662 Views, 10 Helpful, 3 Replies

Understanding ACL commands

JanRother37047 (Level 1)

Hi,

I want to create a rule for a specific port on a 3650. I want to allow all traffic within a VLAN (let's assume VLAN 10, IP address 192.168.178.254 255.255.255.0) except for one host (let's assume IP address 192.168.178.100).

This IP address should only be allowed to talk to one other IP address (let's assume 192.168.178.1).

I can assure this PC will always be connected to the same Gigabit Ethernet interface (through physical access limitation to the switch).

Would these commands be correct?

 

en
#conf t
#access list 10 deny ip any any
#access list 10 permit 192.168.178.100 0.0.0.255 192.168.178.1
#(config) interface GigabitEthernet1/0/1
#(config-if) description restricted pc
#(config-if) switchport access vlan 10
#(config-if) switchport mode access
#(config-if) ip access group 10 out
#(config-if) ip access group 10 in

 

greetings

Jan

Accepted Solution

Hello

If you want that port to allow any host with an IP of 192.168.178.100 to communicate with host 192.168.178.1, then a port ACL (PACL) would be applicable; you would just require a permit ACE statement for it.

example:
access-list 100 permit ip host 192.168.178.100 host 192.168.178.1
interface GigabitEthernet1/0/1
ip access-group 100 in



Kind Regards
Paul


3 Replies

balaji.bandi (Hall of Fame)

Look at VLAN ACLs (VACL) - is this what you are looking for, I guess:

 

http://www.thepacketwizard.com/blog/2018/09/21/cisco-switch-vlan-acls-vacl/

 

BB



reccon (Level 1)

If I got your question right, the following should work

(host 192.168.178.100 is connected to Gi1/0/1 and can only talk to host 192.168.178.1)

 

en
conf t
!
ip access-list extended 100
 remark restricted PC on Gi1/0/1: may only reach 192.168.178.1
 permit ip host 192.168.178.100 host 192.168.178.1
 ! every other flow is dropped by the ACL's implicit deny at the end
!
interface GigabitEthernet1/0/1
 ip access-group 100 in
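To make the difference between the question's ACL and the answers' ACL concrete, here is a small simulator of Cisco IOS first-match IPv4 ACL evaluation. It is an added example written for this page, not code from the thread or from Cisco. It assumes extended ACL syntax ("permit|deny ip <src> <dst>" with "host X", "any" or "X WILDCARD" address specs), first-match semantics and the implicit "deny ip any any" at the end of every ACL. The question's two ACEs are re-expressed in valid extended syntax (constructed here, the posted lines as written are not valid IOS) so they can be evaluated, and the sample flows are constructed, not captured.

```python
"""Simulate first-match Cisco IOS IPv4 ACL evaluation (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    src: str        # base address
    src_wild: str   # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard semantics: only the bits where the wildcard is 0 are compared."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    care = ALL_ONES ^ w
    return (a & care) == (b & care)


def _parse_spec(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE such as 'permit ip host 192.168.178.100 host 192.168.178.1'."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, src_wild, i = _parse_spec(t, 2)
    dst, dst_wild, i = _parse_spec(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(t[0], src, src_wild, dst, dst_wild)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, str]:
    """First matching ACE wins; if nothing matches, the implicit deny applies."""
    for n, ace in enumerate(acl, start=1):
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action, f"ace {n}"
    return "deny", "implicit deny"


# The question's ACL, rewritten in valid extended syntax (constructed here; the
# posted lines were "access list 10 deny ip any any" and
# "access list 10 permit 192.168.178.100 0.0.0.255 192.168.178.1").
POSTED_ACL = [parse_ace(l) for l in (
    "deny ip any any",
    "permit ip 192.168.178.100 0.0.0.255 host 192.168.178.1",
)]

# The accepted answer's ACL: one permit, everything else hits the implicit deny.
ANSWER_ACL = [parse_ace("permit ip host 192.168.178.100 host 192.168.178.1")]

# Constructed sample flows as seen inbound on Gi1/0/1, the direction the
# answers apply the PACL in: (source, destination).
FLOWS = [
    ("192.168.178.100", "192.168.178.1"),    # the one allowed conversation
    ("192.168.178.100", "192.168.178.50"),   # another host in VLAN 10
    ("192.168.178.100", "8.8.8.8"),          # off-subnet, via the gateway
]


def decisions(acl: List[Ace]) -> Dict[str, str]:
    """Map each sample flow to the ACL decision for it."""
    return {f"{s}->{d}": evaluate(acl, s, d)[0] for s, d in FLOWS}


if __name__ == "__main__":
    # Posted ACL: the "deny ip any any" is first, so nothing is ever permitted.
    print("posted ACL:", decisions(POSTED_ACL))
    # Answer ACL: only .100 -> .1 is permitted; the rest hit the implicit deny.
    print("answer ACL:", decisions(ANSWER_ACL))
    # The posted wildcard 0.0.0.255 would also have matched every host in the /24,
    # not just .100; "host" (wildcard 0.0.0.0) matches exactly one address.
    print(wildcard_match("192.168.178.77", "192.168.178.100", "0.0.0.255"))
```

Two things this makes visible that the thread only implies: ACE order matters, because a "deny ip any any" placed first shadows every permit after it, and the "host" keyword is the wildcard 0.0.0.0, whereas 0.0.0.255 matches the whole /24. The simulator models only the inbound PACL on Gi1/0/1, which is the direction both answers use; it says nothing about traffic arriving on other ports of the switch.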
