Access List on L2 switch

Answered Question
Dec 8th, 2009

hi,

If we need to control traffic entering an interface of an L2 switch port, can we create an access list and apply it to the switch gigabit ports just like on a router?

Example : named access list telnet_access_only

int gi0/0

ip access-group telnet_access_only in

With this access list we allow only telnet traffic to enter the port, with the default "deny all" at the end.

The host connected to gig0/0 will be able to make only telnet connections, as specified in the access list. Is this correct? Most likely it is correct.

If we need to apply a similar access-list to all ports in a particular VLAN on the L2 switch, and we apply this access-list to the VLAN interface, will it get applied to all ports that are members of that particular VLAN?

int vlan 10

ip access-group telnet_access_only in

In this case, will the access list allow only telnet traffic to enter (on all VLAN 10 member ports) and block all the rest, as specified in the access-list?

Is this understanding correct?

Thanks

Subodh

Correct Answer
Jon Marshall Tue, 12/08/2009 - 11:33

bapatsubodh wrote:

hi,

If we need to control traffic entering an interface of an L2 switch port, can we create an access list and apply it to the switch gigabit ports just like on a router?

Example : named access list telnet_access_only

int gi0/0

ip access-group telnet_access_only in

With this access list we allow only telnet traffic to enter the port, with the default "deny all" at the end.

The host connected to gig0/0 will be able to make only telnet connections, as specified in the access list. Is this correct? Most likely it is correct.

If we need to apply a similar access-list to all ports in a particular VLAN on the L2 switch, and we apply this access-list to the VLAN interface, will it get applied to all ports that are members of that particular VLAN?

int vlan 10

ip access-group telnet_access_only in

In this case, will the access list allow only telnet traffic to enter (on all VLAN 10 member ports) and block all the rest, as specified in the access-list?

Is this understanding correct?

Thanks

Subodh

Subodh

Yes, you can apply an access-list to an interface on an L2 switch using IP addresses and port numbers, or at least the modern L2 switches. And yes, if you wanted to apply the ACL to all members of a VLAN you would apply it to the VLAN interface.

Jon

milan.kulik Wed, 12/09/2009 - 08:52

Hi Jon,

I'm afraid you are not correct here.

When applying ACLs on a pure L2 switch, you can apply them only on a physical interface or the management interface, with many restrictions (like "All ACEs in an ACL must have the same user-defined mask"); see the "Guidelines for Applying ACLs to Physical Interfaces" section of

https://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html#wp1082773

(Some later L2 switches, the 2960s, e.g., seem to reduce the number of restrictions though.)

Even when applying an ACL on an L3 switch, there are some restrictions; see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/swacl.html#wp1285529

And definitely, applying an access-list to a VLAN interface will NOT get it applied to all ports that are members of that particular VLAN!

int vlan 10

ip access-group telnet_access_only in

will apply the ACL on the virtual L3 int vlan 10 only, i.e., any non-telnet traffic that remains within VLAN10 will NOT be dropped when coming in on a physical interface assigned to VLAN10.

BR,

Milan

Jon Marshall Wed, 12/09/2009 - 09:47

milan.kulik wrote:

Hi Jon,

I'm afraid you are not correct here.

When applying ACLs on a pure L2 switch, you can apply them only on a physical interface or the management interface, with many restrictions (like "All ACEs in an ACL must have the same user-defined mask"); see the "Guidelines for Applying ACLs to Physical Interfaces" section of

https://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html#wp1082773

(Some later L2 switches, the 2960s, e.g., seem to reduce the number of restrictions though.)

Even when applying an ACL on an L3 switch, there are some restrictions; see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/swacl.html#wp1285529

And definitely, applying an access-list to a VLAN interface will NOT get it applied to all ports that are members of that particular VLAN!

int vlan 10

ip access-group telnet_access_only in

will apply the ACL on the virtual L3 int vlan 10 only, i.e., any non-telnet traffic that remains within VLAN10 will NOT be dropped when coming in on a physical interface assigned to VLAN10.

BR,

Milan

Milan

No need to be afraid, we all make mistakes.

Not sure I follow the first point. I said you could apply an ACL to an L2 port, i.e. a physical interface, and you seem to be saying the same thing, yet you are saying I am wrong.

I also never said there weren't restrictions, but then that was not the question, was it?

I agree with the last point, although not actually for the reasons you give. It's not to do with VLAN traffic remaining within the VLAN, because I really don't think that was what Subodh was referring to. I think he was referring to traffic coming in from another VLAN. Because it's an L2 switch, obviously the VLAN interface is not the gateway for the ports in the same VLAN on the switch.

Subodh - apologies for the misleading statement on the VLAN interface. What I said would apply to an L3 switch with a VLAN interface, but not to an L2 switch.

Jon

milan.kulik Wed, 12/09/2009 - 11:56

Hi Jon,

OK, your original answer was not incorrect.

But as the original question was

"If we need to control traffic entering an interface of an L2 switch port, can we create an access list and apply it to the switch gigabit ports just like on a router?"

then the answer

"Yes, you can apply an access-list to an interface on an L2 switch using IP addresses and port numbers, or at least the modern L2 switches."

is IMHO a little misleading and requires a comment "but with many restrictions".

Regarding the second question:

IMHO, the traffic referred to could not be coming in from another VLAN, as the command was

int vlan 10

ip access-group telnet_access_only in

i.e., traffic incoming from the same VLAN10.

So I'm not sure what situation had been mentioned: Either a management VLAN interface on an L2 switch or an L3 SVI on an L3 switch?

BR,

Milan

Jon Marshall Wed, 12/09/2009 - 12:25

Milan

"Yes, you can apply an access-list to an interface on an L2 switch using IP addresses and port numbers, or at least the modern L2 switches."

is IMHO a little misleading and requires a comment "but with many restrictions".

Fair point, I agree that it is a little misleading without adding the bit about the limitations.

So I'm not sure what situation had been mentioned: Either a management VLAN interface on an L2 switch or an L3 SVI on an L3 switch?

Good point, I hadn't registered that the ACL was applied inbound and therefore would only apply to clients on that VLAN. I assumed that it was

a) an L3 switch interface

and because of this

b) that therefore the ACL was applied outbound.

That will teach me to be a bit more careful.

Thanks for the corrections.

Jon

Jon Marshall Wed, 12/09/2009 - 12:30

Subodh

Apologies for making a bit of a mess of this answer. Thanks to Milan for clarifying -

1) Yes, you can apply an ACL to an L2 interface, but as Milan pointed out there are quite a few restrictions compared to a standard router ACL.

2) On an L2 switch the VLAN interface is not used to control access to the clients on the switch, even if they are in the same VLAN. So applying an ACL to the L3 SVI on an L2 switch would not control access to all the ports within that VLAN.

On an L3 switch, where the L3 SVI is actually responsible for forwarding traffic for that VLAN, you can restrict traffic to all ports within the VLAN by using an ACL on the L3 SVI, but you would apply it outbound and not inbound.

Jon

bapatsubodh Wed, 12/09/2009 - 14:19

Hi,

So finally, if I need to control the traffic (not too complicated control) on the L2 switch, we need the following steps:

1. Create an access list, for example telnet-access-only. (Traffic is entering the ethernet port from the PC connected to this PORT. We need this PC to connect to AIX only by either telnet or SSH.)

2. Then apply this access-list individually to each physical interface and not to the VLAN interface. This VLAN interface is NOT the default gateway of the hosts that are members of this VLAN.

int gig 0/0

ip access-group telnet-access-only in (this will allow only telnet from the PC connected to gig0/0 and will drop any other traffic)

3. If this is an L3 switch then I can apply the access-list to the VLAN interface and that will apply to all ports that are members of this VLAN.

int vlan 10

ip access-group telnet-access-only

This will apply telnet-access-only to all ports that are members of VLAN 10. So PCs in VLAN 10 will be allowed only to use telnet and nothing else.

I think I got all points correct.

Please let me know if I am correct.

Thanks

Subodh

milan.kulik Thu, 12/10/2009 - 00:15

Hi Subodh,

ad 1. and 2. - correct

ad 3. it depends on the direction in which you apply the ACL:

int vlan 10

ip access-group telnet-access-only in

will apply the ACL on the traffic leaving VLAN10 only.

I.e., any traffic (MS neighbor browsing or Ping, e.g.) between PCs inside VLAN10 will still be allowed.

int vlan 10

ip access-group telnet-access-only out

will apply the ACL on the traffic entering VLAN10 (from other routed VLANs) only.

I.e., only Telnet traffic will be allowed to enter VLAN10 from other routed VLANs.

If you want to allow all PCs in the VLAN 10 to use telnet and nothing else, you need to apply

int gig x/y

ip access-group telnet-access-only in

on each interface gig x/y to which those PCs are connected.

You can use the interface range command to save some time when configuring multiple interfaces with the same parameters

(see http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_se/configuration/guide/swint.html#wp1050439 )

BR,

Milan
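Putting Milan's steps 1 to 3 together as one Cisco IOS configuration, added here as an example that is not from the thread or from Cisco's documentation; the ACL body, the AIX address 198.51.100.10, the VLAN 10 subnet and the port range Gi0/1 - 24 are constructed placeholders.

```cisco
! Added example, not from the thread. All addresses and port ranges
! are constructed placeholders.
!
! Step 1: named extended ACL. Only Telnet and SSH to the AIX host
! (198.51.100.10, placeholder) are permitted; every other IP packet
! hits the implicit "deny ip any any" at the end.
ip access-list extended telnet-access-only
 permit tcp any host 198.51.100.10 eq 23
 permit tcp any host 198.51.100.10 eq 22
!
! Caveat: with this ACL the PC's own DHCP and DNS traffic is also
! dropped. If the PCs depend on them, permit those flows as well, e.g.
!  permit udp any eq bootpc any eq bootps
!  permit udp any host <dns-server> eq 53
!
! Step 2 (pure L2 switch): apply the ACL inbound on every access port
! that carries a PC. "interface range" configures them in one go, and
! port ACLs on these Catalyst platforms are inbound-only anyway.
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip access-group telnet-access-only in
!
! Applying the same ACL to "interface Vlan10" on the L2 switch does
! NOT filter the access ports; it only filters traffic addressed to
! the switch's own management IP on that VLAN.
!
! Step 3 (L3 switch whose SVI is the VLAN 10 gateway): the direction
! is seen from the SVI, not from the PCs.
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ! "in": traffic arriving from VLAN 10 hosts that is being routed to
 ! other VLANs, such as the PCs' Telnet/SSH sessions to the AIX host.
 ip access-group telnet-access-only in
 ! "out" would instead filter traffic routed from other VLANs into
 ! VLAN 10:
 ! ip access-group telnet-access-only out
!
! Either SVI direction leaves PC-to-PC traffic inside VLAN 10 (ping,
! MS neighbour browsing) unfiltered; only the port ACLs in step 2
! control that.
```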

bapatsubodh Thu, 12/10/2009 - 04:42

Hi Milan.Kulik,

Ya, I understood. An L3 switch VLAN interface is like a router interface; it needs the direction to be configured so that it will apply the access-list rules in the corresponding direction.

Thanks again

Subodh
