Extended Access-list help in cisco 3550

csawest.dc (Level 3)

Dear Experts,

Please help me regarding extended access-lists.

We are using a Cisco 3550 (48P) in our HQ. In this switch, interface ports 1 & 2 are connected to the billing/authentication servers as an uplink.

All our users authenticate to both servers and then access the internet; the users are connected to interface ports 3 to 48.

All the ports are in the same VLAN, including interface ports 1 & 2.

On ports 3 to 48 many users are connected to each interface, approximately 40 users per interface, to authenticate to both servers and then access the internet.

We have given an IP range per port, e.g. on interface port 3 (IP range 172.16.45.1 to 254 and 172.16.46.1 to 254) and on interface port 4 (IP range 172.16.47.1 to 254 and 172.16.48.1 to 254).

ALL THE IP ADDRESSES ARE ASSIGNED ON THE CUSTOMERS' PCs, NOT CONFIGURED ON AN INTERFACE IN THE CISCO 3550.

We require that on interface port 3 users can access both our servers (172.16.0.1 and 172.16.0.2) and the internet only, and are denied access to the IPs of interface port 4, and the same thing on port 4.

But if, by mistake, our customer uses the IP range of interface 3 (172.16.45.1 to 254) on a PC connected to port 4, I need to deny access to both servers, and vice versa.

We are able to apply the ACL on my switch on an interface only inbound (ip access-group abc in), not outbound.

So how can I do this?

Please help me.

Thanks in advance,

Vaib...

4 Replies

Jon Marshall (Hall of Fame), accepted solution

Vaib

Why do you need to apply the ACL in an outbound direction? For your requirements I would have thought an inbound port ACL would be enough. As you say, the 3550 does not support port ACLs in the outbound direction.

Could you clarify why an inbound port ACL is not enough?

Jon

Ganesh Hariharan (VIP Alumni), accepted solution

Hi Vaibhav,

As suggested by Jon, an inbound ACL will do the job and is easier for implementation and troubleshooting purposes.

Check out the link below for ACL implementation:

http://cisco.biz/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swacl.html

Hope to help!!

Ganesh.H

Dear Jon, Ganesh,

Thanks a lot to both of you. My problem is solved by a standard ACL; please see the config below.

For port 3:

switch(config)#ip access-list standard abc
switch(config-std-nacl)#permit 172.16.45.0 0.0.0.255
switch(config-std-nacl)#permit 172.16.46.0 0.0.0.255

For port 4:

switch(config)#ip access-list standard xyz
switch(config-std-nacl)#permit 172.16.47.0 0.0.0.255
switch(config-std-nacl)#permit 172.16.48.0 0.0.0.255

Then apply them on the interfaces: on port 3 (ip access-group abc in) and on port 4 (ip access-group xyz in).

These IP addresses can access both hosts (172.16.0.1 and .2) and the internet only.

Thanks once again!!!

Cheers!!!

Vaib...

Hi Vaibhav,

As your requirement in the thread above was:

"we require that on interface port 3 users can access both our servers (172.16.0.1 and 172.16.0.2) and the internet only, and are denied access to the IPs of interface port 4, and the same thing on port 4"

I would suggest you configure an extended ACL with the destination specified for each specific source IP address.

Hope to help!!

Ganesh.H
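To see why Ganesh keeps pointing at an extended ACL, it helps to check the posted standard ACL and a destination-aware extended ACL against the thread's stated requirement offline. The Python below is an added example, not code from the thread or from Cisco: it parses the small subset of IOS ACL syntax used in this discussion (standard and extended "permit"/"deny ip" entries with any/host/wildcard) and evaluates constructed sample flows the way an inbound port ACL on the 3550 does, first match wins and implicit deny at the end. The extended ACL name "port3-in" and its line order are assumptions made for this example, and 203.0.113.5 is a constructed stand-in for "the internet".

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# The standard ACL Vaibhav posted for port 3, transcribed from the thread.
STANDARD_ABC = """\
ip access-list standard abc
 permit 172.16.45.0 0.0.0.255
 permit 172.16.46.0 0.0.0.255
"""

# An extended ACL for port 3 along the lines Ganesh suggests. The name
# "port3-in" and the exact line order are assumptions for this example.
EXTENDED_PORT3 = """\
ip access-list extended port3-in
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.46.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.46.0 0.0.0.255 host 172.16.0.2
 deny   ip any 172.16.47.0 0.0.0.255
 deny   ip any 172.16.48.0 0.0.0.255
 permit ip 172.16.45.0 0.0.0.255 any
 permit ip 172.16.46.0 0.0.0.255 any
"""

# Constructed flows entering port 3 with the verdict the requirement calls
# for: servers and internet allowed, port 4's ranges denied, and a port 4
# address plugged into port 3 denied everywhere. 203.0.113.5 = "internet".
PORT3_FLOWS = [
    ("172.16.45.10", "172.16.0.1", "permit"),
    ("172.16.46.200", "172.16.0.2", "permit"),
    ("172.16.45.10", "203.0.113.5", "permit"),
    ("172.16.45.10", "172.16.47.20", "deny"),
    ("172.16.46.10", "172.16.48.20", "deny"),
    ("172.16.47.20", "172.16.0.1", "deny"),
    ("172.16.47.20", "203.0.113.5", "deny"),
]


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' (0 bits must match) -> network; contiguous only."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - host_bits), strict=False)


def _address_spec(tokens, i, standard):
    """Parse one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if standard and i + 1 >= len(tokens):
        return ipaddress.IPv4Network(tok + "/32"), i + 1  # bare address = host
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse 'ip access-list standard|extended NAME' and its entries into Aces."""
    kind, aces = None, []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[:2] == ["ip", "access-list"]:
            kind = tokens[2]
            continue
        if tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw!r}")
        if kind == "extended":
            if tokens[1] != "ip":
                raise ValueError(f"only 'ip' entries handled: {raw!r}")
            src, i = _address_spec(tokens, 2, standard=False)
            dst, _ = _address_spec(tokens, i, standard=False)
        else:
            src, _ = _address_spec(tokens, 1, standard=True)
            dst = ANY  # a standard ACL only looks at the source address
        aces.append(Ace(tokens[0], src, dst))
    return aces


def evaluate(aces, src_ip: str, dst_ip: str) -> str:
    """'permit' or 'deny' for one packet: first matching entry wins."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"  # the implicit deny at the end of every IOS ACL


def violations(acl_text: str, flows) -> list:
    """Flows whose verdict differs from the requirement: (src, dst, wanted, got)."""
    aces = parse_acl(acl_text)
    out = []
    for src, dst, wanted in flows:
        got = evaluate(aces, src, dst)
        if got != wanted:
            out.append((src, dst, wanted, got))
    return out


if __name__ == "__main__":
    for name, acl in (("standard abc", STANDARD_ABC), ("extended port3-in", EXTENDED_PORT3)):
        print(name, "violations:", violations(acl, PORT3_FLOWS))
```

Run as-is, the standard ACL reports two violations (a 172.16.45.x or 172.16.46.x host can still reach port 4's 172.16.47.x/172.16.48.x ranges, because a standard ACL never looks at the destination), while the extended ACL reports none. Both ACLs handle the "vice versa" case the same way: a 172.16.47.x address plugged into port 3 matches no permit entry and falls to the implicit deny. Since every port is in one VLAN, that intra-VLAN traffic never crosses a router, so the inbound port ACL on the ingress port is the only place it can be filtered, which is why Jon's inbound-only answer is sufficient here. Note that the trailing "permit ... any" entries still allow port 3's users to reach the ranges of user ports other than port 4; isolating every customer port from every other one means a deny entry per foreign range on each port's ACL.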
