How to permit incoming connections on ACLs (Aruba 2930F)

  • 1.  How to permit incoming connections on ACLs (Aruba 2930F)

    Posted Oct 18, 2021 05:54 AM

    Hi all,

    Having this ACL problem on a 2930F.

    I want to permit

    • SSH access from 192.168.100.130 to 192.168.100.83
    • UDP access from 192.168.100.83 to 192.168.100.87

    Block all the rest. 

    192.168.100.83 and 192.168.100.87 are IP addresses on the same VLAN on the 2930F switch.

    I am sitting on 192.168.100.130, which is on another VLAN routed by a firewall via inter-VLAN routing.

     

    I have this 

    ip access-list extended "Permit SSH and UDP, Deny all"
    10 permit tcp 192.168.100.130 0.0.0.0 192.168.100.83 0.0.0.0 eq 22 log
    20 permit udp 192.168.100.83 0.0.0.0 192.168.100.87 0.0.0.0 eq 514 log
    30 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

     

    The above permits UDP packets from 192.168.100.83 to 192.168.100.87 (I can see it in the syslog), but I am not able to access 192.168.100.83 from 192.168.100.130.

    Any ideas?


    #Aruba
    #Switch_Router_Interconnect


  • 2.  RE: How to permit incoming connections on ACLs (Aruba 2930F)

    EMPLOYEE
    Posted Oct 18, 2021 07:35 AM

    Hello SHtan,

    If you have applied the ACL in the inbound direction, you have to modify the traffic to its proper VLAN.

    E.g., if the device 192.168.100.130 is in another VLAN and you have applied this on its VLAN, it is OK, but from the perspective of 192.168.100.83 -> 192.168.100.130, is it allowed in its VLAN?

    Hope this helps!



  • 3.  RE: How to permit incoming connections on ACLs (Aruba 2930F)

    Posted Oct 18, 2021 01:11 PM

    Thanks for your reply! That means I'll need two ACLs; one for the first VLAN containing 192.168.1.83 and another for the second VLAN containing 192.168.1.130? Should the ACLs be applied as VLAN ACLs or interface ACLs?

    First time doing this - sorry for the bother!



  • 4.  RE: How to permit incoming connections on ACLs (Aruba 2930F)

    EMPLOYEE
    Posted Oct 19, 2021 03:08 AM

    Hello SHtan,

    Exactly, you need a proper ACL for each VLAN and apply it accordingly.

    Hope this helps!
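
Added example, not part of the thread and not Aruba code: a small Python model of stateless, first-match ACL evaluation with wildcard masks, run over the ACL from the first post. It assumes the ACL is applied inbound on the VLAN where 192.168.100.83 sits; the packets, the ephemeral ports and entry 15 are constructed for illustration, and entry 15 is a model tuple rather than switch syntax.

```python
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")  # wildcard mask 0.0.0.0 means exact host

# Entry layout: (seq, action, proto, src, src_port, dst, dst_port); None = any port.
# Entries 10-30 reproduce the ACL posted in the thread.
ACL = [
    (10, "permit", "tcp", host("192.168.100.130"), None, host("192.168.100.83"), 22),
    (20, "permit", "udp", host("192.168.100.83"), None, host("192.168.100.87"), 514),
    (30, "deny", "ip", ANY, None, ANY, None),
]
# Hypothetical entry (assumption): SSH replies sourced from port 22 on .83.
RETURN_ACE = (15, "permit", "tcp", host("192.168.100.83"), 22, host("192.168.100.130"), None)

def wild_match(addr, spec):
    """Wildcard-mask match: bits set in the mask are ignored."""
    base, mask = (int(IPv4Address(x)) for x in spec)
    care = ~mask & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == base & care

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (seq, action) of the first matching entry, in sequence order."""
    for seq, action, p, s, sp, d, dp in sorted(acl, key=lambda e: e[0]):
        if p not in ("ip", proto):
            continue
        if not (wild_match(src, s) and wild_match(dst, d)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return seq, action
    return None, "deny"  # implicit deny when nothing matches

# Constructed packets: (proto, src, src_port, dst, dst_port).
PACKETS = {
    "ssh request": ("tcp", "192.168.100.130", 50000, "192.168.100.83", 22),
    "ssh reply": ("tcp", "192.168.100.83", 22, "192.168.100.130", 50000),
    "syslog": ("udp", "192.168.100.83", 40000, "192.168.100.87", 514),
}

def results(acl):
    return {name: evaluate(acl, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("as posted", ACL), ("with return entry", ACL + [RETURN_ACE])):
        print(label, results(acl))
```

With the posted entries, the reply leg of the SSH session (192.168.100.83 to 192.168.100.130) falls through to entry 30, which is the direction the second post asks about.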