Unsolved
4 Posts
0
669
January 25th, 2021 09:00
N1524 Access Lists
Hi,
I'm not sure how to achieve the below:
I have port Gi1/0/13 which has local IP 192.168.100.1, and should be able to access the whole internet, however, it should only be accessed from 1.2.3.4 from the internet.
How would I achieve this?
My current config is like this:
ip access-list test
permit ip any 1.2.3.4 0.0.0.0
deny every
exit
....
interface Gi1/0/13
spanning-tree portfast
switchport access vlan 3
ip access-group test in 1
exit
It, however, seems to only be able to receive incoming traffic this way.
Any help would be appreciated.
DELL-Josh Cr
Moderator
9.5K Posts
0
January 25th, 2021 14:00
Hi s_dekkers,
Are you connecting this switch directly to the internet or is it going through a router? Your deny all clause will block all of the traffic that isn’t explicitly permitted, so you have to do a permit statement for all of the other traffic. Page 277 https://dell.to/3c9Mu9K
s_dekkers
4 Posts
0
January 26th, 2021 01:00
Hi,
This switch is going through a datacenter provided gateway, so no configuration other than the configuration we can do on the switch is possible.
The idea of the access-lists is to deny any IP but 1.2.3.4 to access this interface, as it hosts the iDRAC web interface. It should however not block other traffic (initiated from Gi1/0/13 to the internet).
Thanks,
DELL-Stefan R
Moderator
790 Posts
1
January 26th, 2021 05:00
Hi s_dekkers,
I opened an internal ticket for this request, as soon as I get a reply or Josh is back online, we will contact you again.
BR
Stefan
DELL-Stefan R
Moderator
790 Posts
0
February 3rd, 2021 03:00
Hi s_dekkers,
I received some assistance on the case; here is what I'd like you to check.
Looking at the current config,
ip access-list test
permit ip any 1.2.3.4 0.0.0.0
deny every
exit
Syntax (ACL):
[sequence-number]{deny | permit} {ipv4-protocol | 0-255 | every} {srcip srcmask | any | host srcip} [{range {portkey | startport} {portkey | endport}} | {eq | neq | lt | gt} {portkey | 0-65535} ] {dstip dstmask | any | host dstip} [{range {portkey | startport} {portkey | endport}} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]] [icmp-type icmptype [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]}} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} interface-id] [rate-limit rate burst-size
Based on the syntax above it should be:
permit ip 1.2.3.4 0.0.0.0 any (source IP followed by destination, as you require it from the particular host 1.2.3.4)
For the outbound ACL:
permit ip (src IP - could be the IP of the Gi1/0/13 interface, 192.168.100.1, or any) any any
Please provide the outputs of 'show ip access-lists test' before and after making this change.
BR
Stefan
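An added example, not code from the thread or from Dell: a small Python evaluator for the first-match, wildcard-mask ACL semantics described by the syntax line above, run over the ACL posted in the thread and over the suggested entry with source and destination swapped. The peers 5.6.7.8 and 8.8.8.8 are constructed sample addresses.

```python
import ipaddress

def _addr_match(addr: str, spec: str) -> bool:
    """Match one IPv4 address against an ACL address spec:
    'any', 'host X', or 'X W' where W is a wildcard mask (1 bits = don't care)."""
    if spec == "any":
        return True
    parts = spec.split()
    net = parts[1] if parts[0] == "host" else parts[0]
    wildcard = "0.0.0.0" if parts[0] == "host" else parts[1]
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # 0.0.0.0 wildcard -> exact host match
    return (a & care) == (n & care)

def parse_ace(line: str):
    """Parse 'permit|deny proto [src [dst]]' into (action, proto, src_spec, dst_spec).
    An address spec is one token ('any') or two ('host X' / 'X W')."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    specs = []
    while rest:
        n = 1 if rest[0] == "any" else 2
        specs.append(" ".join(rest[:n]))
        rest = rest[n:]
    specs += ["any"] * (2 - len(specs))   # 'deny every' -> any source, any destination
    return action, proto, specs[0], specs[1]

def evaluate(acl_lines, src: str, dst: str, proto: str = "tcp") -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl_lines:
        action, p, s, d = parse_ace(line)
        if p in ("every", "ip", proto) and _addr_match(src, s) and _addr_match(dst, d):
            return action
    return "deny"

# Constructed sample ACLs: the one posted in the thread and the moderator's suggested entry.
ORIGINAL = ["permit ip any 1.2.3.4 0.0.0.0", "deny every"]
SUGGESTED = ["permit ip 1.2.3.4 0.0.0.0 any", "deny every"]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for s, d in (("1.2.3.4", "192.168.100.1"), ("5.6.7.8", "192.168.100.1"),
                     ("192.168.100.1", "8.8.8.8")):
            print(f"{name:9} {s:>14} -> {d:<14} {evaluate(acl, s, d)}")
```

Neither list permits the iDRAC's own connections out to 8.8.8.8, which is the "everything not explicitly permitted is denied" behaviour Josh mentions. An ACL attached with `in` on Gi1/0/13 only sees packets entering the switch on that port, so check which direction each packet actually traverses before deciding where the permit belongs.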