Catalyst 3560 routing for network boot

bighostlv
Level 1

Hi guys,

I'm a Cisco noob so please forgive me if I'm asking stupid questions :)

I have a Cisco Catalyst 3560 in my lab and it's currently set up as a single VLAN with all 48 interfaces in it. The switch receives static IPs from the router and, as far as I understand, is not doing any routing by itself. I'd like to run my own tftp server available only to the servers on this switch (for network boot).

So what I probably need this switch to run is some kind of an internal network i.e. 10.10.2.0 so I'd be able to reach the servers on this switch both via an external IP xxx.xxx.xxx.xxx and an internal one say 10.10.2.3 during the PXE boot.

So how should it be done and is it possible at all?

I hope I'm making myself clear and you got the idea. Please ask if you don't. :)

BR,

Paul

6 Replies

pankaj kumar
Level 1

What I understood is that you are running some servers on the switch and these servers are accessed by some external users,

and you want that the external users should only be able to use these servers but not the TFTP server that you are running; this TFTP server should only be accessible by the servers on the switch.

If that is what you are asking then you can use a port ACL on the switch port where the TFTP server is running. These port ACLs can be applied on the switch layer two interface, in the inbound direction.

Ok, that's pretty close. I've tried this ACL thing before and the issue with me is that it applies the rules to the whole VLAN, not the interface I need. I'm using Cisco Network Assistant; perhaps that's the reason.

Hi bighostlv,

If you use a port ACL it will work only for the particular interface, but if you use a VLAN ACL then it will apply to all ports in that VLAN.

Rate helpful posts

For example, if I start the security wizard and choose a single interface (FastEthernet6 in this case) to block port 25 on, I get this config:

Restricting Applications.
Creating ACL SecWiz_Fa0_6_in_ip based on provided criteria
Creating VLAN Map SecWiz_Vlan1
Applying VLAN Map
Applying VLAN Map SecWiz_Vlan1 to Vlan1

and when I click on Show CLI sequence:

Cisco1(config)# no vlan access-map SecWiz_Vlan1 10
Cisco1(config)# no ip access-list Extended SecWiz_Fa0_6_in_ip
Cisco1(config)# ip access-list extended SecWiz_Fa0_6_in_ip
Cisco1(config-ext-nacl)# deny tcp any any eq 25
Cisco1(config-ext-nacl)# permit ip any any
Cisco1(config-ext-nacl)# exit
Cisco1(config)# vlan access-map SecWiz_Vlan1
Cisco1(config-access-map)# 10 match ip address SecWiz_Fa0_6_in_ip
Cisco1(config-access-map)# 10 action forward
Cisco1(config-access-map)# exit
Cisco1(config)# vlan filter SecWiz_Vlan1 vlan-list 1

After I apply the changes, port 25 gets blocked on the entire switch. I believe it will be the same for what I'm trying to do now.

Suppose the following is the topology:

Now you create an ACL to allow only R2 to telnet to R1 and block R3 from telnetting to R1; similarly you can do it for TFTP, UDP port no 69.

All devices are in the same VLAN.

SW1(config)#access-list 101 permit tcp host 10.1.1.1 eq 23 host 10.1.1.2
SW1(config)#access-list 101 deny tcp host 10.1.1.1 eq 23 any
SW1(config)#access-list 101 permit ip any any
SW1(config)#int fa0/1
SW1(config-if)#ip access-group 101 in

This works and I have checked it; you can use it for UDP traffic, port no 69, for TFTP.

Don't forget to rate the helpful posts.
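As an added illustration of the port ACL approach (this is not configuration from the thread or from Cisco), here is one way to keep the TFTP server reachable only from the servers on the switch. It assumes the router uplink is GigabitEthernet0/1, the TFTP server is 10.10.2.3 and the lab servers use 10.10.2.0/24; interface names and addresses are assumptions and must be matched to the real switch.

```ios
! Added example, not from the thread. Assumptions: the router connects to the
! switch on GigabitEthernet0/1 (the only path outside traffic takes into this
! VLAN); the TFTP/PXE server is 10.10.2.3 and the lab servers use 10.10.2.0/24.
!
! A 3560 port ACL is inbound-only, so it is placed on the uplink where outside
! traffic enters. PXE clients on the switch reach 10.10.2.3 directly within the
! VLAN and never cross this port, so they are unaffected. Filtering the request
! (destination port 69) also avoids having to track the ephemeral port the TFTP
! server answers from, and covers every address the server has, not only
! 10.10.2.3.
ip access-list extended BLOCK-TFTP-FROM-OUTSIDE
 remark No TFTP request arriving from the router side reaches any host here
 deny   udp any any eq 69
 remark Everything else (web, ssh, ... to the servers' public addresses) passes
 permit ip any any
!
interface GigabitEthernet0/1
 description Uplink to router
 ip access-group BLOCK-TFTP-FROM-OUTSIDE in
!
! Checks after applying:
!   show running-config interface GigabitEthernet0/1   (ACL bound, direction in)
!   show ip access-lists BLOCK-TFTP-FROM-OUTSIDE       (ACEs in this order)
!   From a lab server: tftp 10.10.2.3 must still work
!   From outside the switch: tftp to the server's public address must time out
end
```

The deny line sits first because IOS evaluates ACEs top down and stops at the first match, so the trailing permit ip any any never lets a TFTP request through.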

Ok, thanks a million will try this one.
