07-27-2021 03:36 AM
Hi,
I want to create a rule for a specific port on a 3650. I want to allow all traffic within a VLAN (let's assume VLAN 10, IP address 192.168.178.254 255.255.255.0) except for one host (let's assume IP address 192.168.178.100).
This IP address should only be allowed to talk to one other IP address (let's assume 192.168.178.1).
I can assure this PC will always be connected to the same Gigabit Ethernet interface (through physical access limitation to the switch).
Would these commands be correct?
en
#conf t
#access list 10 deny ip any any
#access list 10 permit 192.168.178.100 0.0.0.255 192.168.178.1
#(config) interface GigabitEthernet1/0/1
#(config-if) description restricted pc
#(config-if) switchport access vlan 10
#(config-if) switchport mode access
#(config-if) ip access group 10 out
#(config-if) ip access group 10 in
greetings
Jan
07-27-2021 05:47 AM - edited 07-27-2021 05:47 AM
Hello
If you want that port to allow only a host with an IP of 192.168.178.100 to communicate with host 192.168.178.1, then a port ACL (PACL) would be applicable; you would just require a permit ACE statement for it.
example:
access-list 100 permit ip host 192.168.178.100 host 192.168.178.1
interface GigabitEthernet1/0/1
 ip access-group 100 in
07-27-2021 04:30 AM
Look at VLAN ACLs - is this what you are looking for, I guess:
http://www.thepacketwizard.com/blog/2018/09/21/cisco-switch-vlan-acls-vacl/
07-27-2021 05:56 AM
If I got your question right, the following should work
(host 192.168.178.100 is connected to Gi1/0/1 and can only talk to host 192.168.178.1)
en
conf t
ip access-list extended 100
permit ip host 192.168.178.100 host 192.168.178.1
interface GigabitEthernet1/0/1
ip access-group 100 in
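The port-ACL approach from the replies, written out as a complete added example (not from any post in this thread), using a named extended ACL with an explicit deny and remarks so the intent is readable in the running config. It assumes the thread's addresses and port, that the PC has a static address (a PACL permitting only that source would also drop its DHCP requests, which are sourced from 0.0.0.0), and that the port ACL is applied inbound, which is the only direction Catalyst port ACLs support.

```cisco
! Added example, assumptions: VLAN 10, restricted PC 192.168.178.100 on Gi1/0/1,
! permitted peer 192.168.178.1, PC uses a static IP address.
configure terminal
!
ip access-list extended RESTRICTED-PC
 remark restricted PC may reach only 192.168.178.1
 permit ip host 192.168.178.100 host 192.168.178.1
 remark everything else entering this port is dropped (explicit form of the implicit deny)
 deny ip any any
!
interface GigabitEthernet1/0/1
 description restricted pc
 switchport mode access
 switchport access vlan 10
 ip access-group RESTRICTED-PC in
!
end
!
! Verification (exec mode): confirm the ACL contents and that it is bound to the port.
show access-lists RESTRICTED-PC
show running-config interface GigabitEthernet1/0/1
```

Because the ACL is inbound on the access port, only frames sent by the PC are filtered; replies from 192.168.178.1 leave the port unfiltered, and ARP is not affected by an IP ACL.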