Extended Access-list help in cisco 3550

Dear Experts,

Please help me regarding an extended access-list.

We are using a Cisco 3550 (48P) in our HQ. On this switch, interface ports 1 & 2 are connected to the billing authentication server as an uplink.

All our users have to authenticate to both servers and then access the internet; they are connected to interface ports 3 to 48.

All the ports are in the same VLAN, including interface ports 1 & 2.

On ports 3 to 48 many users are connected to each interface, approx. 40 users per interface, to authenticate to both servers and then access the internet.

We have given IP ranges per port, e.g.:

interface port 3 (IP range 172.16.45.1 to 254 and 172.16.46.1 to 254)

interface port 4 (IP range 172.16.47.1 to 254 and 172.16.48.1 to 254)

ALL THE IP ADDRESSES ARE ASSIGNED ON THE CUSTOMERS' PCS, NOT CONFIGURED ON AN INTERFACE OF THE CISCO 3550

We require the users on interface port 3 to access both our servers (172.16.0.1 and 172.16.0.2) and the internet only, and to deny the IPs of interface port 4,

and the same thing on port 4.

But suppose one of our customers connected on port 4 by mistake uses the IP range of interface 3 (172.16.45.1 to 254): I need to deny access to both servers, and vice versa.

On my switch we are able to apply an ACL on an interface inbound only (ip access-group abc in), not out.

So how can I do this?

Please help me.

Thanks in advance,

Vaib...

Re: Extended Access-list help in cisco 3550

Vaib

Why do you need to apply the ACL in an outbound direction? For your requirements I would have thought an inbound port ACL would be enough. As you say, the 3550 does not support port ACLs in the outbound direction.

Could you clarify why an inbound port ACL is not enough?

Jon

Re: Extended Access-list help in cisco 3550

Hi Vaibhav,

As suggested by Jon, an inbound ACL will do the job and is easier to implement and troubleshoot.

Check out the link below for ACL implementation:

http://cisco.biz/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swacl.html

Hope to Help !!

Ganesh.H

Re: Extended Access-list help in cisco 3550

Dear Jon, Ganesh,

Thanks a lot to both of you. My problem is solved by a standard ACL; please see the config below.

For port 3:

switch(config)#ip access-list standard abc
switch(config-std-nacl)#permit 172.16.45.0 0.0.0.255
switch(config-std-nacl)#permit 172.16.46.0 0.0.0.255

For port 4:

switch(config)#ip access-list standard xyz
switch(config-std-nacl)#permit 172.16.47.0 0.0.0.255
switch(config-std-nacl)#permit 172.16.48.0 0.0.0.255

Then apply them on the interfaces: port 3 (ip access-group abc in) and port 4 (ip access-group xyz in).

These IP addresses can access both hosts, 172.16.0.1 and 2, and the internet only.

Thanks once again!!!

Cheers!!!

Vaib...

Re: Extended Access-list help in cisco 3550

Hi Vaibhav,

Your requirement in the above thread was:

"we required on interface port 3 users to access our both the servers (172.16.0.1 and 172.16.0.2) and access internet only and deny ip of interface port 4, and same thing on port 4."

So I would suggest you configure an extended ACL with the destination specified for each specific source IP address.

Hope to Help !!

Ganesh.H
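
The difference between the standard ACL posted in the thread and the extended ACL suggested in the last reply can be checked with a small first-match evaluator. This is an added example, not code or configuration from any poster: `EXTENDED_PORT3` is a hypothetical ACL built from the thread's addresses, and it assumes every customer range sits inside 172.16.0.0/16. The model looks only at IP source and destination, with IOS wildcard masks and the implicit deny.

```python
import ipaddress

# Port 3 standard ACL "abc", entries as posted in the thread.
STANDARD_ABC = """\
permit 172.16.45.0 0.0.0.255
permit 172.16.46.0 0.0.0.255
"""
# Hypothetical extended ACL for port 3 (assumption: every customer range
# sits inside 172.16.0.0/16, so one deny covers the other ports' users).
EXTENDED_PORT3 = """\
permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
permit ip 172.16.46.0 0.0.0.255 host 172.16.0.1
permit ip 172.16.46.0 0.0.0.255 host 172.16.0.2
deny ip any 172.16.0.0 0.0.255.255
permit ip 172.16.45.0 0.0.0.255 any
permit ip 172.16.46.0 0.0.0.255 any
"""
ANY = (0, 0xFFFFFFFF)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _spec(tok):
    # Consume "any", "host A" or "A WILDCARD" from the token list.
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0)) if tok else 0

def parse(text, extended):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action = tok.pop(0)
        if extended:
            tok.pop(0)  # protocol keyword; only "ip" is modelled
        src = _spec(tok)
        rules.append((action, src, _spec(tok) if extended else ANY))
    return rules

def evaluate(rules, src, dst):
    # First match wins; wildcard bits set to 1 are ignored in the compare.
    hit = lambda ip, spec: (_ip(ip) | spec[1]) == (spec[0] | spec[1])
    for action, s, d in rules:
        if hit(src, s) and hit(dst, d):
            return action
    return "deny"  # implicit deny that ends every IOS ACL
```

Both ACLs drop a port 4 address (172.16.47.x) arriving on port 3, but only the extended one also drops traffic from a valid port 3 address to another customer's range, because a standard ACL never looks at the destination.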
