Req: Deny ip address range per interface by name access-list

Answered Question
Dec 19th, 2009

Dear Experts,

I need to deny an IP address range per interface on a Cisco 3550 48-port switch, using a named access-list.

My diagram is given below.


interface Port 1 uplink
interface Port 2 uplink

interface ports 3 to 48 are connected to different IP DSLAMs serving different customers.

interface port 3: customer IP range 172.16.47.1 to 254
interface port 4: customer IP range 172.16.51.1 to 254
interface port 5: customer IP range 172.16.49.1 to 254

all the interface ports are in the same VLAN (Vlan-2)

I need: on interface port 3, deny IP range 172.16.51.1 to 254 (port 4 customers) and 172.16.49.1 to 254 (port 5 customers);
          on interface port 4, deny IP range 172.16.47.1 to 254 (port 3 customers) and 172.16.49.1 to 254 (port 5 customers);
          on interface port 5, deny IP range 172.16.47.1 to 254 (port 3 customers) and 172.16.51.1 to 254 (port 4 customers).

How can I make a named access-list to deny IP addresses per interface?

All IP addresses are assigned on the customers' PCs, not on the Cisco 3550 switch.

So how can I deny IP addresses by access-list: on interface port 3 deny the IP ranges of interface ports 4 and 5, and on interface port 4 deny the IP ranges of ports 3 and 5?


So please help me regarding the above-mentioned details.

Thanks in ADV,

Vaib...

Leo Laohoo Sat, 12/19/2009 - 03:44


ip access-list extended badabing
permit ip any 10.16.47.0 0.0.0.255

int f0/3
ip access-group badabing out

ip access-list extended badaboom
permit ip any 10.16.51.0 0.0.0.255

int f0/4
ip access-group badaboom out

ip access-list extended kapow
permit ip any 10.16.49.0 0.0.0.255

int f0/5
ip access-group kapow out

There's an explicit deny any any at the end, so the ACLs allow only the IP addresses you want and the rest is denied.

Message was edited by: leolaohoo

Ganesh Hariharan Sat, 12/19/2009 - 06:26

Hi Vaibhav,

I have a few queries. As you said, you want to deny IP addresses on a per-port basis, but as per your statement below:-

My diagram is given below.


interface Port 1 uplink
interface Port 2 uplink

interface ports 3 to 48 are connected to different IP DSLAMs serving different customers.

interface port 3: customer IP range 172.16.47.1 to 254
interface port 4: customer IP range 172.16.51.1 to 254
interface port 5: customer IP range 172.16.49.1 to 254

all the interface ports are in the same VLAN (Vlan-2)

Are all these ports L2 ports assigned to VLAN 2, or are all these ports assigned an IP address in the above-mentioned range?

Please clarify !!

Regards
Ganesh.H

csawest.dc Sat, 12/19/2009 - 23:06

Dear Ganesh,

All these ports are L2 ports and are assigned to VLAN 2 only; there is no IP address assigned on the VLAN 2 interface, because all the ports are connected to IP DSLAMs at different locations with different IP addresses.


Cisco 3550 port 1 is the uplink from billing server-1, IP 172.16.0.1.

Cisco 3550 port 2 is the uplink from billing server-2, IP 172.16.0.2.

The other interfaces, ports 3 - 48, are connected to IP DSLAMs as uplinks at different locations.

We need: on interface port 3, allow customer IPs 172.16.47.1 to 254 and both server IPs 172.16.0.1 & 172.16.0.2, and deny the IPs of the other interface ports.

On interface port 4, allow IPs 172.16.51.1 to 254 and both server IPs 172.16.0.1 & 172.16.0.2, and deny the other interface ports.

So please help me with how to make this.

All the IP addresses are assigned on the customers' PCs only, not on the VLAN interface or the interface port.

Thanks in ADV,

Vaib...

csawest.dc Sun, 12/20/2009 - 21:41

Dear Ganesh,

Thanks for your great help,

But unfortunately I don't understand how to configure a VLAN map on the Cisco 3550 in global mode and also in interface mode.

On this switch, port 1 is the uplink from billing server 1 (IP 172.16.0.1) and interface port 2 is the uplink from billing server 2 (IP 172.16.0.2).

My requirement is that users on switchports 3 to 48 need to access both servers.

The user IP pool for interface ports 3 to 48 is different for each port, and it is assigned on their PCs only.

All the interfaces from 1 to 48 have access VLAN 2 only.

Interface port 3 should permit access only to the IPs of both servers (172.16.0.1 and 172.16.0.2) and its customers (172.16.47.1 to 254); other IP addresses need to be denied.

Interface port 4 should permit access only to the IPs of both servers (172.16.0.1 and 172.16.0.2) and its customers (172.16.51.1 to 254); other IP addresses need to be denied.

So please help me regarding the above-mentioned details.

Thanks in ADV,

Vaib...

Ganesh Hariharan Sun, 12/20/2009 - 22:18

Hi Vaibhav,

As you said, all switch ports are in the same VLAN 2, right, but the IP addresses connected to ports 3 to 48 are different.

Create an access-list for every subnet; let me share one example with you:-

IP access-list extended client1port3

permit ip 172.16.47.0/24 172.16.0.1

permit ip 172.16.47.0/24 172.16.0.2

conft#vlan access-map "Serverpermit "

-map# match ip address client1port3

-map#action permit

vlan filter Serverpermit vlan-list 2

The above VLAN access map needs to be applied on VLAN 2, and it will permit traffic only to the two servers; the rest will be denied. So for every subnet you need to create an access list in the above manner and just permit it to the specific servers; the implicit deny will be there, so no one else can communicate.

Hope this will help your query !!

Regards

Ganesh.H

csawest.dc Sun, 12/20/2009 - 23:06

Dear Ganesh,

Dear Sir, I am again confused (sorry for that), because you said I need to apply it on VLAN interface 2.

IP access-list extended client1port3

permit ip 172.16.47.0/24 172.16.0.1

permit ip 172.16.47.0/24 172.16.0.2

conft#vlan access-map "Serverpermit "

-map# match ip address client1port3

-map#action permit

vlan filter Serverpermit vlan-list 2

The above VLAN access map needs to be applied on VLAN 2, but sir, all the ports (1 to 48) access through VLAN 2. The above VLAN access-map "serverpermit" needs to apply on VLAN 2 for port 3 only; and for the others, from 4 to 48? Apply an access-map on interface VLAN 2? How can I?

Can I do this for port 3?

IP access-list extended client1port3

permit ip 172.16.47.0 0.0.0.255 any

permit ip 172.16.0.1 0.0.0.0  any

permit ip 172.16.0.2 0.0.0.0 any

deny ip any any

and apply this access list on interface port 3?

For port 4

ip access-list extended client1port4

permit ip 172.16.51.0 0.0.0.255 any

permit ip 172.16.0.1 0.0.0.0 any

permit ip 172.16.0.2 0.0.0.0 any

deny ip any any

and apply this access-list on port 4?

Please let me know

Thanks in ADV,

Vaib...

Ganesh Hariharan Sun, 12/20/2009 - 23:17

Hi Vaibhav,

A VLAN access map applies only to a VLAN. As per your requirement, all your ports are in a common VLAN, VLAN 2, with different IP subnets coming in on the switch ports.

Create an extended IP access list for the port 3 IP subnet, permitting only the two servers; the rest will be denied.

IP access-list extended client1port3

permit ip 172.16.47.0/24 host 172.16.0.1

permit ip 172.16.47.0/24 host 172.16.0.2

conft#vlan access-map "Serverpermit "

-map# match ip address client1port3

-map#action permit

vlan filter Serverpermit  vlan-list 2

As soon as you deploy the above config on VLAN 2, it will permit IP subnet 172.16.47.0/24 to talk with the uplink servers only, and the rest will be denied.

So before applying the VLAN access-map, kindly check the ACL thoroughly for all subnets; otherwise traffic will be denied by the implicit deny statement.

As you can see in bold, the VLAN access-map is applied to the VLAN on the switch.

Hope this helps

Regards

Ganesh.H

csawest.dc Sun, 12/20/2009 - 23:48

Dear Ganesh,

Please check my below-mentioned templates for ports 3, 4 and 5.

For port 3

IP access-list extended client1port3

permit ip 172.16.47.0  0.0.0.255  host 172.16.0.1

permit ip 172.16.47.0  0.0.0.255 host 172.16.0.2

deny ip any any

conft#vlan access-map "Serverpermit3 "

-map# match ip address client1port3

-map#action permit

vlan filter Serverpermit3  vlan-list 2

For port 4

ip access-list extended client1port4

permit ip 172.16.51.0  0.0.0.255 host 172.16.0.1

permit ip 172.16.51.0  0.0.0.255 host 172.16.0.2

deny ip any any

config#vlan access-map serverpermit 10

-map#match ip address client1port4

-map#action permit

For port 5

ip access-list extended client1port5

permit ip 172.16.49.0  0.0.0.255 host 172.16.0.1

permit ip 172.16.49.0  0.0.0.255 host 172.16.0.2

deny ip any any

config#vlan access-map serverpermit 20

-map#match ip address client1port5

-map#action permit

vlan filter serverpermit vlan-list 2    (for all ports from port 3 to 48)

Please check my above configuration templates: are they right, or do they need any changes?

Thanks in adv,

Vaib...

Correct Answer
Ganesh Hariharan Mon, 12/21/2009 - 01:25

Hi Vaibhav,

Check out the below config. Just add a sequence number also when deploying the VLAN access map, and the VLAN access map name needs to be the same for all ACLs, as the sequence numbers will be followed for the ACLs.

IP access-list extended client1port3

permit ip 172.16.47.0  0.0.0.255  host 172.16.0.1

permit ip 172.16.47.0  0.0.0.255 host 172.16.0.2

deny ip any any

config#vlan access-map "Permittedips" 10

-map# match ip address client1port3

-map#action permit

For port 4

ip access-list extended client1port4

permit ip 172.16.51.0  0.0.0.255 host 172.16.0.1

permit ip 172.16.51.0  0.0.0.255 host 172.16.0.2

deny ip any any

config#vlan access-map "Permittedips" 20

-map#match ip address client1port4

-map#action permit

For port 5

ip access-list extended client1port5

permit ip 172.16.49.0  0.0.0.255 host 172.16.0.1

permit ip 172.16.49.0  0.0.0.255 host 172.16.0.2

deny ip any any

config#vlan access-map "Permittedips" 30

-map#match ip address client1port5

-map#action permit

vlan filter Permittedips vlan-list 2

Hope this helps out your problem !!

Regards

Ganesh.H

csawest.dc Mon, 12/21/2009 - 04:19

Dear Ganesh,

Thank you very much for your extremely great support; I very much appreciate it.

Now I will try to do this within a couple of days and then let you know what happened.

Thanks Once again!!!

Cheers!!!

Vaib...

csawest.dc Tue, 12/22/2009 - 21:33

Dear Ganesh,

I made the below-mentioned configuration templates for customers at three different locations on the Cisco 3550, for three different ports: 3, 4, 5.

Do I need to apply on the interface: ip access-group sanchar in (on port 3)?

                                                   ip access-group AD in (on port 4)?

                                                   ip access-group TELECOM in (on port 5)?

Because if port 3 (Sanchar) customers are given by mistake an IP address from the AD DSLAM range, they can access 172.16.0.1 and .2, I think, because they are in the same VLAN.

Because if they (port 3 customers) are given an IP address from the port 4 IP range, they should not be allowed to access both servers; or if port 5 users are given an IP address from the port 3 range, they also need to be denied access to both servers.

For Sanchar DSLAM (port 3)

ip access-list extended Sanchar
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 1
-map#match ip address Sanchar
-map#action forward

For AD DSLAM (port 4)

ip access-list extended AD
permit ip 172.16.47.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.47.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.30.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.30.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 2
-map#match ip address AD
-map#action forward


For TELECOM DSLAM

ip access-list extended TELECOM
permit ip 172.16.49.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.49.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.32.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.32.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 3
-map#match ip address TELECOM
-map#action forward

Vlan filter Permittedips vlan-list 2

Thanks in ADV,

Vaib...

Ganesh Hariharan Tue, 12/22/2009 - 22:09

Hi Vaibhav,

As for applying a VACL: it applies only to a VLAN, not to any port like a normal ACL, and as you have already stated, all your ports are in the same VLAN, that is, 2.

So as per the configuration, the three ACLs below will be checked sequence-wise once you apply that VLAN access map on VLAN 2.

I will just clarify with one example from your config:-

ip access-list extended Sanchar
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 1
-map#match ip address Sanchar
-map#action forward

Vlan filter Permittedips vlan-list 2

With the above sample config, whenever there is traffic from a permitted source IP in VLAN 2 to the specific destination, it will be permitted, and all other traffic will be denied.

All the traffic coming into VLAN 2 will go through the VLAN access map with its matched IP access list, and if there is a match, the action will be taken as per the VLAN access map.

Hope that clears your doubt and query !!

Regards

Ganesh.H

csawest.dc Tue, 12/22/2009 - 22:24

Dear Ganesh,

But sir, suppose port 3 customers (Sanchar) are given an IP address from the port 4 range (AD); after that they can also access both servers, OK?

I need that if port 3 customers are given by mistake an IP address from the port 4 range, then they cannot access both servers; that's why I need to

apply the ip access-group xxxx in command.

What do you suggest to me?

Please guide me.

Thanks in ADV,

Vaib...

csawest.dc Wed, 12/23/2009 - 04:38

Dear Ganesh,

Please advise me on my last confusion, that is,

But sir, suppose port 3 customers (Sanchar) are given an IP address from the port 4 range (AD); after that they can also access both servers, because all the ports are in the same VLAN and are configured to access both server IPs; that's why,

I need that if port 3 customers are given by mistake an IP address from the port 4 range, then they cannot access both servers; that's why I need the

below-mentioned command. I don't know whether it is really needed or not.

Do I need to apply the ip access-group xxxx in command per interface?

What do you suggest to me?

Please guide me.

Thanks in ADV,

Vaib...

Ganesh Hariharan Wed, 12/23/2009 - 07:11

Sorry Vaibhav,

I got stuck in a meeting; that's why I was unable to answer your query. First, clarify for me how a port 3 user will get the IP address of the port 4 users.

And as your config also says, port 3, port 4 and port 5 users need to access only the above-said servers.

And the ip access-group command needs to be applied on an interface; here all your switch ports are L2 ports. So my suggestion is: you have created 3 ACLs for the three ports' customer IP addresses, permitting them to the two servers.

Apply the VLAN access-map on VLAN 2 and check that those particular IPs are talking only to the servers, and not to other ports' user IP addresses either.

If you face any issue after applying the VLAN access map on the VLAN, to roll back or to delete the VLAN access-map just remove it from the VLAN where you applied it.

no vlan filter vlan 2 will be the command to restore the current, as-usual traffic flow.

Hope that clears your query !!

Regards

Ganesh.H
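The behaviour Ganesh describes above (the VACL checks the three ACLs sequence-wise for every packet entering VLAN 2, whichever port it arrived on) and Vaibhav's worry about a port 3 customer using an address from the port 4 range both come down to where the ACL is evaluated. The Python below is an added simulation, not Cisco code and not from this thread: it models first-match ACL lookup with Cisco wildcard masks, a VACL with implicit drop, and a per-port inbound ACL, reusing the Sanchar/AD/TELECOM lists from the thread; the port-to-ACL bindings and the sample packets are constructed.

```python
from ipaddress import IPv4Address

def _ip(s):
    return int(IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def host(ip):                              # 'host x.x.x.x'
    return (ip, "0.0.0.0")

def net24(base):                           # 'x.x.x.0 0.0.0.255'
    return (base, "0.0.0.255")

ANY = ("0.0.0.0", "255.255.255.255")       # 'any'
SERVERS = ("172.16.0.1", "172.16.0.2")

def customer_acl(*subnets):
    """ACEs as (action, (src, src_wc), (dst, dst_wc)), ending in deny ip any any."""
    aces = [("permit", net24(s), host(d)) for s in subnets for d in SERVERS]
    return aces + [("deny", ANY, ANY)]

# The three extended ACLs from the thread (constructed copy).
ACLS = {
    "Sanchar": customer_acl("172.16.45.0", "172.16.28.0", "192.168.1.0"),
    "AD":      customer_acl("172.16.47.0", "172.16.30.0", "192.168.1.0"),
    "TELECOM": customer_acl("172.16.49.0", "172.16.32.0", "192.168.1.0"),
}

def acl_lookup(acl, src, dst):
    """First-match semantics; None means the ACL's implicit deny applied."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return None

# vlan access-map Permittedips 1/2/3 ... action forward; vlan filter Permittedips vlan-list 2
VACL_VLAN2 = [(1, "Sanchar", "forward"), (2, "AD", "forward"), (3, "TELECOM", "forward")]

def vacl_decision(vacl, src, dst):
    """The VACL sees every packet entering VLAN 2, whatever port it came in on.
    A map clause matches when the packet hits a permit ACE of its ACL (a deny
    ACE just moves on to the next clause); no match at all means drop."""
    for _seq, acl_name, action in sorted(vacl):
        if acl_lookup(ACLS[acl_name], src, dst) == "permit":
            return action
    return "drop"

# Constructed 'ip access-group <name> in' bindings per physical port.
PORT_ACLS = {"Fa0/3": "Sanchar", "Fa0/4": "AD", "Fa0/5": "TELECOM"}

def port_acl_decision(port, src, dst):
    """A port ACL is evaluated only on the ingress port, so a source address
    outside that port's own range is dropped even though the VLAN is shared."""
    acl = ACLS[PORT_ACLS[port]]
    return "forward" if acl_lookup(acl, src, dst) == "permit" else "drop"

def compare(port, src, dst):
    return {"vacl": vacl_decision(VACL_VLAN2, src, dst),
            "port_acl": port_acl_decision(port, src, dst)}

if __name__ == "__main__":
    # Constructed packets: a legitimate Sanchar user, a Sanchar-port user with an
    # address from the AD range, and a customer trying to reach another customer.
    for pkt in [("Fa0/3", "172.16.45.10", "172.16.0.1"),
                ("Fa0/3", "172.16.47.10", "172.16.0.1"),
                ("Fa0/3", "172.16.45.10", "172.16.49.20")]:
        print(pkt, compare(*pkt))
```

The second packet is the case Vaibhav asks about: the VLAN-wide map forwards it because the AD clause matches, while the per-port ACL drops it.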

csawest.dc Wed, 12/23/2009 - 20:51

Dear Ganesh,

You are G-Gentleman person!!!

Now I have two queries.

1. Some of the users have access from their office and also from home, with the same IP and the same user ID.

  Their office is connected to port 3 and their home is connected to port 5.

  Now we are planning to stop this: they should not be able to connect with the same IP from both ports, and should be permitted only when they connect on the particular port whose permitted IP range includes their IP.

2. These days we are facing a huge problem when flooding occurs from our customers, or a loop is generated by mistake in a local switch at the customer end.

The problem is that when flooding occurs from any port, at that time our server hangs or becomes slow, and it affects all our customers: they are not able to ping our server.

So how can we stop or control it per port, so that when flooding occurs that port is shut down and there is no effect on other customers?

At present, on the Cisco 3550, more than 60 users are connected per port.

So how can I solve this issue, to control or stop it when flooding or a loop is generated? I need maximum security per port.

Thanks in ADV,

Vaib...

Ganesh Hariharan Wed, 12/23/2009 - 21:50

Dear Vaibhav,

For the below-mentioned query, I suggest don't go with a VLAN access map, as a VLAN access map will filter the traffic as per the ACL match from whichever port the traffic is coming into the VLAN.

Check out the following links for port-based ACLs and storm control methods on switches, for both the queries you have asked.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/sec_ipacls.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_se/configuration/guide/swtrafc.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swv6acl.html

Hope this resolves your query !!

Regards

Ganesh.H

csawest.dc Wed, 12/23/2009 - 22:18

Dear Ganesh,

Please check my configuration templates for the Cisco 3550, ports 3 to 48, which are connected to DSLAMs, except ports 1 and 2, which are both uplink ports connected to the two servers.

What do you suggest about my below config templates? Do they need to change?

CONFIGURATION IN GLOBAL MODE:

mac access-list extended Block-Invalid-Frames
deny   any host 0180.c200.0000
deny   any host 0180.c200.0001
deny   any host 0180.c200.0002
deny   any host 0180.c200.0003
deny   any host 0100.0c00.0000
deny   any host 0100.0ccc.cccc
deny   any host 0100.0ccc.cccd
deny   any host 0100.0ccd.cdce
deny   any host 0100.0ccd.cdd0
permit any any

For Sanchar DSLAM on port 3

ip access-list extended Sanchar
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 1
-map#match ip address Sanchar
-map#action forward

For AD DSLAM on port 4

ip access-list extended AD
permit ip 172.16.47.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.47.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.30.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.30.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 2
-map#match ip address AD
-map#action forward

 
For TELECOM DSLAM on port 5

ip access-list extended TELECOM
permit ip 172.16.49.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.49.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.32.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.32.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 3
-map#match ip address TELECOM
-map#action forward


Vlan filter Permittedips vlan-list 2

CONFIGURATION IN INTERFACE MODE:

interface FastEthernet0/3
switchport mode access
switchport access vlan 2
switchport protected
switchport port-security
switchport port-security maximum 60
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 5.00 2.00
switchport block multicast
switchport block unicast
storm-control action trap
mac access-group Block-Invalid-Frames in
ip access-group Sanchar in
no cdp enable

interface FastEthernet0/4
switchport mode access
switchport access vlan 2
switchport protected
switchport port-security
switchport port-security maximum 60
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 5.00 2.00
switchport block multicast
switchport block unicast
storm-control action trap
mac access-group Block-Invalid-Frames in
ip access-group AD in
no cdp enable

interface FastEthernet0/5
switchport mode access
switchport access vlan 2
switchport protected
switchport port-security
switchport port-security maximum 60
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 5.00 2.00
switchport block multicast
switchport block unicast
storm-control action trap
mac access-group Block-Invalid-Frames in
ip access-group TELECOM in
no cdp enable

Please help me regarding the above-mentioned config templates.

Thanks once again!!!

Vaib...

Correct Answer
Ganesh Hariharan Wed, 12/23/2009 - 23:09

Hi Vaibhav,

It should work; just check the deny mac-address entries, as you are applying them on all interfaces, because the ACL-permitted IPs are not having the same MAC address.

Before doing any changes, take a complete backup of the switch and also have a rollback plan in hand.

All the best  !!

Regards

Ganesh.H

csawest.dc Wed, 12/23/2009 - 23:29

Dear Ganesh,

OK sir, I will try to do this within a couple of days and then let you know what happened.

Anyway, thanks a lot for your great support.

Have a Nice day!!!

Cheers!!!

Vaib...
