How can I Block Traffic on Trunk Port - Pls help.

Unanswered Question
Jan 12th, 2010

Dear Experts,

I am attaching a snap for your ref.

I want to block traffic at Trunk between two Distribution.

I need to allow only specific traffic from the Backbone onto the 2nd Distribution and the network below it. How can I do this? Pls help.

I need that only:

10.0.0.1 to 10.0.0.10 can access 10.0.254.0 segment

10.0.190.50 can access 10.0.254.0 segment

10.0.255.0 segment can access 10.0.254.0 segment

Rest of the traffic cannot access the 10.0.254.0 segment.

I cannot apply an ACL on the Dist 2 switch as it is a Nortel 1612 switch.

I want to apply the ACL on the Dist 1 downlink port.

Please help.

Dipesh P.

Giuseppe Larosa Tue, 01/12/2010 - 09:59

Hello Dipesh,

You should be able to apply an extended ACL on the SVI (L3 VLAN interface) of the distribution device.

Eventually you may need to apply several different ACLs to different SVIs.

PS: I wish you a happy new year!

Hope to help

Giuseppe

prakadeesh Wed, 01/13/2010 - 02:18

Hi Giuseppe/Dipesh,

If the dist switch has access to the VLAN info (I mean L2), wouldn't a VLAN ACL on that particular VLAN segment (10.0.254.0), provided it is a separate VLAN, also address the issue? I stand to be corrected.

thanks,

Prakadeesh

Dipesh Patel Wed, 01/13/2010 - 10:31

hi,

Happy New Year to you also.

Yes, if I apply the ACL on the SVI on Dist 2 then it works, but my problem is that Dist 2 is a Nortel switch and I cannot apply an ACL on its SVI. So I need to block the traffic by applying an ACL on the trunk port of Dist 1.

E.g.

Dist 1 UPLINK Info:

Gi0/25 --- Uplink trunk from Backbone SW

Gi0/26 --- Downlink to Dist 2 (Nortel, with e.g. the 10.0.2.0/24 segment)

Now on the Nortel switch I cannot do anything. So I need to block traffic from reaching the 10.0.2.0/24 segment VLAN, which is created on the Nortel switch.

I tried one ACL and applied it on trunk Gi0/26 in the inbound direction, but it has no effect.

ACL:

    ip access-list extended TEST
     permit ip 10.0.2.0 0.0.0.255 host 10.50.50.1
     permit ip 10.0.2.0 0.0.0.255 host 10.50.50.10
     permit ip 10.0.2.0 0.0.0.255 host 10.50.50.115
     permit ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
     permit udp any any

    interface Gi0/26
     switchport mode trunk
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,2
     switchport trunk native vlan 2
     ip access-group TEST in

But it is not working; there is no effect.

Dear all, pls suggest how I can do it. Is anything missing in my ACL config?

Pls suggest.

Dipesh P.

rdseayjr1 Tue, 11/29/2016 - 18:40

I know that this is old, but the issue is likely that you applied the access list in the wrong direction. Most likely you would have needed to place the access list on the port accessing the network you want to restrict access from, in the out direction.

Ganesh Hariharan Wed, 01/13/2010 - 02:41

Hi,

For your problem I would suggest configuring port-based ACLs on the switches. Port ACLs are similar to router ACLs but are supported on physical interfaces and configured on Layer 2 interfaces of a switch. Port ACLs support only inbound traffic filtering. A port ACL can be configured as one of three types of access list: standard, extended, and MAC-extended.

Processing of a port ACL is similar to that of router ACLs; the switch examines the ACLs associated with features configured on a given interface and permits or denies packet forwarding based on the packet-matching criteria in the ACL.

When applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When applied to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.

The main benefit of port ACLs is that they can filter IP traffic (using IP access lists) and non-IP traffic (using MAC access lists). Both types of filtering can be achieved at once, that is, a Layer 2 interface can have both an IP access list and a MAC access list applied to it at the same time.

Check out the link below for configuring port-based ACLs; hope that helps with your query!!

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1119764

Regards

Ganesh.H

Dipesh Patel Thu, 01/14/2010 - 08:19

Dear Ganesh / Giuseppe,

I understand port-based ACLs and tried to implement one as shown in my previous post. But it is not working.

Can you help me make it work? Is there any error in it?

Regards,

Ganesh Hariharan Fri, 01/15/2010 - 03:18

Hi Dipesh,

As per your requirement below:

10.0.0.1 to 10.0.0.10 can access 10.0.254.0 segment

10.0.190.50 can access 10.0.254.0 segment

10.0.255.0 segment can access 10.0.254.0 segment

and as per the diagram, traffic from 10.0.0.1 to 10.0.254.0 is coming in on one port, 10.0.190.50 is coming in on a different port, and 10.0.255.0 is coming in on a different port.

I would suggest you create three different ACLs and apply them in the in direction on the ports where that traffic enters the distribution switch.

Hope that clears your query!!

Regards

Ganesh.H
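A worked version of what Ganesh and rdseayjr1 describe, added here as an example and not posted by anyone in the thread: a Catalyst port ACL is inbound-only, so the list has to sit on the port where traffic enters Dist 1 and match the destination segment; the list in Dipesh's post, applied inbound on the downlink Gi0/26, only ever sees return traffic sourced from the segment, which is why it had no effect. Gi0/25 comes from Dipesh's post, the ACL name is made up, and if the three sources enter on separate ports as Ganesh reads the diagram, the same list is applied inbound on each of them.

```ios
! Added example (not from the thread). Catalyst IOS, Dist 1 switch.
! Goal from the original question: only 10.0.0.1-10.0.0.10, 10.0.190.50
! and 10.0.255.0/24 may reach 10.0.254.0/24; everything else to that
! segment is dropped, all other traffic crossing the trunk is untouched.
ip access-list extended TO-10-0-254
 remark 10.0.0.1-10.0.0.10: no single wildcard covers this range,
 remark so it is split into host entries and power-of-two blocks
 permit ip host 10.0.0.1        10.0.254.0 0.0.0.255
 permit ip 10.0.0.2 0.0.0.1     10.0.254.0 0.0.0.255
 permit ip 10.0.0.4 0.0.0.3     10.0.254.0 0.0.0.255
 permit ip 10.0.0.8 0.0.0.1     10.0.254.0 0.0.0.255
 permit ip host 10.0.0.10       10.0.254.0 0.0.0.255
 remark single management host and the whole 10.0.255.0/24 segment
 permit ip host 10.0.190.50     10.0.254.0 0.0.0.255
 permit ip 10.0.255.0 0.0.0.255 10.0.254.0 0.0.0.255
 remark explicit deny for the protected segment, so the rule is visible
 remark in show access-lists hit counters
 deny   ip any                  10.0.254.0 0.0.0.255
 remark without this line the implicit deny would also drop traffic
 remark for every other VLAN carried over the trunk
 permit ip any any
!
interface GigabitEthernet0/25
 description Uplink trunk from backbone - where the filtered sources enter Dist 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip access-group TO-10-0-254 in
!
! Return traffic from 10.0.254.0/24 arrives on Gi0/26 and is never matched
! by this list (the ACL is stateless and inbound on Gi0/25 only), so no
! second list is needed for the reply direction.
```

Verify with "show ip access-lists TO-10-0-254" after generating test traffic: the per-entry match counters should increase on the permit lines for allowed sources and on the deny line for anything else bound for 10.0.254.0/24.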
