
Global ACL does not activate

ciaranmurphy1
Level 1

Hi Folks,

 

I've been out of the networking world for a few years and am slowly getting back into it. One thing that is currently causing me a slight bit of grief is a set of access-lists I'm trying to apply.

When planning this I never gave it a second thought, as I had configured these a long time ago and they never posed any complication. I know I'm gonna kick myself, as it has to be something very simple.

 

Basically, here is an example of my basic requirements:

 

I have two computers connected to the one switch. I want to prevent either computer from connecting to the other on all protocols; these computers must be able to connect to other resources on the LAN.

I had tried adding specific IP and MAC global access lists:

Extended IP access list IP_BLOCK_1
    10 deny tcp host 123.123.123.2 host 123.123.123.3
    20 deny tcp host 123.123.123.3 host 123.123.123.2
    30 deny udp host 123.123.123.3 host 123.123.123.2
    40 deny udp host 123.123.123.2 host 123.123.123.3
 

Extended MAC access list MAC_BLOCK_1
    deny   host 12ab.12cd.12ef host 13ab.13cd.13ef
    deny   host 13ab.13cd.13ef host 12ab.12cd.12ef

 

All interfaces are in VLAN 2, and VLAN 2 has been given an IP address of 123.123.123.6.

I have tried deny any any but both computers are still able to connect; someone please put me out of my misery :-)

 

Switch model:

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 50    WS-C2960-48TC-S    12.2(55)SE5           C2960-LANLITEK9-M

 

Do I need to enable anything to allow ACLs to be active? I didn't think there were prerequisites for global ACLs, but it's been so long...

 

Thanks for your time
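For the ACL approach described in the post, here is an added example (not the poster's configuration) of how the two lists above would have to be bound to the ports and what they need in order to isolate the hosts. The interface names FastEthernet0/1 and FastEthernet0/2 are assumed; whether port ACLs are available on the LAN Lite image for this release is something to confirm in the configuration guide for that image. Three points a practitioner would check here: an access-list definition (which is what "show access-lists" prints) filters nothing until it is applied to an interface, and on a Layer 2 port that means an inbound port ACL via ip access-group / mac access-group; IOS ACLs end with an implicit deny, so a list made only of deny entries would block all inbound traffic on the port once applied, and a final permit is required to let the rest of the LAN traffic through; and the posted deny entries cover only TCP and UDP, whereas deny ip covers every IP protocol (ICMP included). On these Catalyst switches the IP port ACL filters IP packets and the MAC port ACL filters non-IP frames, so the MAC list alone would not stop IP traffic between the two hosts.

```text
! Added example, not from the original post. Interface names are assumed.
! Start clean, then rebuild the IP list with deny ip (all IP protocols)
! and an explicit final permit; without it the implicit deny blocks
! every inbound packet on the port, not just host-to-host traffic.
no ip access-list extended IP_BLOCK_1
ip access-list extended IP_BLOCK_1
 10 deny ip host 123.123.123.2 host 123.123.123.3
 20 deny ip host 123.123.123.3 host 123.123.123.2
 30 permit ip any any
!
! MAC list for non-IP frames between the same two hosts
! (IP frames on the port are handled by the IP list above).
no mac access-list extended MAC_BLOCK_1
mac access-list extended MAC_BLOCK_1
 deny host 12ab.12cd.12ef host 13ab.13cd.13ef
 deny host 13ab.13cd.13ef host 12ab.12cd.12ef
 permit any any
!
! Port ACLs are applied inbound on the Layer 2 port of each host.
interface FastEthernet0/1
 description assumed port of host 123.123.123.2
 switchport mode access
 switchport access vlan 2
 ip access-group IP_BLOCK_1 in
 mac access-group MAC_BLOCK_1 in
!
interface FastEthernet0/2
 description assumed port of host 123.123.123.3
 switchport mode access
 switchport access vlan 2
 ip access-group IP_BLOCK_1 in
 mac access-group MAC_BLOCK_1 in
!
! Verification: the access-group lines must appear under each port;
! if they do not, the lists exist but filter nothing.
! show running-config interface FastEthernet0/1
! show running-config interface FastEthernet0/2
! show access-lists
```

The same applies to the "deny any any" experiment mentioned above: a list that is never bound to a port has no effect, and one that is bound with only deny entries would cut the host off from everything, including the other LAN resources.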

 

 

Accepted Solution

Renan Abreu
Cisco Employee

Hi ciaranmurphy1,

 

If they are connected to the same switch, you can configure switchport protected; take a look at the link below.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_20_ea2/configuration/guide/2950scg/swtrafc.html#wp1158863

It looks similar to private VLAN isolated ports, but it is simpler to configure and it works only within the same switch.
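The protected-port configuration the reply refers to, as an added example (not from the original post or the linked guide); the interface names are assumed. Both ports must be marked protected: a protected port forwards no unicast, multicast or broadcast traffic to another protected port on the same switch, but forwards normally to unprotected ports, so the VLAN 2 SVI, the uplink and the other LAN resources stay reachable. It is a per-switch Layer 2 control only: protected ports on different switches are not isolated from each other, and a Layer 3 device reachable through an unprotected port can still forward traffic between the two hosts.

```text
! Added example, not from the original post. Interface names are assumed.
! Mark the port of each of the two hosts as protected; traffic between
! protected ports on this switch is dropped, traffic to unprotected ports
! (gateway, uplink, other LAN resources) is unaffected.
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 2
 switchport protected
!
! Verify on each port; the switchport output should read "Protected: true".
! show interfaces FastEthernet0/1 switchport | include Protected
! show interfaces FastEthernet0/2 switchport | include Protected
```

If the two hosts later need to be isolated across more than one switch, protected ports are not enough and the port-to-port traffic has to be forced through a Layer 3 device where it can be filtered.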

 


Well, it's official: I am the world's biggest wally.

 

The issue was that the packets from both computers weren't traversing this switch after all. Both computers are actually servers with multiple NICs. I thought I had the LAN routing set up correctly on the servers, but I did not, so the connection was going over a different link that was on another NIC on the servers. Should have seen this way sooner; sorry for wasting your time.

 

BTW, the port blocking is working perfectly. Thank you for that recommendation.
