05-01-2010 12:57 AM - edited 03-06-2019 10:53 AM
Dear Experts,
Please help me regarding extended access-lists.
We are using a Cisco 3550 (48 port) in our HQ. In this switch, interface ports 1 & 2 are connected to the billing/authentication servers as an uplink.
All our users authenticate to both servers and then access the internet; the users are connected on interface ports 3 to 48.
All the ports are in the same VLAN, including interface ports 1 & 2.
On ports 3 to 48 many users are connected to each interface, approximately 40 users per interface, who authenticate to both servers and then access the internet.
We have given an IP range per port, e.g. on interface port 3 (IP range 172.16.45.1 to 254 and 172.16.46.1 to 254),
interface port 4 (IP range 172.16.47.1 to 254 and 172.16.48.1 to 254).
All the IP addresses are assigned on the customers' PCs, not configured on interfaces of the Cisco 3550.
We require that on interface port 3, users can access both our servers (172.16.0.1 and 172.16.0.2) and the internet only, and are denied access to the IPs of interface port 4,
and the same thing on port 4.
But suppose by mistake a customer connected on port 4 is given an IP from the range of interface 3 (172.16.45.1 to 254); I need to deny that access to both servers, and vice versa.
We are able to apply an ACL on an interface of my switch only inbound (ip access-group abc in), not outbound.
So how can I do this?
Please help me.
Thanks in advance,
Vaib...
05-01-2010 02:36 AM
Vaib,
Why do you need to apply the ACL in an outbound direction? For your requirements I would have thought an inbound port ACL would be enough. As you say, the 3550 does not support port ACLs in the outbound direction.
Could you clarify why an inbound port ACL is not enough?
Jon
05-01-2010 08:33 AM
Hi Vaibhav,
As suggested by Jon, an inbound ACL will do the job and is easier for implementation and troubleshooting purposes.
Check out the below link for ACL implementation.
Hope to help!!
Ganesh.H
05-02-2010 12:50 AM
Dear Jon, Ganesh,
Thanks a lot to both of you. My problem is solved by a standard ACL; please see the config below.
For port 3:
switch(config)#ip access-list standard abc
switch(config-std-nacl)#permit 172.16.45.0 0.0.0.255
switch(config-std-nacl)#permit 172.16.46.0 0.0.0.255
For port 4:
switch(config)#ip access-list standard xyz
switch(config-std-nacl)#permit 172.16.47.0 0.0.0.255
switch(config-std-nacl)#permit 172.16.48.0 0.0.0.255
Then apply on the interface: on port 3 (ip access-group abc in) and on port 4 (ip access-group xyz in).
These IP addresses can access both hosts, 172.16.0.1 and .2, and the internet only.
Thanks once again!!!
Cheers!!!
Vaib...
05-02-2010 07:58 AM
Hi Vaibhav,
As your requirement in the above thread was:
"we require that on interface port 3 users can access both our servers (172.16.0.1 and 172.16.0.2) and the internet only, and deny the IPs of interface port 4, and the same thing on port 4",
I would suggest you configure an extended ACL with the destination specified for each specific source IP address.
Hope to help!!
Ganesh.H
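To make the difference between the two designs in this thread concrete, here is an added example (not posted by any participant, and not Cisco code): a small Python evaluator for IOS-style standard and extended IPv4 ACLs, run over constructed packets as they would arrive inbound on port 3. It compares Vaib's standard ACL "abc" with an extended ACL of the kind Ganesh describes. The extended ACL's name (port3-in) and ordering are this example's choice, and it generalizes slightly: after permitting the two servers it denies the whole 172.16.0.0/16, which covers every other customer port rather than only port 4, and assumes the internet is reached via the two uplink servers or a gateway outside 172.16.0.0/16. Only the "ip" protocol keyword is handled.

```python
import ipaddress

# Added example, not from the thread: an evaluator for IOS-style IPv4 ACLs
# (standard, and extended with the 'ip' keyword only). First match wins and
# an unmatched packet hits the implicit deny, as on a Cisco switch.

ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _is_ip(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def _parse_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', 'A WILDCARD' or bare 'A'.

    Returns ((network_int, wildcard_int), remaining tokens).
    """
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and _is_ip(tokens[1]):
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    return (_ip(tokens[0]), 0), tokens[1:]  # bare address = single host


def parse_acl(config):
    """Parse an 'ip access-list standard|extended NAME' block into
    (name, kind, [(action, src_spec, dst_spec), ...])."""
    lines = [l.strip() for l in config.strip().splitlines()
             if l.strip() and not l.strip().startswith("!")]
    _, _, kind, name = lines[0].split()
    entries = []
    for line in lines[1:]:
        action, *rest = line.split()
        if action not in ("permit", "deny"):
            raise ValueError("unsupported ACE: " + line)
        if kind == "extended":
            if rest[0] != "ip":
                raise ValueError("only the 'ip' protocol keyword is handled: " + line)
            src, rest = _parse_spec(rest[1:])
            dst, rest = _parse_spec(rest)
        else:  # a standard ACL matches on the source address only
            src, rest = _parse_spec(rest)
            dst = ANY
        entries.append((action, src, dst))
    return name, kind, entries


def _matches(spec, addr):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == net & care


def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a packet from src to dst."""
    _, _, entries = acl
    s, d = _ip(src), _ip(dst)
    for action, src_spec, dst_spec in entries:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


# Vaib's standard ACL for port 3, as posted in the thread.
STANDARD_PORT3 = """
ip access-list standard abc
 permit 172.16.45.0 0.0.0.255
 permit 172.16.46.0 0.0.0.255
"""

# Extended ACL for port 3 (name and ordering chosen for this example).
# Assumption: the internet is reached via the two servers or a gateway
# outside 172.16.0.0/16, so denying that /16 after the server permits
# blocks every other customer port, not only port 4.
EXTENDED_PORT3 = """
ip access-list extended port3-in
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.46.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.46.0 0.0.0.255 host 172.16.0.2
 deny   ip 172.16.45.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.46.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.16.45.0 0.0.0.255 any
 permit ip 172.16.46.0 0.0.0.255 any
"""

# Constructed packets as seen inbound on port 3: (description, src, dst).
PACKETS = [
    ("port-3 user to auth server", "172.16.45.10", "172.16.0.1"),
    ("port-3 user to internet", "172.16.45.10", "203.0.113.5"),
    ("port-3 user to a port-4 user", "172.16.45.10", "172.16.47.10"),
    ("port-4 address plugged into port 3", "172.16.47.10", "172.16.0.1"),
]


def compare(standard=STANDARD_PORT3, extended=EXTENDED_PORT3, packets=PACKETS):
    """Map each packet description to (standard_verdict, extended_verdict)."""
    std, ext = parse_acl(standard), parse_acl(extended)
    return {desc: (evaluate(std, s, d), evaluate(ext, s, d))
            for desc, s, d in packets}


if __name__ == "__main__":
    for desc, (std, ext) in compare().items():
        print(f"{desc:36} standard={std:6} extended={ext}")
```

The run shows the point of Ganesh's second reply: both ACLs stop a port-4 address that has been plugged into port 3 (it never matches a permit, so it falls through to the implicit deny), but only the extended ACL stops a legitimate port-3 user from reaching a port-4 user, because a standard ACL never looks at the destination. The same pattern, with the source ranges swapped, applies inbound on port 4.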