Velocity Reviews - Computer Hardware Reviews

Newbie ACL Help on Cisco Switch

Jake
11-10-2005
I'm attempting to configure an ACL on a Cisco switch but it seems to be a bit
different from the routers.

I need to allow only one host to talk through port 24 of my switch but it won't
let me apply an ACL to a single port.
So I need to apply it to VLAN1.

I have 5 devices sitting behind port 24 - each with its own IP.
I need to deny ALL but one IP from talking with the 5 hosts/IPs.

How would the ACL look for this situation?

Thanks in advance for any help!

Walter Roberson
11-10-2005
Jake wrote:
:I'm attempting to configure an ACL on a Cisco switch but it seems to be a bit
:different from the routers.

:I need to allow only one host to talk through port 24 of my switch but it won't
:let me apply an ACL to a single port.
:So I need to apply it to VLAN1.

Hmmm... ACLs on a switch, VLANs on the same switch, the possibility
of applying ACLs to that VLAN.... explicit differentiation between
'switch' and 'router'....

My deduction is that you are either using an older switch with CatOS,
or else that you are using a newer switch such as the Cat 2950 or
Cat 3550 (or 3750, but you probably wouldn't have called that a 'switch'.)

:I have 5 devices sitting behind port 24 - each with its own IP.
:I need to deny ALL but one IP from talking with the 5 hosts/IPs.

:How would the ACL look for this situation?

If you are indeed using a 3550/3750, then the behaviour
is different depending on whether the port is set to access mode or
not. In switching mode, you can (if I recall correctly) apply
ACLs per port; in access mode, the ACLs have to go on the VLAN.

If you are using a 2950 or 3550/3750 and you have to apply the
ACL to the VLAN, then if I correctly recall something I briefly
skimmed in this newsgroup a few weeks ago, the ACL is applied
*outgoing* on the VLAN.

Something like...

access-list 101 permit ip host SERVER host CLIENT1
access-list 101 permit ip host SERVER host CLIENT2
access-list 101 permit ip host SERVER host CLIENT3

interface VLAN101
ip access-group 101 <mumble>


However, if you -are- using a 3750 (or 3550?) then there is another
facility entirely that you may wish to consider. The 3750 (and
possibly other relatives) has a facility to define port groups
in which all incoming data to any member of the port group is
directed to a particular set of output ports, and only those output
ports are allowed to send traffic to any member of the port group.
In particular, the port group members are not allowed to send data
amongst themselves directly... something that is easy to overlook
if you use an ACL based scheme (e.g., if CLIENT1 sends to CLIENT2
then does the traffic "exit" VLAN1 in such a way that the ACL
gets interposed?)
--
Programming is what happens while you're busy making other plans.
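
Where the ACL is evaluated decides which of Jake's flows it ever sees, which is the trap Walter's last paragraph points at. The Python model below is an added example, not code from either poster or from Cisco. It assumes a Catalyst 3550-style switch and three places the same extended ACL can be applied: a router ACL on the SVI (`interface Vlan1`, `ip access-group 101 in|out`), which only evaluates packets routed between subnets; a port ACL applied inbound on one layer 2 interface (`interface FastEthernet0/24`, `ip access-group 101 in`), which only evaluates frames entering that port; and a VLAN map (`vlan access-map` / `vlan filter`), which evaluates every frame bridged in the VLAN. The hosts, the VLAN 1 subnet 192.0.2.0/24 and access-list 101 are constructed for the example; the ACL text parsed is real IOS extended syntax, and matching uses IOS wildcard semantics with the implicit deny at the end.

```python
"""Where an IOS access list is evaluated on a Catalyst switch, modelled in Python.

Added example, not from the thread or from Cisco.  Hosts, the VLAN 1 subnet and
access-list 101 are constructed; the ACL text is real IOS extended syntax:
    access-list N {permit|deny} ip <src> <dst>   with  host A | any | A WILDCARD
"""
import ipaddress
from dataclasses import dataclass

VLAN1_SUBNET = ipaddress.ip_network("192.0.2.0/24")  # constructed
ALLOWED_CLIENT = "192.0.2.100"                         # the one host Jake allows
ROGUE_CLIENT = "192.0.2.101"                           # any other host in VLAN 1
DEVICES_BEHIND_PORT_24 = ["192.0.2.%d" % i for i in range(8, 13)]  # five devices

# Wildcard 0.0.0.7 covers 192.0.2.8-15: the five devices plus three spare
# addresses, the price of one line instead of five 'host' entries.
ACL_101 = """
access-list 101 permit ip host 192.0.2.100 192.0.2.8 0.0.0.7
access-list 101 permit ip 192.0.2.8 0.0.0.7 host 192.0.2.100
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    ingress_port: int  # switch port the frame arrives on


def _ip(addr):
    return int(ipaddress.ip_address(addr))


def _parse_addr(tokens):
    """Consume one IOS address spec; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _matches(spec, addr):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the plain 'ip' form is modelled here
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((t[2] == "permit", src, dst))
    return entries


def acl_permits(entries, flow):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for permit, src, dst in entries:
        if _matches(src, flow.src) and _matches(dst, flow.dst):
            return permit
    return False


def svi_acl_permits(entries, flow):
    """Router ACL on 'interface Vlan1': only routed packets reach the SVI.  A frame
    with source and destination both in VLAN 1 is bridged in hardware and the ACL
    is never consulted (Walter's CLIENT1 -> CLIENT2 case)."""
    if (ipaddress.ip_address(flow.src) in VLAN1_SUBNET
            and ipaddress.ip_address(flow.dst) in VLAN1_SUBNET):
        return True
    return acl_permits(entries, flow)


def port_acl_permits(entries, flow, port=24):
    """Port ACL, inbound only, on one layer 2 interface: checks just the frames
    entering that port, so traffic *towards* the devices is never inspected."""
    if flow.ingress_port != port:
        return True
    return acl_permits(entries, flow)


def vlan_map_permits(entries, flow):
    """VLAN map ('match ip address 101' / 'action forward', filtered on VLAN 1):
    every frame bridged in the VLAN is checked whichever port it enters, and
    anything the ACL does not permit is dropped."""
    return acl_permits(entries, flow)


# Constructed flows.  Devices sit on port 24; the two clients are on ports 3 and 5.
FLOWS = [
    Flow(ALLOWED_CLIENT, DEVICES_BEHIND_PORT_24[0], 3),   # allowed client -> device
    Flow(DEVICES_BEHIND_PORT_24[0], ALLOWED_CLIENT, 24),  # device -> allowed client
    Flow(ROGUE_CLIENT, DEVICES_BEHIND_PORT_24[0], 5),     # anyone else -> device
    Flow(DEVICES_BEHIND_PORT_24[0], ROGUE_CLIENT, 24),    # device -> anyone else
    Flow(DEVICES_BEHIND_PORT_24[0], DEVICES_BEHIND_PORT_24[1], 24),  # device -> device
]


def placement_results(flows=FLOWS, acl_text=ACL_101):
    """For each placement, whether each flow in order is forwarded."""
    entries = parse_acl(acl_text)
    return {
        "svi": [svi_acl_permits(entries, f) for f in flows],
        "port24_in": [port_acl_permits(entries, f) for f in flows],
        "vlan_map": [vlan_map_permits(entries, f) for f in flows],
    }


if __name__ == "__main__":
    for placement, verdicts in placement_results().items():
        print(placement, ["forward" if v else "drop" for v in verdicts])
```

Run as is, the SVI placement forwards all five flows, because nothing in a single-VLAN setup is routed; the inbound port ACL on port 24 stops the devices from answering anyone but the allowed client (enough to break TCP, not enough to stop one-way UDP or a scan reaching the devices); only the VLAN map drops the rogue client's own frames as well. The last flow, device to device, is dropped by both the port ACL and the VLAN map but only if the devices occupy separate switch ports; if the five sit behind a hub or an unmanaged switch on port 24, that frame never enters the Cisco switch and no ACL sees it. The per-port isolation Walter describes is, on the 2950/3550/3750, what `switchport protected` on the device ports gives you without any ACL (my addition, not from the thread).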