Configuring an Internal Deny ACL

Let’s configure an ACL that denies traffic from the Engineering server to the HR server, and name it deny-hr:

CLI network-admin@Leaf1>acl-ip-create name deny-hr action deny scope local src-ip 192.168.10.2 src-ip-mask 24 dst-ip 192.168.200.3 dst-ip-mask 24 proto ip src-port 55 dst-port 33 vlan 1505

To review the configuration, use the acl-ip-show command:

CLI network-admin@Leaf1>acl-ip-show name deny-hr layout vertical

name:                  deny-hr
id:                    b00011:20
action:                deny
proto:                 ip
src-ip:                192.168.10.2/24
src-port:              55
dst-ip:                192.168.200.3/24
dst-port:              33
vlan:                  1505
scope:                 local
port:                  0

Note that both addresses carry a /24 mask, so the entry matches the whole 192.168.10.0/24 and 192.168.200.0/24 subnets on VLAN 1505, not only the two hosts, and scope local means the entry is applied on Leaf1 only. Now, when you attempt to access the HR server from the Engineering server over the matching ports and VLAN, the packets are dropped.
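To verify what an entry actually covers before relying on it, the following added example (not Netvisor code) parses the acl-ip-show vertical output above and evaluates candidate flows against it. It assumes the switch applies the mask as a network prefix (so 192.168.10.2/24 covers all of 192.168.10.0/24), compares ports and VLAN exactly, and treats proto ip as matching any IP packet.

```python
import ipaddress

# Constructed sample: the acl-ip-show output shown above, captured as text.
ACL_SHOW_OUTPUT = """\
name:                  deny-hr
id:                    b00011:20
action:                deny
proto:                 ip
src-ip:                192.168.10.2/24
src-port:              55
dst-ip:                192.168.200.3/24
dst-port:              33
vlan:                  1505
scope:                 local
port:                  0
"""


def parse_acl_show(text):
    """Parse 'key:  value' lines from acl-ip-show layout vertical into a dict.
    Splitting on the first colon only keeps values such as 'b00011:20' intact."""
    acl = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        acl[key.strip()] = value.strip()
    return acl


def acl_matches(acl, src_ip, dst_ip, src_port, dst_port, vlan):
    """True when the flow falls inside every match field of the entry.
    strict=False lets a host address with a network mask (192.168.10.2/24)
    be widened to its network (192.168.10.0/24), the assumed switch behaviour.
    proto ip is assumed to match any IP packet, so it is not checked here."""
    src_net = ipaddress.ip_network(acl["src-ip"], strict=False)
    dst_net = ipaddress.ip_network(acl["dst-ip"], strict=False)
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net
            and int(acl["src-port"]) == src_port
            and int(acl["dst-port"]) == dst_port
            and int(acl["vlan"]) == vlan)


def flow_action(acl, src_ip, dst_ip, src_port, dst_port, vlan):
    """The entry's action for this flow, or None when the entry does not match."""
    if acl_matches(acl, src_ip, dst_ip, src_port, dst_port, vlan):
        return acl["action"]
    return None
```

Running flow_action over a host elsewhere in 192.168.10.0/24 shows the deny reaching beyond the Engineering server itself, while a different VLAN or port falls through to whatever other entries exist.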