-4 are VLAN100, the rest are VLAN 1. I have a host 10.10.10.10 that needs to talk to the NTP server plugged into port 4 at 10.100.100.100. I don't want that host to talk to anyone else on that network.
I was just going to go to config mode and do an ip access-list 101 10.10.10.10 0.0.0.0 10.100.100.100 0.0.0.0 and that's it.
Anything better than that?
James
08-12-2009 05:33 AM
One other quick question. On the 3750s, are the ports switchports by default? Or do I need to enter the command "switchport" on all interfaces to make them switchports?
Thanks again.
08-12-2009 05:45 AM
That would block everyone else too! Try something like-
ip access-list extended Allow_NTP
permit udp host 10.10.10.10 host 10.100.100.100 eq 123
deny ip host 10.10.10.10 any
permit ip any any
Hope that helps.
08-12-2009 06:52 AM
I do want to block everyone else. Sorry I wasn't clear about that.
No other host on the 10.10.10 network should be able to go to VLAN 100.
James
08-12-2009 06:55 AM
Your more permissive statements should be at the top and then restrict down.
ip access-list extended Allow_NTP
permit udp host 10.10.10.10 host 10.100.100.100 eq 123
deny ip 10.10.10.0 0.0.0.255 any
08-12-2009 05:46 AM
James
access-list 101 permit udp host 10.10.10.10 host 10.100.100.100 eq 123
access-list 101 deny ip host 10.10.10.10 10.100.100.0 0.0.0.255
access-list 101 permit ip any any
int vlan 1
ip access-group 101 in
the above acl will -
1) allow 10.10.10.10 to use NTP with 10.100.100.100
2) stop all other traffic from 10.10.10.10 to any device on 10.100.100.0/24 network
3) allow all other traffic from 10.10.10.10 to any other device, ie. not a device on vlan 100
4) allow all traffic from every other device on 10.10.10.x network to any other device including all devices on vlan 100
Yes, by default ports are switchports.
Jon
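An added worked example, not from the thread and not Cisco's own tooling: a small Python model of how IOS evaluates a numbered ACL (first matching entry wins, implicit deny at the end) applied to Jon's access-list 101 above. It checks the four behaviours Jon lists, shows what happens if the final "permit ip any any" is left off (everything from VLAN 1 is blocked, not just traffic to VLAN 100), and shows why the permit must sit above the deny. The destination addresses 192.0.2.10 and the hosts 10.10.10.20 / 10.100.100.50 are constructed sample values; the "ACL_VLAN100_BLOCKED" list is my own variant combining Jon's and the earlier reply's lines, not something posted in the thread.

```python
import ipaddress

# One access control entry. proto "ip" matches any protocol; dport None matches any port.
def ace(action, proto, src, dst, dport=None):
    return {
        "action": action,
        "proto": proto,
        "src": ipaddress.ip_network(src),
        "dst": ipaddress.ip_network(dst),
        "dport": dport,
    }

# Jon's access-list 101, transcribed from the thread (host x == x/32, 0.0.0.255 wildcard == /24).
ACL_101 = [
    ace("permit", "udp", "10.10.10.10/32", "10.100.100.100/32", 123),
    ace("deny", "ip", "10.10.10.10/32", "10.100.100.0/24"),
    ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# James's follow-up: the same list with the trailing "permit ip any any" dropped.
ACL_101_NO_PERMIT_ANY = ACL_101[:2]

# Constructed variant (my own, not from the thread): only 10.10.10.10 may reach VLAN 100,
# and only for NTP; every other 10.10.10.0/24 host is denied to VLAN 100 but still
# permitted elsewhere.
ACL_VLAN100_BLOCKED = [
    ace("permit", "udp", "10.10.10.10/32", "10.100.100.100/32", 123),
    ace("deny", "ip", "10.10.10.0/24", "10.100.100.0/24"),
    ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# Wrong ordering: deny placed above the permit, to show why order matters.
ACL_101_MISORDERED = [ACL_101[1], ACL_101[0], ACL_101[2]]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, ace_index) of the first matching entry.

    Returns ("deny", None) when nothing matches: every IOS ACL ends with an implicit deny.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for index, entry in enumerate(acl):
        if entry["proto"] != "ip" and entry["proto"] != proto:
            continue
        if src_ip not in entry["src"] or dst_ip not in entry["dst"]:
            continue
        if entry["dport"] is not None and entry["dport"] != dport:
            continue
        return entry["action"], index
    return "deny", None


# Constructed sample flows as seen inbound on interface vlan 1.
SAMPLE_FLOWS = [
    ("ntp from 10.10.10.10 to the NTP server", "udp", "10.10.10.10", "10.100.100.100", 123),
    ("ssh from 10.10.10.10 to the NTP server", "tcp", "10.10.10.10", "10.100.100.100", 22),
    ("https from 10.10.10.10 to the internet", "tcp", "10.10.10.10", "192.0.2.10", 443),
    ("http from another vlan 1 host to vlan 100", "tcp", "10.10.10.20", "10.100.100.50", 80),
    ("https from another vlan 1 host to the internet", "tcp", "10.10.10.20", "192.0.2.10", 443),
]


def summarize(acl):
    """Map each sample flow description to the action the given ACL takes on it."""
    return {desc: evaluate(acl, proto, src, dst, dport)[0]
            for desc, proto, src, dst, dport in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, acl in (("ACL 101", ACL_101),
                      ("ACL 101 without permit any", ACL_101_NO_PERMIT_ANY),
                      ("vlan 100 blocked for all but NTP", ACL_VLAN100_BLOCKED),
                      ("ACL 101 misordered", ACL_101_MISORDERED)):
        print(f"== {name}")
        for desc, action in summarize(acl).items():
            print(f"  {action:6}  {desc}")
```

The "without permit any" run is the point of James's question: removing the last line does not merely block the other hosts from VLAN 100, it leaves only the first two entries and the implicit deny, so those hosts lose all connectivity through that SVI. The misordered run shows the NTP flow hitting the deny first, which is why the more specific permit has to come before the broader deny.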
08-12-2009 06:50 AM
If I wanted all other hosts to be blocked from the 10.100.100.x network I would just not add the permit ip any any command, correct?
Also, you are simply locking the host access to the server down to the NTP protocol port. The way I had it would have allowed any type of connection between the devices.
Cool. That makes sense. Thanks.
Oh, I then have to apply the access list to VLAN 1. Forgot about that.
James
08-12-2009 07:24 AM
Yes, and you'd apply it in the INBOUND direction.
HTH,
John