Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ACL on same subnet?

I have a single server to which I need to limit access. Without completely tearing down and rebuilding my network with proper segmentation (which I plan on doing next year) is there a way I can do this with my current equipment and layout? I have:

*1 subnet (192.168.0.1) for LAN which includes servers, printers, and PCs

*3548XL Catalyst switches

*1 2811 router

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: ACL on same subnet?

Then things are a lot simpler.

Do you know which vlan all the ports are in on your 3548 switch ? Please post output of

3548# sh vlan

To then create a new vlan that is routed these are the basic steps

1) Choose a new IP subnet - eg. 192.168.5.0/24

2) Allocate .1 from that subnet onto the fe0/1 interface on your 2811

int fa0/1

ip address 192.168.5.1 255.255.255.0

no shut

3) Create a new L2 vlan on your 3548 switch - we'll use vlan 2 as an example -

3548# vlan database

3548(vlan)# vlan 2 name server_vlan

3548(vlan)# apply

4) Allocate the port on the switch that the 2811 fe0/1 interface connects to into vlan 2

3548(config)#int fa0/1

3548(config-if)# switchport access vlan 2

5) Any machines you want to move into vlan 2 you can then do step 4 for the ports that these machines connect into.

These machines will need an IP address from the 192.168.5.x range and will have their default-gateway set to 192.168.5.1 (fa0/1 interface on 2811).

After that you can then use extended access-lists to control traffic between your 2 vlans and these access-lists would be applied to the 2811 interface.

If you need help with the access-lists once you have done the above let us know.

Jon

6 REPLIES

Re: ACL on same subnet?

Hello Quinton..

It is a tedious job to restrict access on layer 2.. you can use private VLANs, but you must be very sure of what traffic should flow between your end devices ! You can also use layer 2 or mac based vlans, but your switch seems to be too old for it ! try your luck.. see if you have "mac access-list" commands.. you can define these ACL's and apply it on the relevant port... This URL might help you:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

I think you can bifurcate the LAN, instead of doing this complex stuff, and get it going on Layer 3 access-controls..

Hope this helps.. all the best..

Raj

Community Member

Re: ACL on same subnet?

That's what I was afraid of, but thanks for the answer. Can you point me to a good explanation on creating VLANs for my subnet so I can get this thing segmented?

Hall of Fame Super Blue

Re: ACL on same subnet?

Quinton

Here is a document showing how to use a switch and subinterfaces on a router to create and route between 2 vlans. If you have spare interface(s) on your 2811 then you don't need subinterfaces but i'm assuming you don't. (Note if you do let us know as it's a lot simpler).

Scroll down to the table showing 802.1q support in catalyst switches to make sure you have the correct IOS on your 3548XL. Also the router in this example doc is a 2600 but your 2800 will be fine -

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

For each vlan you need a different IP subnet.

Jon

Community Member

Re: ACL on same subnet?

I'm not using the Fe0/1 on my 2811.

Hall of Fame Super Blue

Re: ACL on same subnet?

Then things are a lot simpler.

Do you know which vlan all the ports are in on your 3548 switch ? Please post output of

3548# sh vlan

To then create a new vlan that is routed these are the basic steps

1) Choose a new IP subnet - eg. 192.168.5.0/24

2) Allocate .1 from that subnet onto the fe0/1 interface on your 2811

int fa0/1

ip address 192.168.5.1 255.255.255.0

no shut

3) Create a new L2 vlan on your 3548 switch - we'll use vlan 2 as an example -

3548# vlan database

3548(vlan)# vlan 2 name server_vlan

3548(vlan)# apply

4) Allocate the port on the switch that the 2811 fe0/1 interface connects to into vlan 2

3548(config)#int fa0/1

3548(config-if)# switchport access vlan 2

5) Any machines you want to move into vlan 2 you can then do step 4 for the ports that these machines connect into.

These machines will need an IP address from the 192.168.5.x range and will have their default-gateway set to 192.168.5.1 (fa0/1 interface on 2811).

After that you can then use extended access-lists to control traffic between your 2 vlans and these access-lists would be applied to the 2811 interface.

If you need help with the access-lists once you have done the above let us know.

Jon

Community Member

Re: ACL on same subnet?

Extremely helpful, thank you! I'll work on this and post any other questions.

1224
Views
5
Helpful
6
Replies
CreatePlease to create content