Newbie ACL Help on Cisco Switch

Discussion in 'Cisco' started by Jake, Nov 10, 2005.

  1. Jake

    Jake Guest

    I'm attempting to configure an ACL on a Cisco switch but it seems to be a bit
    different than the routers.

    I need to allow only one host to talk through port 24 of my switch but it won't
    let me apply an ACL to a single port.
    So I need to apply it to VLAN1.

    I have 5 devices sitting behind port 24 - each with its own IP.
    I need to deny ALL but one IP from talking with the 5 hosts/IPs.

    How would the ACL look for this situation?

    Thanks in advance for any help!
     
    Jake, Nov 10, 2005
    #1

  2. In article <60ef$43738816$8b37f035$>,
    Jake <> wrote:
    :I'm attempting to configure an ACL on a Cisco switch but it seems to be a bit
    :different than the routers.

    :I need to allow only one host to talk through port 24 of my switch but it won't
    :let me apply an ACL to a single port.
    :So I need to apply it to VLAN1.

    Hmmm... ACLs on a switch, VLANs on the same switch, the possibility
    of applying ACLs to that VLAN.... explicit differentiation between
    'switch' and 'router'....

    My deduction is that you are either using an older switch with CatOS,
    or else that you are using a newer switch such as the Cat 2950 or
    Cat 3550 (or 3750, but you probably wouldn't have called that a 'switch'.)

    :I have 5 devices sitting behind port 24 - each with its own IP.
    :I need to deny ALL but one IP from talking with the 5 hosts/IPs.

    :How would the ACL look for this situation?

    If you are indeed using a 3550/3750, then the behaviour
    is different depending on whether the port is set to access mode or
    not. In switching mode, you can (if I recall correctly) apply
    ACLs per port; in access mode, the ACLs have to go on the VLAN.

    If you are using a 2950 or 3550/3750 and you have to apply the
    ACL to the VLAN, then if I correctly recall something I briefly
    skimmed in this newsgroup a few weeks ago, the ACL is applied
    *outgoing* on the VLAN.

    Something like...

    access-list 101 permit ip host SERVER host CLIENT1
    access-list 101 permit ip host SERVER host CLIENT2
    access-list 101 permit ip host SERVER host CLIENT3

    interface VLAN101
    ip access-group 101 <mumble>


    However, if you -are- using a 3750 (or 3550?) then there is another
    facility entirely that you may wish to consider. The 3750 (and
    possibly other relatives) has a facility to define port groups
    in which all incoming data to any member of the port group is
    directed to a particular set of output ports, and only those output
    ports are allowed to send traffic to any member of the port group.
    In particular, the port group members are not allowed to send data
    amongst themselves directly... something that is easy to overlook
    if you use an ACL based scheme (e.g., if CLIENT1 sends to CLIENT2
    then does the traffic "exit" VLAN1 in such a way that the ACL
    gets interposed?)
    --
    Programming is what happens while you're busy making other plans.
     
    Walter Roberson, Nov 10, 2005
    #2
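Added example (not from either poster): one way to write the filter Jake describes on a Catalyst 3550, using a VLAN access map rather than a router ACL on the SVI, so that traffic bridged between ports inside VLAN 1 is filtered as well as traffic routed through the VLAN interface. The addresses are constructed (RFC 5737 documentation range) and the VLAN-map command syntax is assumed to be the 3550 IOS form; the ACL and map names are made up for this example.

```cisco
! Constructed addresses: 192.0.2.10 is the one client allowed through;
! the five hosts behind port 24 are 192.0.2.104-.108. The wildcard
! 192.0.2.104 0.0.0.7 covers .104-.111, leaving three spare addresses.
ip access-list extended PORT24-ALLOWED
 remark traffic between the permitted client and the five hosts, both ways
 permit ip host 192.0.2.10 192.0.2.104 0.0.0.7
 permit ip 192.0.2.104 0.0.0.7 host 192.0.2.10
!
ip access-list extended PORT24-HOSTS
 remark everything else to or from the five hosts (selected here, dropped below)
 permit ip any 192.0.2.104 0.0.0.7
 permit ip 192.0.2.104 0.0.0.7 any
!
! In a VLAN map the ACL only selects packets; the action decides what
! happens to them. Entries are tried in sequence order, and a packet
! that matches no entry is dropped, so a catch-all forward entry is needed
! to keep ARP and other non-IP frames (and unrelated IP traffic) flowing.
vlan access-map PORT24-FILTER 10
 match ip address PORT24-ALLOWED
 action forward
vlan access-map PORT24-FILTER 20
 match ip address PORT24-HOSTS
 action drop
vlan access-map PORT24-FILTER 30
 action forward
!
! Note: entry 20 also drops traffic between the five hosts themselves
! (e.g. .104 -> .105). If they must reach each other, add a forward
! entry before 20 matching 192.0.2.104 0.0.0.7 to 192.0.2.104 0.0.0.7.
vlan filter PORT24-FILTER vlan-list 1
!
! Verify the map is attached and the entries are in the intended order:
!   show vlan filter
!   show vlan access-map PORT24-FILTER
```

Before relying on it, test from a host that should be blocked as well as from the permitted client, since a VLAN map with a wrong catch-all can silently cut off the whole VLAN.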
