Req: Deny ip address range per interface by name access-list

csawest.dc
Level 3

Dear Experts,

I need to deny an IP address range per interface on a Cisco 3550 48-port switch, using a named access-list.

My diagram is given below.

interface Port 1 uplink
interface Port 2 uplink

interface ports 3 to 48 connected to different IP DSLAMs for different customers.

interface port 3 customers' IP range: 172.16.47.1 to 254
interface port 4 customers' IP range: 172.16.51.1 to 254
interface port 5 customers' IP range: 172.16.49.1 to 254

All the interface ports are in the same VLAN (Vlan-2).

I need:
on interface port 3, deny IP range 172.16.51.1 to 254 (port 4 customers) and 172.16.49.1 to 254 (port 5 customers)
on interface port 4, deny IP range 172.16.47.1 to 254 (port 3 customers) and 172.16.49.1 to 254 (port 5 customers)
on interface port 5, deny IP range 172.16.47.1 to 254 (port 3 customers) and 172.16.51.1 to 254 (port 4 customers)

How can I make a named access-list to deny IP addresses per interface?

We assigned all the IP addresses on the customers' PCs, not in the Cisco 3550 switch.

So how can I deny IP addresses by access-list: on interface port 3 deny the IP ranges of interface ports 4 and 5, and on interface port 4 deny the IP ranges of ports 3 and 5?

So please help me regarding the above-mentioned details.

Thanks in ADV,

Vaib...

Accepted Solutions

Hi Vaibhav,

It should work; just check for deny mac-address, as you are applying it on all interfaces, because the ACL-permitted IPs do not have the same MAC address.

Before doing any changes, take a complete backup of the switch and also have a rollback plan in hand.

All the best!!

Regards

Ganesh.H


21 Replies

Leo Laohoo
Hall of Fame


! customer subnet behind port 3 (172.16.47.0/24 as in the question)
ip access-list extended badabing
 permit ip any 172.16.47.0 0.0.0.255
!
interface FastEthernet0/3
 ip access-group badabing out
!
! customer subnet behind port 4
ip access-list extended badaboom
 permit ip any 172.16.51.0 0.0.0.255
!
interface FastEthernet0/4
 ip access-group badaboom out
!
! customer subnet behind port 5
ip access-list extended kapow
 permit ip any 172.16.49.0 0.0.0.255
!
interface FastEthernet0/5
 ip access-group kapow out

There's an explicit deny any any at the end so the ACLs allow only the IP address you want and the rest is denied.


Ganesh Hariharan
VIP Alumni

Hi Vaibhav,

I have a few queries. As you said, you want to deny IP addresses on a per-port basis, but as per your statement below:-

My diagram is given below.

interface Port 1 uplink
interface Port 2 uplink

interface ports 3 to 48 connected to different IP DSLAMs for different customers.

interface port 3 customers' IP range: 172.16.47.1 to 254
interface port 4 customers' IP range: 172.16.51.1 to 254
interface port 5 customers' IP range: 172.16.49.1 to 254

All the interface ports are in the same VLAN (Vlan-2).

Are all these ports L2 ports assigned to VLAN 2, or are all these ports assigned an IP address in the above-mentioned range?

Please clarify !!

Regards
Ganesh.H

Dear Ganesh,

All these ports are L2 ports and are assigned to VLAN 2 only; no IP address is assigned on the VLAN 2 interface, because all the ports are connected to IP DSLAMs at different locations with different IP addresses.

Cisco 3550 port 1 is an uplink from billing server 1, IP 172.16.0.1.

Cisco 3550 port 2 is an uplink from billing server 2, IP 172.16.0.2.

The other interfaces, ports 3 to 48, are connected to IP DSLAMs as uplinks at different locations.

We need: on interface port 3, allow the customers' IPs 172.16.47.1 to 254 and both server IPs 172.16.0.1 & 172.16.0.2, and deny the IPs of the other interface ports.

On interface port 4, allow IPs 172.16.51.1 to 254 and both server IPs 172.16.0.1 & 172.16.0.2, and deny the other interface ports.

So please help me with how I can make this.

All the IP addresses are assigned on the customers' PCs only, not on the VLAN interface or the interface port.

Thanks in ADV,

Vaib...

Hi Vaibhav,

As per my understanding, all ports are in the same VLAN 2, but each port is connected to a different IP subnet.

Try configuring a VLAN access map to permit certain traffic inside a VLAN and deny the rest.

Check out the link below; hope this helps.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

Regards

Ganesh.H

Dear Ganesh,

Thanks for your great help,

But unfortunately I don't understand how I can configure a VLAN map on a Cisco 3550 in global mode and also in interface mode.

In this switch, port 1 is an uplink from billing server 1 (IP 172.16.0.1), and interface port 2 is an uplink from billing server 2 (IP 172.16.0.2).

My requirement is that users on switchports 3 to 48 need to access both servers, OK.

The IP pools of the users on interface ports 3 to 48 are different, and they are assigned on their PCs only.

All the interfaces from 1 to 48 have access VLAN 2 only.

Interface port 3 should permit access only to the IPs of both servers (172.16.0.1 and 172.16.0.2) and its customers (172.16.47.1 to 254); other IP addresses need to be denied.

Interface port 4 should permit access only to the IPs of both servers (172.16.0.1 and 172.16.0.2) and its customers (172.16.51.1 to 254); other IP addresses need to be denied.

So please help me regarding the above-mentioned details.

Thanks in ADV,

Vaib...

Hi Vaibhav,

As you said, all switch ports are in the same VLAN 2, right, but the IP addresses connected to ports 3 to 48 are different.

Create an access-list for every subnet; let me share one example with you:-

ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
!
vlan access-map Serverpermit
 match ip address client1port3
 action forward
!
vlan filter Serverpermit vlan-list 2

The above VLAN access map needs to be applied to VLAN 2; it will permit traffic only to the two servers, and the rest will be denied. So for every subnet you need to create an access list in the above manner and just permit them for the specific servers; as there is an implicit deny, nothing else can communicate.

Hope this will help your query !!

Regards

Ganesh.H

Dear Ganesh,

Dear Sir, I am again confused (sorry for that), because you said I need to apply it on VLAN interface 2.

ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
!
vlan access-map Serverpermit
 match ip address client1port3
 action forward
!
vlan filter Serverpermit vlan-list 2

The above VLAN access map needs to be applied in VLAN 2, but sir, all the ports are accessed through VLAN 2 (ports 1 to 48). This VLAN access-map "serverpermit" needs to apply on VLAN 2 for port 3 only; and for the others, from 4 to 48?? Apply the access-map on interface VLAN 2?? How??

Can I do this for port 3?

ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 any
 permit ip host 172.16.0.1 any
 permit ip host 172.16.0.2 any
 deny ip any any

and apply this access list on interface port 3???

For port 4:

ip access-list extended client1port4
 permit ip 172.16.51.0 0.0.0.255 any
 permit ip host 172.16.0.1 any
 permit ip host 172.16.0.2 any
 deny ip any any

and apply this access-list on port 4??

Please let me know

Thanks in ADV,

Vaib...

Ganesh Hariharan
VIP Alumni
VIP Alumni

Hi Vaibhav,

A VLAN access map applies only to a VLAN. As per your requirement, all your ports are in a common VLAN, VLAN 2, with different IP subnets coming into the switch ports.

Create an extended IP access list for the port 3 IP subnet, permitting only the two servers; the rest will be denied.

ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
!
vlan access-map Serverpermit
 match ip address client1port3
 action forward
!
vlan filter Serverpermit vlan-list 2

As soon as you deploy the above config in VLAN 2, it will permit IP subnet 172.16.47.0/24 to talk with the uplink servers only, and the rest will be denied.

So before applying the VLAN access-map, kindly check the ACL thoroughly for all subnets; otherwise traffic will be denied by the implicit deny statement.

As you can see above, the VLAN access-map is applied to a VLAN in the switch.

Hope this helps

Regards

Ganesh.H

Dear Ganesh,

Please check my below-mentioned templates for ports 3, 4 and 5.

For port 3

ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Serverpermit3
 match ip address client1port3
 action forward
!
vlan filter Serverpermit3 vlan-list 2

For port 4

ip access-list extended client1port4
 permit ip 172.16.51.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.51.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map serverpermit 10
 match ip address client1port4
 action forward

For port 5

ip access-list extended client1port5
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map serverpermit 20
 match ip address client1port5
 action forward
!
vlan filter serverpermit vlan-list 2    (for all ports from port 3 to 48)

Please check my above configuration templates; are they right, or do they need any changes??

Thanks in adv,

Vaib...

Hi Vaibhav,

Check out the config below; just add sequence numbers also when deploying the VLAN access map, and the VLAN access map needs to be the same for all the ACLs, as the sequence numbers will be followed for the ACLs.

ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 10
 match ip address client1port3
 action forward

For port 4

ip access-list extended client1port4
 permit ip 172.16.51.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.51.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 20
 match ip address client1port4
 action forward

For port 5

ip access-list extended client1port5
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 30
 match ip address client1port5
 action forward
!
vlan filter Permittedips vlan-list 2

Hope this helps out your problem !!

Regards

Ganesh.H

Dear Ganesh,

Thank you very much for your extremely great support; I very much appreciate it.

Now I will try to do this within a couple of days and then let you know what happened.

Thanks Once again!!!

Cheers!!!

Vaib...

Dear Ganesh,

I made the below-mentioned configuration templates for customers at three different locations on the Cisco 3550, for three different ports: 3, 4, 5.

Should I also need to apply on the interfaces:

ip access-group Sanchar in (on port 3)??

ip access-group AD in (on port 4)??

ip access-group TELECOM in (on port 5)??

Because if port 3 (Sanchar) customers are given by mistake an IP address from the AD DSLAM range, they can access 172.16.0.1 and .2, I think, because they are in the same VLAN.

Because if they (port 3 customers) are given an IP address from the port 4 IP range, at that time they should not be allowed to access both servers; or if port 5 users are given an IP address from the port 3 range, at that time they also need to be denied access to both servers.

For Sanchar DSLAM (port 3)

ip access-list extended Sanchar
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 1
 match ip address Sanchar
 action forward

For AD DSLAM (port 4)

ip access-list extended AD
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.30.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.30.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 2
 match ip address AD
 action forward

For TELECOM DSLAM (port 5)

ip access-list extended TELECOM
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.32.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.32.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 3
 match ip address TELECOM
 action forward
!
vlan filter Permittedips vlan-list 2

Thanks in ADV,

Vaib...

Hi Vaibhav,

As for applying a VACL: it applies only to a VLAN, not to any port like a normal ACL, and as you have already stated, all your ports are in the same VLAN, that is 2.

So as per the configuration below, the three ACLs will be checked sequence-wise once you apply that VLAN access map to VLAN 2.

I will just clarify with one example from your config:-

ip access-list extended Sanchar
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 1
 match ip address Sanchar
 action forward
!
vlan filter Permittedips vlan-list 2

The above sample config will work as follows: whenever there is traffic in VLAN 2 from a permitted source IP to the specific destination, it will be permitted, and all other traffic will be denied.

All the traffic coming into VLAN 2 will go through the VLAN access map with the matched IP access list, and if it matches, the action will be taken as per the VLAN access map.

Hope that clear your doubt and query !!

Regards

Ganesh.H

Dear Ganesh,

But sir, suppose port 3 customers (Sanchar) are given an IP address from the port 4 range (AD); after that they can also access both servers, OK.

I need that if port 3 customers are given by mistake an IP address from the port 4 range, then they cannot access both servers; that's why I need to

apply the ip access-group xxxx in command.

What do you suggest to me??

Please guide me.

Thanks in ADV,

Vaib...
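The VLAN access-map evaluation Ganesh describes above (the ACLs checked sequence-wise, permit entries defining the match, an implicit drop at the end of the map) and the per-port question Vaibhav raises, as an added example that is not part of the thread: a small Python model of IOS wildcard-mask matching, first-match ACL lookup and VACL clause evaluation, built on the thread's addressing (customer subnets 172.16.47.0/24, 172.16.51.0/24 and 172.16.49.0/24; billing servers 172.16.0.1 and 172.16.0.2). The port names and the inbound port-ACL mapping are assumptions made for illustration. It shows three things the config listings alone do not: the VACL forwards a port-3 host that uses a port-4 address, because the map has no notion of the ingress port; an inbound ACL on the ingress port is what enforces the subnet-to-port binding; and, because a VLAN map is applied to every packet bridged in the VLAN regardless of direction, the ACLs as written also drop the servers' reply traffic unless a clause permits it.

```python
"""Model of IOS extended-ACL matching and VLAN access-map (VACL) evaluation.

Added example, not code from the thread or from Cisco. The semantics follow
the behaviour described in the thread: wildcard masks, first-match ACLs with
an implicit deny, and an access map whose ACLs only classify packets.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass(frozen=True)
class Ace:
    """One entry: permit|deny ip <src> <src-wc> <dst> <dst-wc>."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation with the implicit 'deny ip any any' IOS appends."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


# An access map is a list of (sequence, acl, action); action is forward or drop.
AccessMap = List[Tuple[int, List[Ace], str]]


def vacl_lookup(access_map: AccessMap, src: str, dst: str) -> str:
    """VLAN access-map semantics: the ACL in each clause only classifies.

    A permit ACE means the clause matches and its action applies; a deny ACE
    (or the implicit deny) means 'not this clause', so evaluation moves on to
    the next sequence number. A packet matching no clause hits the implicit
    drop at the end of the map.
    """
    for _seq, acl, action in sorted(access_map, key=lambda clause: clause[0]):
        if acl_lookup(acl, src, dst) == "permit":
            return action
    return "drop"


def subnet_to_servers(subnet: str) -> List[Ace]:
    """The ACL pattern from the thread: <subnet>/24 -> each server, then deny any."""
    return [
        Ace("permit", subnet, "0.0.0.255", "172.16.0.1", "0.0.0.0"),
        Ace("permit", subnet, "0.0.0.255", "172.16.0.2", "0.0.0.0"),
        Ace("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    ]


# Constructed from the thread: port 3 = 172.16.47.0/24, port 4 = 172.16.51.0/24, port 5 = 172.16.49.0/24.
CLIENT1PORT3 = subnet_to_servers("172.16.47.0")
CLIENT1PORT4 = subnet_to_servers("172.16.51.0")
CLIENT1PORT5 = subnet_to_servers("172.16.49.0")

# vlan access-map Permittedips 10/20/30, each "action forward", filtered onto VLAN 2.
PERMITTEDIPS: AccessMap = [
    (10, CLIENT1PORT3, "forward"),
    (20, CLIENT1PORT4, "forward"),
    (30, CLIENT1PORT5, "forward"),
]

# Hypothetical inbound port ACLs ("ip access-group <name> in" on each access port).
PORT_ACLS: Dict[str, List[Ace]] = {
    "Fa0/3": CLIENT1PORT3,
    "Fa0/4": CLIENT1PORT4,
    "Fa0/5": CLIENT1PORT5,
}


def ingress_decision(port: str, src: str, dst: str, use_port_acls: bool) -> str:
    """Decision for a packet entering `port` in VLAN 2.

    The inbound port ACL (if enabled) is consulted first; only then does the
    VLAN-wide map see the packet. The map itself never learns the ingress
    port, which is why it alone cannot bind a subnet to a port.
    """
    if use_port_acls and port in PORT_ACLS:
        if acl_lookup(PORT_ACLS[port], src, dst) != "permit":
            return "drop (port ACL)"
    return vacl_lookup(PERMITTEDIPS, src, dst)


if __name__ == "__main__":
    cases = [
        ("Fa0/3", "172.16.47.10", "172.16.0.1"),    # port-3 customer, own subnet
        ("Fa0/3", "172.16.47.10", "172.16.51.20"),  # customer to another customer
        ("Fa0/3", "172.16.51.10", "172.16.0.1"),    # port-3 customer using a port-4 address
        ("Fa0/1", "172.16.0.1", "172.16.47.10"),    # server reply back to the customer
    ]
    for port, src, dst in cases:
        print(f"{port} {src:>13} -> {dst:<13} VACL only: {ingress_decision(port, src, dst, False):<8}"
              f" with port ACL: {ingress_decision(port, src, dst, True)}")
```

Running the script prints the four constructed cases. The third line is the situation Vaibhav describes: with the VACL alone the misaddressed port-3 host is forwarded by clause 20, while the inbound port ACL drops it. The fourth line is the caveat to keep in mind with this design: the map is not direction-aware, so the server's reply into VLAN 2 matches no permit entry and is dropped; a clause permitting the servers' return traffic is needed for a working flow.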
