Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
666
Views
5
Helpful
2
Replies

Simple Access List Help

jfraasch
Level 3
Level 3

‎06-14-2010 05:09 PM - edited ‎03-06-2019 11:34 AM

I have a 3750 switch where I am going to plug in a new connection on port g1/0/45.  This connection will connect to another network that I only semi-trust so I need to restrict access.

On that port I will configure an ip of 10.112.50.22/24.  This will connect to someone else's switch that holds the 10.112.50.0/24 network. 

I have servers connected to my switch that this network needs access to.

Namely I need to allow hosts 10.112.50.8, 10.150.12.2, 10.151.12.2 access to my servers at 192.168.60.35 and 192.168.60.36.  These servers are connected in VLAN1 on my switch.


I don't want them to have access to anything but those two servers.  I don't need to filter by port, pure IP connectivity is fine for this.

Since I am 6000 miles away from my lab I dont have access to a live 3750.  If memory serves, this is what I need to do:


Int g1/0/45 ip address 10.150.112.21/24
IP Access list 200  in

IP Access list 200
Permit ip host 10.150.12.8 host 192.168.60.36
Permit ip host 10.150.12.8 host 192.168.60.35
Permit ip host 10.150.12.2 host 192.168.60.36
Permit ip host 10.150.12.2 host 192.168.60.35
Permit ip host 10.151.12.2 host 192.168.60.36
Permit ip host 10.151.12.2 host 192.168.60.35

I have a change window tonight and need to confirm that this is the way to do it.


Thanks.


James

Labels:
0 Helpful
2 Replies 2

TODD RIEMENSCHNEIDER
Level 1
Level 1

‎06-14-2010 05:33 PM

James,

your syntax was a little off.

ip access-list extended

Permit ip host 10.150.12.8 host 192.168.60.36
Permit ip host  10.150.12.8 host 192.168.60.35
Permit ip host 10.150.12.2 host  192.168.60.36
Permit ip host 10.150.12.2 host 192.168.60.35
Permit  ip host 10.151.12.2 host 192.168.60.36
Permit ip host 10.151.12.2  host 192.168.60.35

to apply to the interface

int gi1/0/45

ip access-group in


end

HTH

-Todd

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎06-15-2010 07:59 AM 

I have a 3750 switch where I am
going to plug in a new connection on port g1/0/45.  This connection
will connect to another network that I only semi-trust so I need to
restrict access.
On
that port I will configure an ip of 10.112.50.22/24.  This will connect
to someone else's switch that holds the 10.112.50.0/24 network.  
I have servers connected to my switch that this network needs access to.
Namely
I need to allow hosts 10.112.50.8, 10.150.12.2, 10.151.12.2 access to
my servers at 192.168.60.35 and 192.168.60.36.  These servers are
connected in VLAN1 on my switch.

I don't want them to have
access to anything but those two servers.  I don't need to filter by
port, pure IP connectivity is fine for this.
Since I am 6000 miles away from my lab I dont have access to a live 3750.  If memory serves, this is what I need to do:

Int g1/0/45 ip address 10.150.112.21/24
IP Access list 200  in
IP Access list 200
Permit ip host 10.150.12.8 host 192.168.60.36
Permit ip host 10.150.12.8 host 192.168.60.35
Permit ip host 10.150.12.2 host 192.168.60.36
Permit ip host 10.150.12.2 host 192.168.60.35
Permit ip host 10.151.12.2 host 192.168.60.36
Permit ip host 10.151.12.2 host 192.168.60.35
I have a change window tonight and need to confirm that this is the way to do it.

Thanks.

James

Hi James,

Thumb rule to apply acl is to close to host and as your configuration is ok

IP Access list 200

Permit ip host 10.150.12.8 host 192.168.60.36

Permit ip host 10.150.12.8 host 192.168.60.35

Permit ip host 10.150.12.2 host 192.168.60.36

Permit ip host 10.150.12.2 host 192.168.60.35

Permit ip host 10.151.12.2 host 192.168.60.36

Permit ip host 10.151.12.2 host 192.168.60.35

interface g1/0/45
ip access-group 200 in

The direction specifies the flow of the packet and to apply the acl in direction on interfaces.

In—Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.

Out—Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card