ACL on same subnet?

qbakies11 (Level 1)

I have a single server to which I need to limit access. Without completely tearing down and rebuilding my network with proper segmentation (which I plan on doing next year) is there a way I can do this with my current equipment and layout? I have:

*1 subnet (192.168.0.1) for LAN which includes servers, printers, and PCs

*3548XL Catalyst switches

*1 2811 router


6 Replies

sachinraja (Level 9)

Hello Quinton..

It is a tedious job to restrict access on layer 2. You can use private VLANs, but you must be very sure of what traffic should flow between your end devices! You can also use layer 2 or MAC-based VLANs, but your switch seems to be too old for it! Try your luck; see if you have "mac access-list" commands. You can define these ACLs and apply them on the relevant port. This URL might help you:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

I think you can bifurcate the LAN, instead of doing this complex stuff, and get it going with Layer 3 access controls.

Hope this helps.. all the best..

Raj

That's what I was afraid of, but thanks for the answer. Can you point me to a good explanation on creating VLANs for my subnet so I can get this thing segmented?

Quinton

Here is a document showing how to use a switch and subinterfaces on a router to create and route between 2 vlans. If you have spare interface(s) on your 2811 then you don't need subinterfaces, but I'm assuming you don't. (Note: if you do, let us know, as it's a lot simpler.)

Scroll down to the table showing 802.1q support in catalyst switches to make sure you have the correct IOS on your 3548XL. Also the router in this example doc is a 2600 but your 2800 will be fine -

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

For each vlan you need a different IP subnet.

Jon

I'm not using the Fe0/1 on my 2811.

Then things are a lot simpler.

Do you know which vlan all the ports are in on your 3548 switch? Please post the output of

3548# sh vlan

To then create a new vlan that is routed these are the basic steps

1) Choose a new IP subnet - eg. 192.168.5.0/24

2) Allocate .1 from that subnet onto the fe0/1 interface on your 2811

int fa0/1
 ip address 192.168.5.1 255.255.255.0
 no shut

3) Create a new L2 vlan on your 3548 switch - we'll use vlan 2 as an example -

3548# vlan database

3548(vlan)# vlan 2 name server_vlan

3548(vlan)# apply

4) Allocate the port on the switch that the 2811 fe0/1 interface connects to into vlan 2

3548(config)# int fa0/1
3548(config-if)# switchport access vlan 2

5) For any machines you want to move into vlan 2, repeat step 4 for the ports that these machines connect into.

These machines will need an IP address from the 192.168.5.x range and will have their default-gateway set to 192.168.5.1 (fa0/1 interface on 2811).

After that you can then use extended access-lists to control traffic between your 2 vlans and these access-lists would be applied to the 2811 interface.

If you need help with the access-lists once you have done the above let us know.

Jon
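The post above stops short of the access-list itself. The configuration below is an added example, not part of Jon's reply or the original thread, showing what the last step (extended ACL on the 2811 interface) looks like for the layout he describes. It assumes fa0/0 on the 2811 is the existing LAN gateway at 192.168.0.1/24, the protected server is 192.168.5.10, and 192.168.0.50 and 192.168.0.51 are the only LAN hosts that should reach it; those addresses and the port numbers are placeholders to adjust.

```cisco
! 2811 - added example, not from the thread. Assumed addressing:
!   fa0/0  192.168.0.1/24   existing LAN (PCs, printers, other servers)
!   fa0/1  192.168.5.1/24   new server VLAN (vlan 2 on the 3548XL)
!   192.168.5.10            the server being protected (assumed)
!   192.168.0.50, .51       the only LAN hosts allowed in (assumed)
!
! Named extended ACL. Order matters: IOS stops at the first match,
! and an unmatched packet hits the implicit deny at the end.
ip access-list extended TO_SERVER_VLAN
 remark two admin PCs may reach the server on RDP and SMB
 permit tcp host 192.168.0.50 host 192.168.5.10 eq 3389
 permit tcp host 192.168.0.50 host 192.168.5.10 eq 445
 permit tcp host 192.168.0.51 host 192.168.5.10 eq 3389
 permit tcp host 192.168.0.51 host 192.168.5.10 eq 445
 remark let the whole LAN ping the server so reachability can be tested
 permit icmp 192.168.0.0 0.0.0.255 host 192.168.5.10 echo
 remark return traffic for TCP sessions the server itself opens to the LAN
 permit tcp 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255 established
 remark everything else heading into the server VLAN is dropped and logged
 deny ip any any log
!
! Apply it OUTBOUND on fa0/1: that direction is traffic leaving the
! router toward the server VLAN, which is exactly what we want to gate.
! Applying it inbound on fa0/0 would also filter the LAN's Internet traffic.
interface FastEthernet0/1
 description server_vlan (vlan 2 on 3548XL)
 ip address 192.168.5.1 255.255.255.0
 ip access-group TO_SERVER_VLAN out
 no shutdown
!
! Verify the binding and watch the hit counters while testing from a PC:
!   show ip interface FastEthernet0/1 | include access list
!   show access-lists TO_SERVER_VLAN
!   clear access-list counters TO_SERVER_VLAN
```

Two caveats a practitioner will want. First, the ACL only sees traffic that crosses the router: anything you place in vlan 2 alongside the server talks to it at layer 2 and is never filtered, so put only the server (or servers that need the same policy) in that VLAN. Second, `log` on the final deny is useful while you tune the rules, but logged packets are process-switched on the 2811; once the list is stable, drop the keyword or rate-limit logging.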

Extremely helpful, thank you! I'll work on this and post any other questions.
