Access list problems: please review and give recommendations

All,

Here is my project:

In building 10, I will be installing a new 3750 access switch and creating a new VLAN 50, and trunking it to a 4000 distribution switch. From the 4000 switch it trunks to a core 6509 with an MSFC.

I want to permit users on VLAN 50 (my new vlan) only to certain servers 10.50.26.1, 172.34.6.1, etc.

Here is my process and steps

Create VLAN 50 on the MSFC (done and already tested):

interface Vlan50
 ip address 165.186.252.5 255.255.255.0

access-list 125 deny ip any host 165.186.252.5
access-list 125 deny ip any 10.50.26.0 0.0.0.255
access-list 125 permit ip any any
!
interface Vlan50
 ip access-group 125 in

2nd part

If I have additional core/distribution switches downstream, will I have to create the access list across all of them?

We are running Transparent mode

Trouble

In your example, you've indicated that you're applying ACL 125 in the inbound direction on your new VLAN interface (with IP 165.186.252.5/24).

Remember that inbound on this interface means that the traffic inspected by the ACL will be sourced from 165.186.252.0/24.

With that in mind, look at the first line of your ACL: deny IP traffic from ANY source to reach 165.186.252.5. Because the DESTINATION is 165.186.252.x (not the source), this line will never be "hit".

You could state the first line as:

access-list 125 deny ip host 165.186.252.5 any

However, I would suggest this ACL instead (based on your requirement to only reach certain servers), and still apply it as an inbound ACL on the VLAN 50 interface:

access-list 125 permit ip any host 10.50.26.1
access-list 125 permit ip any host 172.34.6.1
access-list 125 deny ip any any
!

jcottingim
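To make the direction point above concrete, here is a small first-match ACL evaluator written as an added example; it is not part of the original thread and not Cisco's implementation. It parses the two ACLs exactly as posted (IP-only entries with `any`, `host`, and wildcard-mask forms), and then runs a handful of constructed flows through each. Every sample flow is sourced inside 165.186.252.0/24, because that is the only traffic an inbound ACL on the VLAN 50 SVI ever sees. The source and destination addresses in the flows, and the hit counters, are assumptions made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int = 0                   # how many sample flows matched this line


def _parse_addr(tokens):
    """Consume one Cisco-style address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # "address wildcard": invert each wildcard octet to obtain a netmask
    addr, wildcard = tokens[0], tokens[1]
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines; skip '!' and remarks."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "!" or tok[2] == "remark":
            continue
        action, rest = tok[2], tok[4:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def evaluate(acl, src, dst):
    """First matching line wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            entry.hits += 1
            return entry.action
    return "deny"


# The ACL as posted in the question.
ORIGINAL_ACL = """
access-list 125 deny ip any host 165.186.252.5
access-list 125 deny ip any 10.50.26.0 0.0.0.255
access-list 125 permit ip any any
"""

# The ACL suggested in the reply.
SUGGESTED_ACL = """
access-list 125 permit ip any host 10.50.26.1
access-list 125 permit ip any host 172.34.6.1
access-list 125 deny ip any any
"""

# Constructed sample flows (assumed hosts), all sourced from VLAN 50's subnet
# because 'ip access-group 125 in' on interface Vlan50 sees nothing else.
INBOUND_FLOWS = [
    ("165.186.252.10", "10.50.26.1"),   # one of the permitted servers
    ("165.186.252.10", "172.34.6.1"),   # the other permitted server
    ("165.186.252.11", "10.50.26.77"),  # another host in the server subnet
    ("165.186.252.12", "192.0.2.50"),   # unrelated destination
    ("165.186.252.5", "10.50.26.1"),    # the SVI's own address as source
]


def run(acl_text, flows=INBOUND_FLOWS):
    """Return (decision per flow, hit count per ACL line) for one ACL."""
    acl = parse_acl(acl_text)
    decisions = [evaluate(acl, s, d) for s, d in flows]
    return decisions, [entry.hits for entry in acl]


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("suggested", SUGGESTED_ACL)):
        decisions, hits = run(text)
        print(f"{name}: decisions={decisions} line hits={hits}")
```

Running it shows the first line of the original ACL with zero hits, as the reply predicts: no inbound flow can have 165.186.252.5 as its destination. It also shows that the original ACL's second line denies traffic to 10.50.26.1, one of the servers the question wants reachable, while the suggested ACL permits exactly the two servers and drops everything else, including the flow to the other host in 10.50.26.0/24.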

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.