12-19-2009 02:48 AM - edited 03-06-2019 09:01 AM
Dear Experts,
I need to deny an IP address range per interface on a Cisco 3550 48P switch, using a named access-list.
My diagram is given below.
interface port 1 uplink
interface port 2 uplink
interface ports 3 to 48 connected to different IP DSLAMs of different customers.
interface port 3 customers' IP range from 172.16.47.1 to 254
interface port 4 customers' IP range from 172.16.51.1 to 254
interface port 5 customers' IP range from 172.16.49.1 to 254
All the interface ports are in the same VLAN (VLAN 2).
I need, on interface port 3, to deny the IP range 172.16.51.1 to 254 (which is port 4's customers) and 172.16.49.1 to 254 (which is port 5's customers);
on interface port 4, to deny the IP range 172.16.47.1 to 254 (which is port 3's customers) and 172.16.49.1 to 254 (which is port 5's customers);
on interface port 5, to deny the IP range 172.16.47.1 to 254 (which is port 3's customers) and 172.16.51.1 to 254 (which is port 4's customers).
How can I make a named access-list to deny IP addresses per interface?
We assigned all the IP addresses on the customers' PCs, not on the Cisco 3550 switch.
So how can I deny IP addresses with an access-list: on interface port 3 deny the IP ranges of interface ports 4 and 5, and on interface port 4 deny the IP ranges of ports 3 and 5?
So please help me regarding the above-mentioned details.
Thanks in ADV,
Vaib...
12-23-2009 11:09 PM
Hi Vaibhav,
It should work; just check for a deny mac-address, as you are applying it on all interfaces, because the ACL-permitted IP does not have the same MAC address.
Before doing any changes, take a complete backup of the switch and also have a rollback plan in hand.
All the best !!
Regards
Ganesh.H
12-19-2009 03:44 AM
ip access-list extended badabing
 permit ip any 172.16.47.0 0.0.0.255
 deny ip any any
!
interface FastEthernet0/3
 ip access-group badabing out
!
ip access-list extended badaboom
 permit ip any 172.16.51.0 0.0.0.255
 deny ip any any
!
interface FastEthernet0/4
 ip access-group badaboom out
!
ip access-list extended kapow
 permit ip any 172.16.49.0 0.0.0.255
 deny ip any any
!
interface FastEthernet0/5
 ip access-group kapow out
There's an explicit deny any any at the end, so the ACLs allow only the IP addresses you want and the rest is denied.
12-19-2009 06:26 AM
Hi Vaibhav,
I have a few queries. You said you want to deny IP addresses per port, but as per your statement below:
My diagram as given bellow.
interface Port 1 uplink
interface Port 2 uplink
interface port 3 to 48 connected with different IP DSLAMs to different customers.
interface port 3 customers ip range from 172.16.47.1 to 254
interface port 4 customers ip range from 172.16.51.1 to 254
interface port 5 customers ip range from 172.16.49.1 to 254
all the interface ports are in same VLAN (Vlan-2)
Are all these ports L2 ports assigned to VLAN 2, or are all these ports assigned an IP address in the above-mentioned ranges?
Please clarify !!
Regards
Ganesh.H
12-19-2009 11:06 PM
Dear Ganesh,
All these ports are L2 ports and are assigned to VLAN 2 only; there is no IP address assigned on the VLAN 2 interface, because all the ports are connected to IP DSLAMs at different locations with different IP addresses.
Cisco 3550 port 1 is the uplink from billing server 1, IP 172.16.0.1.
Cisco 3550 port 2 is the uplink from billing server 2, IP 172.16.0.2.
The other interfaces, ports 3 to 48, are connected to IP DSLAMs as uplinks at different locations.
We need: on interface port 3, customers' IPs 172.16.47.1 to 254 and both server IPs 172.16.0.1 and 172.16.0.2 allowed, and the other interface ports' IPs denied;
on interface port 4, IPs 172.16.51.1 to 254 and both server IPs 172.16.0.1 and 172.16.0.2 allowed, and the other interface ports' IPs denied.
So please help me with how I can make this.
All the IP addresses are assigned on the customers' PCs only, not on the VLAN interface or the interface ports.
Thanks in ADV,
Vaib...
12-20-2009 04:24 AM
Hi Vaibhav,
As per my understanding, all ports are in the same VLAN 2, but each port is connected to a different IP subnet.
Try configuring a VLAN access-map for permitting certain traffic inside a VLAN and denying the rest.
Check out the link below; hope this helps.
Regards
Ganesh.H
12-20-2009 09:41 PM
Dear Ganesh,
Thanks for your great help,
But unfortunately I don't understand how I can configure a VLAN map on the Cisco 3550 in global mode and also in interface mode.
In this switch, port 1 is the uplink from billing server 1 (IP 172.16.0.1) and interface port 2 is the uplink from billing server 2 (IP 172.16.0.2).
My requirement is that the users on switchports 3 to 48 need to access both servers, OK.
The users on interface ports 3 to 48 have different IP pools, assigned on their PCs only.
All the interfaces from 1 to 48 have access VLAN 2 only.
Interface port 3 permits only both servers' IPs (172.16.0.1 and 172.16.0.2) and its customers (172.16.47.1 to 254); other IP addresses need to be denied.
Interface port 4 permits only both servers' IPs (172.16.0.1 and 172.16.0.2) and its customers (172.16.51.1 to 254); other IP addresses need to be denied.
So please help me regarding the above-mentioned details.
Thanks in ADV,
Vaib...
12-20-2009 10:18 PM
Hi Vaibhav,
As you said, all switch ports are in the same VLAN 2, right, but the IP addresses connected to ports 3 to 48 are different.
Create an access-list for every subnet; let me share one example with you:
ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 remark replies from the servers cross the same VLAN map and must be forwarded too
 permit ip host 172.16.0.1 172.16.47.0 0.0.0.255
 permit ip host 172.16.0.2 172.16.47.0 0.0.0.255
!
vlan access-map Serverpermit
 match ip address client1port3
 action forward
!
vlan filter Serverpermit vlan-list 2
The above VLAN access-map needs to be applied to VLAN 2; it will permit traffic only to the two servers, and the rest will be denied. So for every subnet you need to create an access-list and, in the above manner, permit it only for the specific servers; the implicit deny will be there, so nothing else can communicate.
Hope this will help your query !!
Regards
Ganesh.H
12-20-2009 11:06 PM
Dear Ganesh,
Dear Sir, I am confused again (sorry for that), because you said I need to apply it on VLAN interface 2.
ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
!
vlan access-map Serverpermit
 match ip address client1port3
 action forward
!
vlan filter Serverpermit vlan-list 2
The above VLAN access-map needs to be applied to VLAN 2, but Sir, all the ports (1 to 48) are accessed through VLAN 2. This VLAN access-map "Serverpermit" needs to apply on VLAN 2 for port 3 only; and for the others, from 4 to 48? Apply an access-map on interface VLAN 2? How can I?
Can I do this for port 3?
ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 any
 permit ip host 172.16.0.1 any
 permit ip host 172.16.0.2 any
 deny ip any any
and apply this access-list on interface port 3?
For port 4:
ip access-list extended client1port4
 permit ip 172.16.51.0 0.0.0.255 any
 permit ip host 172.16.0.1 any
 permit ip host 172.16.0.2 any
 deny ip any any
and apply this access-list on port 4?
Please let me know
Thanks in ADV,
Vaib...
12-20-2009 11:17 PM
Hi Vaibhav,
A VLAN access-map applies only to a VLAN. As per your requirement, all your ports are in a common VLAN, VLAN 2, with different IP subnets coming into the switch ports.
Create an extended IP access-list for port 3's IP subnet, permitting only the two servers; the rest will be denied.
ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 remark replies from the servers cross the same VLAN map and must be forwarded too
 permit ip host 172.16.0.1 172.16.47.0 0.0.0.255
 permit ip host 172.16.0.2 172.16.47.0 0.0.0.255
!
vlan access-map Serverpermit
 match ip address client1port3
 action forward
!
vlan filter Serverpermit vlan-list 2
As soon as you deploy the above config in VLAN 2, it will permit the IP subnet 172.16.47.0/24 to talk with the uplink servers only, and the rest will be denied.
So before applying the VLAN access-map, kindly check the ACL thoroughly for all subnets; otherwise traffic will be denied by the implicit deny statement.
As you can see in the last line, the VLAN access-map is applied to the VLAN in the switch.
Hope this helps
Regards
Ganesh.H
12-20-2009 11:48 PM
Dear Ganesh,
Please check my below-mentioned templates for ports 3, 4 and 5.
For port 3:
ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Serverpermit3
 match ip address client1port3
 action forward
!
vlan filter Serverpermit3 vlan-list 2
For port 4:
ip access-list extended client1port4
 permit ip 172.16.51.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.51.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map serverpermit 10
 match ip address client1port4
 action forward
For port 5:
ip access-list extended client1port5
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map serverpermit 20
 match ip address client1port5
 action forward
!
vlan filter serverpermit vlan-list 2 (for all ports from port 3 to 48)
Please check my above configuration templates: are they right, or do they need any changes?
Thanks in adv,
Vaib...
12-21-2009 01:25 AM
Hi Vaibhav,
Check out the config below. Just add the sequence number also when deploying the VLAN access-map, and the VLAN access-map needs to be the same for all ACLs, as the sequence numbers will be followed for the ACLs.
ip access-list extended client1port3
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 10
 match ip address client1port3
 action forward
For port 4:
ip access-list extended client1port4
 permit ip 172.16.51.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.51.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 20
 match ip address client1port4
 action forward
For port 5:
ip access-list extended client1port5
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 30
 match ip address client1port5
 action forward
!
ip access-list extended server-replies
 remark replies from the servers cross the same VLAN map; without this sequence they are dropped
 permit ip host 172.16.0.1 172.16.0.0 0.0.255.255
 permit ip host 172.16.0.2 172.16.0.0 0.0.255.255
!
vlan access-map Permittedips 40
 match ip address server-replies
 action forward
!
vlan filter Permittedips vlan-list 2
Hope this helps out your problem !!
Regards
Ganesh.H
12-21-2009 04:19 AM
Dear Ganesh,
Thank you very much for your extremely great support; I appreciate it very much.
Now I will try to do this within a couple of days and then let you know what happened.
Thanks Once again!!!
Cheers!!!
Vaib...
12-22-2009 09:33 PM
Dear Ganesh,
I made the below-mentioned configuration templates for three different locations' customers on the Cisco 3550, for three different ports: 3, 4 and 5.
Should I need to apply on the interface "ip access-group Sanchar in" (on port 3)?
"ip access-group AD in" (on port 4)?
"ip access-group TELECOM in" (on port 5)?
Because if port 3 (Sanchar) customers are by mistake given an IP address from the AD DSLAM's range, they can access 172.16.0.1 and .2, I think, because they are in the same VLAN.
Because if they (port 3 customers) are given an IP address from port 4's IP range, at that time they should not be allowed to access both servers; or if port 5 users are given an IP address from port 3's range, at that time they also need to be denied access to both servers.
For Sanchar DSLAM (port 3):
ip access-list extended Sanchar
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 1
 match ip address Sanchar
 action forward
For AD DSLAM (port 4):
ip access-list extended AD
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.30.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.30.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 2
 match ip address AD
 action forward
For TELECOM DSLAM (port 5):
ip access-list extended TELECOM
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.49.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.32.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.32.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 deny ip any any
!
vlan access-map Permittedips 3
 match ip address TELECOM
 action forward
!
vlan filter Permittedips vlan-list 2
Thanks in ADV,
Vaib...
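Rendering the VLAN access-map form of the three templates above from a table of ports and subnets, as an added example that is not code from this thread (Python, runs offline; the port/subnet table is reconstructed from the post, and the ACL name server-replies and the sequence numbers are my choices). It emits the customer-to-server ACLs, one map sequence per DSLAM with action forward, and a final sequence for the servers' replies, which a map that only permits customer-to-server traffic would drop, because VLAN maps filter every packet bridged within the VLAN. shared_subnets flags prefixes that appear behind more than one port (192.168.1.0/24 here): the map matches on addresses only, so it cannot tell those hosts' ports apart.

```python
"""Render the VLAN access-map (VACL) configuration for a Catalyst 3550 from a table of
DSLAM ports and their customer subnets.  Added example; the table below is
reconstructed from the thread and the object names are mine."""
import ipaddress
from collections import defaultdict

SERVERS = ["172.16.0.1", "172.16.0.2"]

# Switch port -> (ACL name, customer subnets reachable through that DSLAM).
DSLAMS = {
    3: ("Sanchar", ["172.16.45.0/24", "172.16.28.0/24", "192.168.1.0/24"]),
    4: ("AD",      ["172.16.47.0/24", "172.16.30.0/24", "192.168.1.0/24"]),
    5: ("TELECOM", ["172.16.49.0/24", "172.16.32.0/24", "192.168.1.0/24"]),
}


def wildcard(prefix):
    """IOS ACL entries take 'network wildcard' (the inverted mask), not a prefix length."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"{net.network_address} {net.hostmask}"


def customer_acl(name, subnets, servers):
    """Customer subnets to the billing servers only; the implicit deny covers the rest."""
    lines = [f"ip access-list extended {name}"]
    for subnet in subnets:
        for server in servers:
            lines.append(f" permit ip {wildcard(subnet)} host {server}")
    return lines


def reply_acl(name, dslams, servers):
    """Servers back to every customer subnet.  VLAN maps filter all packets bridged in
    the VLAN, so without this the replies match no forwarding sequence and are dropped."""
    subnets = sorted({s for _, nets in dslams.values() for s in nets})
    lines = [f"ip access-list extended {name}",
             " remark replies from the servers; the VLAN map drops them otherwise"]
    for server in servers:
        for subnet in subnets:
            lines.append(f" permit ip host {server} {wildcard(subnet)}")
    return lines


def map_sequence(map_name, seq, acl_name):
    return [f"vlan access-map {map_name} {seq}",
            f" match ip address {acl_name}",
            " action forward"]


def render_vacl(dslams, servers, vlan=2, map_name="Permittedips"):
    """Full VACL: one ACL and map sequence per DSLAM, a reply sequence, then the filter."""
    out, seq = [], 10
    for port in sorted(dslams):
        acl_name, subnets = dslams[port]
        out += customer_acl(acl_name, subnets, servers) + ["!"]
        out += map_sequence(map_name, seq, acl_name) + ["!"]
        seq += 10
    out += reply_acl("server-replies", dslams, servers) + ["!"]
    out += map_sequence(map_name, seq, "server-replies") + ["!"]
    out.append(f"vlan filter {map_name} vlan-list {vlan}")
    return "\n".join(out)


def shared_subnets(dslams):
    """Subnets that sit behind more than one port.  The map matches on addresses only,
    so hosts in a shared subnet are indistinguishable whichever port they use."""
    owners = defaultdict(set)
    for port, (_, subnets) in dslams.items():
        for subnet in subnets:
            owners[subnet].add(port)
    return {s: sorted(p) for s, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    print(render_vacl(DSLAMS, SERVERS))
    for subnet, ports in shared_subnets(DSLAMS).items():
        print(f"! warning: {subnet} is behind ports {ports}")
```

Adding a DSLAM is one more dictionary entry; the sequence numbers are regenerated in port order, and the reply sequence always lands last so that the vlan filter line stays the final statement. Review the shared-subnet warnings before pasting the output: a subnet behind two ports is forwarded by whichever sequence matches first, regardless of where the host is plugged in.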
12-22-2009 10:09 PM
Hi Vaibhav,
As for applying a VACL: it applies only to a VLAN, not to any port like a normal ACL, and as you have already stated, all your ports are in the same VLAN, VLAN 2.
So as per the configuration below, the three ACLs will be checked sequence-wise once you apply that VLAN access-map to VLAN 2.
I will just make it clear with one example from your config:
ip access-list extended Sanchar
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 remark replies from the servers cross the same VLAN map and must be forwarded too
 permit ip host 172.16.0.1 172.16.45.0 0.0.0.255
 permit ip host 172.16.0.2 172.16.45.0 0.0.0.255
 permit ip host 172.16.0.1 172.16.28.0 0.0.0.255
 permit ip host 172.16.0.2 172.16.28.0 0.0.0.255
 permit ip host 172.16.0.1 192.168.1.0 0.0.0.255
 permit ip host 172.16.0.2 192.168.1.0 0.0.0.255
 deny ip any any
!
vlan access-map Permittedips 1
 match ip address Sanchar
 action forward
!
vlan filter Permittedips vlan-list 2
The above sample config will work: whenever there is traffic from a permitted source IP in VLAN 2 to the specific destination, it will be permitted, and all other traffic will be denied.
All the traffic coming into VLAN 2 will go through the VLAN access-map with the matched IP access-list, and if matched there, action will be taken as per the VLAN access-map.
Hope that clears your doubt and query!
Regards
Ganesh.H
12-22-2009 10:24 PM
Dear Ganesh,
But Sir, suppose port 3 customers (Sanchar) are given an IP address from port 4's range (AD); then they can also access both servers, OK?
I need that if port 3 customers are given, by mistake, an IP address from port 4's range, then they cannot access both servers. That's why I need to
apply the "ip access-group xxxx in" command.
What do you suggest to me?
Please guide me.
Thanks in ADV,
Vaib...
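A small model of how the 3550 evaluates the two mechanisms discussed in this thread, added here as an example and not taken from any post (Python, runs offline; the packets and ACL text are constructed, server-replies is my name, and the evaluation rules follow the documented behaviour: an extended ACL takes the first matching entry with an implicit deny at the end; a VLAN map tries its sequences in order, a deny inside a sequence's ACL only means "no match, try the next sequence", and an IP packet that no forwarding sequence matches is dropped; an inbound port ACL consults only the ACL bound to the ingress port). It reproduces the case raised in the last post: a host on port 3 that sources a port-4 address is still forwarded by the VLAN map, which never sees the ingress port, but is denied by an inbound port ACL on port 3. The same model shows the map dropping the servers' replies unless a sequence permits them.

```python
"""Model of Catalyst 3550 extended-ACL, VLAN access-map and inbound port-ACL evaluation.
Added example with constructed data; it is not the thread's switch configuration."""
import ipaddress

ANY = (0, 0xFFFFFFFF)   # address 0 with an all-ones wildcard matches every address


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_ace(line):
    """Parse one 'permit|deny ip <src> <dst>' entry of an extended IP ACL.
    Each side is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard)."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    sides = []
    while rest:
        if rest[0] == "any":
            sides.append(ANY)
            rest = rest[1:]
        elif rest[0] == "host":
            sides.append((_ip(rest[1]), 0))
            rest = rest[2:]
        else:
            sides.append((_ip(rest[0]), _ip(rest[1])))
            rest = rest[2:]
    if len(sides) != 2:
        raise ValueError(f"expected a source and a destination: {line!r}")
    return action, sides[0], sides[1]


def _matches(addr, spec):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    base, wildcard = spec
    return (addr | wildcard) == (base | wildcard)


def acl_result(aces, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, sspec, dspec in aces:
        if _matches(s, sspec) and _matches(d, dspec):
            return action
    return "deny"


def vacl_result(vmap, acls, src, dst):
    """vmap is the ordered list of (acl_name, action) map sequences.  A packet that a
    sequence's ACL *permits* takes that sequence's action; a deny inside the ACL only
    means 'not this sequence', so the next one is tried.  An IP packet that no
    forwarding sequence matches is dropped, because the map has IP match clauses."""
    for acl_name, action in vmap:
        if acl_result(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"


def port_acl_result(port_acls, acls, ingress_port, src, dst):
    """Inbound port ACL: only the ACL bound to the port the packet arrived on is
    consulted, so the port, not just the address, decides."""
    name = port_acls.get(ingress_port)
    return "permit" if name is None else acl_result(acls[name], src, dst)


# Constructed configuration following the thread's naming.  'server-replies' is added
# here; without it the VLAN map drops the servers' answers (second packet below).
ACL_TEXT = {
    "client1port3": ["permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1",
                     "permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2",
                     "deny ip any any"],
    "client1port4": ["permit ip 172.16.51.0 0.0.0.255 host 172.16.0.1",
                     "permit ip 172.16.51.0 0.0.0.255 host 172.16.0.2",
                     "deny ip any any"],
    "server-replies": ["permit ip host 172.16.0.1 172.16.0.0 0.0.255.255",
                       "permit ip host 172.16.0.2 172.16.0.0 0.0.255.255"],
}
ACLS = {name: [parse_ace(l) for l in lines] for name, lines in ACL_TEXT.items()}
VMAP = [("client1port3", "forward"), ("client1port4", "forward")]      # map as posted
VMAP_WITH_REPLIES = VMAP + [("server-replies", "forward")]
PORT_ACLS = {3: "client1port3", 4: "client1port4"}   # 'ip access-group <name> in'

# Constructed packets: (ingress port, source, destination).
PACKETS = {
    "customer to server": (3, "172.16.47.10", "172.16.0.1"),
    "server reply": (1, "172.16.0.1", "172.16.47.10"),
    "port-4 address used on port 3": (3, "172.16.51.10", "172.16.0.1"),
}


def scenarios():
    """Verdict per packet: (VLAN map as posted, VLAN map with reply sequence, port ACL)."""
    return {
        name: (vacl_result(VMAP, ACLS, src, dst),
               vacl_result(VMAP_WITH_REPLIES, ACLS, src, dst),
               port_acl_result(PORT_ACLS, ACLS, port, src, dst))
        for name, (port, src, dst) in PACKETS.items()
    }


if __name__ == "__main__":
    for name, (vacl, vacl_replies, pacl) in scenarios().items():
        print(f"{name:32s} vacl={vacl:8s} vacl+replies={vacl_replies:8s} port-acl={pacl}")
```

The third packet is the one that matters for the question: the VLAN map forwards it because client1port4 permits 172.16.51.0/24 to the server and the map has no notion of which port the frame entered, while the inbound ACL on port 3 only permits 172.16.47.0/24 and denies it. Enforcing "this subnet only on this port" therefore needs the per-port inbound ACL; the VLAN map can still sit beside it to restrict which destinations any customer may reach.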