Extended Access-list help in cisco 3550

Answered Question
May 1st, 2010

Dear Experts,

Please help me regarding extended access lists.

We are using a Cisco 3550 (48P) in our HQ. In this switch, interface ports 1 & 2 are connected to the billing authentication servers as an uplink.

All our users authenticate to both servers and then access the internet; they are connected on interface ports 3 to 48.

All the ports are in the same VLAN, including interface ports 1 & 2.

On ports 3 to 48 many users are connected to each interface, approx. 40 users per interface, to authenticate to both servers and then access the internet.

We have assigned an IP range per port, e.g. on interface port 3 (IP range 172.16.45.1 to 254 and 172.16.46.1 to 254)

and on interface port 4 (IP range 172.16.47.1 to 254 and 172.16.48.1 to 254).

ALL THE IP ADDRESSES ARE ASSIGNED ON THE CUSTOMERS' PCs, NOT CONFIGURED ON AN INTERFACE OF THE CISCO 3550.

We require that on interface port 3 users can access both our servers (172.16.0.1 and 172.16.0.2) and the internet only, and are denied the IPs of interface port 4,

and the same thing on port 4.

But if, by mistake, our customers use the IP range of interface 3 (172.16.45.1 to 254) on a PC connected to port 4, I need to deny access to both servers, and vice versa.

We are able to apply an ACL in my switch on the interface inbound only (ip access-group abc in), not outbound.

So how can I do this?

Please help me.

Thanks in ADV,

Vaib...

Correct Answer
Jon Marshall Sat, 05/01/2010 - 02:36

Vaib

Why do you need to apply the ACL in an outbound direction? For your requirements I would have thought an inbound port ACL would be enough. As you say, the 3550 does not support port ACLs in the outbound direction.

Could you clarify why an inbound port ACL is not enough?

Jon

Correct Answer
Ganesh Hariharan Sat, 05/01/2010 - 08:33

Hi Vaibhav,

As suggested by Jon, an inbound ACL will do the job and is easier for implementation and troubleshooting purposes.

Check out the link below for ACL implementation:

http://cisco.biz/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swacl.html

Hope to Help !!

Ganesh.H

csawest.dc Sun, 05/02/2010 - 00:50

Dear Jon , Ganesh,

Thanks a lot to both of you. My problem is solved by a standard ACL, please see the config below.

For port 3:

switch(config)#ip access-list standard abc

switch(config-std-nacl)#permit 172.16.45.0 0.0.0.255

switch(config-std-nacl)#permit 172.16.46.0 0.0.0.255

For port 4:

switch(config)#ip access-list standard xyz

switch(config-std-nacl)#permit 172.16.47.0 0.0.0.255

switch(config-std-nacl)#permit 172.16.48.0 0.0.0.255

Then apply it on the interface: on port 3 (ip access-group abc in) and on port 4 (ip access-group xyz in).

These IP addresses can then access both hosts (172.16.0.1 and .2) and the internet only.

Thanks once again!!!

Cheers!!!

Vaib...

Ganesh Hariharan Sun, 05/02/2010 - 07:58

Hi Vaibhav,

As your requirement in the above thread was:

"We required on interface port 3 users to access both our servers (172.16.0.1 and 172.16.0.2) and the internet only, and deny the IPs of interface port 4, and the same thing on port 4."

So I would suggest you configure an extended ACL with the destination specified for each specific source IP address.

Hope to Help !!

Ganesh.H
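Worked example of what Ganesh is suggesting, added here and not part of the thread: an inbound extended port ACL for ports 3 and 4 that, unlike the standard ACLs posted above, matches on destination as well as source, so port-3 customers reach only the two servers and the internet while the port-4 customer ranges are denied (and the reverse on port 4). The interface names FastEthernet0/3 and 0/4 and the ACL names PORT3-IN / PORT4-IN are assumptions.

```cisco
! Constructed example (not from the thread). Interface names are assumed.
ip access-list extended PORT3-IN
 remark port-3 sources may reach the two billing servers
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.46.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.46.0 0.0.0.255 host 172.16.0.2
 remark ...but not the port-4 customer ranges (a standard ACL cannot express this)
 deny   ip 172.16.45.0 0.0.0.255 172.16.47.0 0.0.0.255
 deny   ip 172.16.45.0 0.0.0.255 172.16.48.0 0.0.0.255
 deny   ip 172.16.46.0 0.0.0.255 172.16.47.0 0.0.0.255
 deny   ip 172.16.46.0 0.0.0.255 172.16.48.0 0.0.0.255
 remark everything else from a valid port-3 source is internet-bound
 permit ip 172.16.45.0 0.0.0.255 any
 permit ip 172.16.46.0 0.0.0.255 any
 remark implicit deny: any other source address seen on port 3 is dropped
!
ip access-list extended PORT4-IN
 remark mirror image for the port-4 ranges
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.47.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.48.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.48.0 0.0.0.255 host 172.16.0.2
 deny   ip 172.16.47.0 0.0.0.255 172.16.45.0 0.0.0.255
 deny   ip 172.16.47.0 0.0.0.255 172.16.46.0 0.0.0.255
 deny   ip 172.16.48.0 0.0.0.255 172.16.45.0 0.0.0.255
 deny   ip 172.16.48.0 0.0.0.255 172.16.46.0 0.0.0.255
 permit ip 172.16.47.0 0.0.0.255 any
 permit ip 172.16.48.0 0.0.0.255 any
!
interface FastEthernet0/3
 ip access-group PORT3-IN in
!
interface FastEthernet0/4
 ip access-group PORT4-IN in
```

Entries are evaluated top to bottom and the first match wins, so the deny lines must sit above the final "permit ... any" entries. The implicit deny at the end of each list is what drops a PC that has been given a port-3 address but plugged into port 4 (or vice versa), which covers the mistaken-address case from the original question.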
