ACCESS LIST problems, Please review and recommendations


Here is my project:

In building 10, I will be installing a new Access switch 3750 and creating a new VLAN 50, and trunk it to a 4000 Distribution switch. From the 4000 switch it trunks to a Core 6509 with a MSFC.

I want to permit users on VLAN 50 (my new vlan) only to certain servers, etc.

Here is my process and steps

Create Vlan 50 on the MSFC

VLAN done and already tested

access-list 125 deny ip any host
access-list 125 deny ip any
access-list 125 permit ip any any

int vlan 50
ip access-group 125 in

2nd part

If I have additional core/distribution switches downstream, will I have to create the access list across all of them?

We are running Transparent mode


In your example, you've indicated that you're applying ACL 125 on the inward direction on your new VLAN interface (with IP /24)

Remember that inward on this interface means that the traffic that will be inspected by the ACL will be sourced from

With that in mind, look at the first line of your ACL: deny IP traffic from ANY source to reach - because the DESTINATION is 165.186.252.X (not the source), this line will never be "hit".

You could state the first line as: access-list 125 deny ip host any

However, I would suggest this ACL instead (based on your requirement to only reach certain servers) and still apply it as an incoming ACL on the VLAN 50 interface.

access-list 125 permit ip any host
access-list 125 permit ip any host
access-list 125 deny ip any any
!
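To make the "in" direction and the first-match behaviour of the suggested ACL concrete, here is an added Python simulation; it is not from this thread and not Cisco code, and it uses constructed addresses (an assumed 10.50.0.0/24 for VLAN 50 and two assumed server hosts) because the real server IPs are not on the page.

```python
from ipaddress import ip_address, ip_network

# Constructed values for illustration only (not the thread's real addresses).
VLAN50_NET = ip_network("10.50.0.0/24")   # assumed VLAN 50 subnet
SERVER_A = "192.0.2.10"                   # assumed permitted server
SERVER_B = "192.0.2.20"                   # assumed permitted server

# The reply's suggested structure: permit the needed servers, then deny all.
SUGGESTED_ACL = [
    f"access-list 125 permit ip any host {SERVER_A}",
    f"access-list 125 permit ip any host {SERVER_B}",
    "access-list 125 deny ip any any",
]

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' where SRC/DST is
    'any' or 'host A.B.C.D'. Returns (action, src_match, dst_match)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    def matcher(rest):
        if rest[0] == "any":
            return (lambda a: True), rest[1:]
        if rest[0] == "host":
            h = ip_address(rest[1])
            return (lambda a, h=h: a == h), rest[2:]
        raise ValueError(f"unsupported address spec: {rest}")
    src, rest = matcher(tok[4:])
    dst, _ = matcher(rest)
    return tok[2], src, dst

def evaluate(acl_lines, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny.
    Returns (action, 1-based line number or None for the implicit deny)."""
    s, d = ip_address(src), ip_address(dst)
    for n, line in enumerate(acl_lines, 1):
        action, sm, dm = parse_ace(line)
        if sm(s) and dm(d):
            return action, n
    return "deny", None

def inbound_on_vlan50(acl_lines, src, dst):
    """'ip access-group 125 in' on interface vlan 50 only sees packets
    entering the MSFC from VLAN 50, i.e. sourced inside the VLAN 50 subnet.
    Replies from a server back to VLAN 50 would be outbound and are not inspected."""
    if ip_address(src) not in VLAN50_NET:
        return "not-inspected", None
    return evaluate(acl_lines, src, dst)
```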
