New Member

Is it possible to configure a 3560 switch to allow only a specific host to have access to all VLANs ????

Dears,

I have configured the following VLANs on my 3560 Cisco switch:

  • VLAN 30
  • VLAN 40
  • VLAN 50

Inter-VLAN routing is allowed between them; however, I want to configure the switch to let a specific host have access to all VLANs, while all other hosts have connectivity only to the members of their own VLAN.

Any suggestions ???

Best Regards,

Begad Ahmed

 

21 REPLIES
New Member


ACL?!

 

New Member


Yep, agree. A VACL is the only thing I can think of.

New Member


Yep, an extended ACL can work. If you are using VLAN interfaces on the same switch for inter-VLAN routing, you can apply your extended ACL on the VLAN interface; if you are using a router for inter-VLAN routing (router on a stick), you can apply your ACL there at the router.

New Member


Thanks all for your feedback. I want to create the ACL based on the MAC address of the host that should have access to all VLANs. Is it possible ???

 

Best Regards,

Begad Ahmed

 

New Member


You can assign them static IP addresses, or you can bind their MAC addresses to specific IP addresses and then use those IPs in your ACL ....

Hope it helps

New Member


Actually, I cannot use a static IP address, as this host will be moving between VLANs, but every time it is connected to any of the VLANs I want it to have access to all VLANs (30, 40 & 50).

For example, if this host is connected to VLAN 30, it will have an IP address in the range 10.0.30.0/24, and if it is connected to VLAN 40, it will have an IP address in the range 10.0.40.0/24.

That's why I want to configure the ACL based on the MAC address.

 

Best Regards,

Begad Ahmed

 

 

New Member


Yes, you can try that in your scenario ... one IP per host/MAC in each VLAN.

New Member


How can I configure an ACL based on the MAC address to fulfill my requirement ???

 

Please advise ??!!
 

Best Regards,

Begad Ahmed

 

New Member


As far as I know, the ACL will be IP based, and you can only specify IP addresses to access specific IPs on a Cisco 3560. How many VLANs do you have? If two, then it's not much of an effort....

You can try:

Switch(config)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host H.H.H any
Switch(config-ext-macl)# ! H.H.H = MAC address of the host that may reach every VLAN
Switch(config-ext-macl)# exit
Switch(config)# interface gigabitEthernet 6/1
Switch(config-if)# mac access-group simple-mac-acl in

 

New Member


Thanks for the info. ... I never tried that before, will try now!

:)


When I checked the reply chain, maybe private VLANs are a way for you?

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swpvlan.html

 

New Member


This will work if the filtering is based on IP address (I think it is a better choice than MAC based).


Let's say that the special host is 192.168.30.100 in VLAN 30
and the networks are

vlan 30 - 192.168.30.0/24
vlan 40 - 192.168.40.0/24
vlan 50 - 192.168.50.0/24

access-list 101 permit ip host 192.168.30.100 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

route-map RM_101 permit 10
 match ip address 101

int vlan 30
 ip policy route-map RM_101

int vlan 40
 ip policy route-map RM_101

int vlan 50
 ip policy route-map RM_101

 

Hope this will help you somehow.

P.S.: Please mark it as the correct answer if so.

 

Regards

Suresh

New Member


This is exactly what I want to do, but I want to configure the ACL based on the MAC address of the host, as I don't want to configure a static IP address for this host.

Is it possible ???

 

Best Regards,

Begad Ahmed

New Member


MAC BASED FILTERING will work if your IOS supports the mac access-group command under interfaces.

If so, create a MAC access-list:

switch 3560(config)#mac access-list extended TEST
switch 3560(config-ext-macl)#permit host H.H.H any

and apply it on all three VLAN interfaces like:

switch 3560(config)#interface vlan 30
switch 3560(config-if)#mac access-group TEST in
switch 3560(config)#interface vlan 40
switch 3560(config-if)#mac access-group TEST in
switch 3560(config)#interface vlan 50
switch 3560(config-if)#mac access-group TEST in

This will permit that special MAC to reach other MACs (hosts) in the other VLANs too; the rest will communicate within their VLAN, as the implicit deny at the end will not allow any host out of its VLAN.

If mac access-group is not supported, then it may not be possible MAC based, or at least very complex.

Then go for the earlier one:

ip access-list extended ACL1
 permit ip host 192.168.30.100 any
 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

####### A simple access-group under the VLAN interface will work here, but it feels good to use fancy configs like a route-map #####

route-map RM_ACL1 permit 10
 match ip address ACL1

int vlan 30
 ip policy route-map RM_ACL1

int vlan 40
 ip policy route-map RM_ACL1

int vlan 50
 ip policy route-map RM_ACL1

------------------------

I think/guess this is what you are looking for.

P.S.: Please don't forget to mark it as the correct answer if so.

 

Regards

Suresh

 

New Member


Regarding the configuration of VLAN maps, will it allow communication between hosts that are members of the same VLAN while allowing only my special host to access other VLANs ???

For example: if my special host is assigned an IP address in VLAN 30 (192.168.30.2), it will have access to the other VLANs (40, 50), while all other hosts in VLAN 30 will not have access to VLANs 40 and 50; however, they can communicate with each other.

 

switch 3560(config)#mac access-list extended SPECIAL_MAC
switch 3560(config-ext-macl)#permit host H.H.H any
switch 3560(config-ext-macl)#! H.H.H = your special host's MAC address
switch 3560(config-ext-macl)#exit
switch 3560(config)# vlan access-map TEST 10
switch 3560(config-access-map)# match mac address SPECIAL_MAC
switch 3560(config-access-map)# action forward
switch 3560(config-access-map)# exit
switch 3560(config)# vlan filter TEST vlan-list 30-50

 

 

 

New Member


Just edited my last comment... please refer to it.

New Member


Actually, on the Cisco Catalyst 3560 the mac access-group command is supported only on layer 2 interfaces, while it is supported on layer 3 interfaces on routers like the Cisco 12k router.

So in my case the mac access-group command is not supported; accordingly, do you think that the other approach of using VLAN maps, as you mentioned earlier, will fulfill my requirements?

 

 

switch 3560(config)#mac access-list extended SPECIAL_MAC
switch 3560(config-ext-macl)#permit host H.H.H any
switch 3560(config-ext-macl)#! H.H.H = your special host's MAC address
switch 3560(config-ext-macl)#exit
switch 3560(config)# vlan access-map TEST 10
switch 3560(config-access-map)# match mac address SPECIAL_MAC
switch 3560(config-access-map)# action forward
switch 3560(config-access-map)# exit
switch 3560(config)# vlan filter TEST vlan-list 30-50

 

New Member


I don't think so!

As I said, that may be the most complex solution, as you need to know all the MAC addresses and apply permit/deny statements from one MAC to all the other MACs in a particular VLAN (this is feasible for a few hosts, like 5 to 10).

So, better use the IP based filtering solution provided earlier.

 

Regards

Suresh

New Member


Yes, it may be possible. You could configure a switchport for the host with switchport mode trunk and a subinterface for each VLAN, IF the NIC on the host supports trunking. I've seen file servers configured in this way, binding an IP address on the host for each subnet associated with the VLANs. Just one possibility. HTH

 

New Member


Hi tzunt,

As I mentioned, filtering based on IP is possible, and it's easy and clear.

The method you explained may not work, as sub-interfaces can't be created on the 3560; instead only L3 SVIs are used. But the solution will work in another way.

Create a trunk port allowing VLANs 30, 40, 50 (the host NIC must support trunking/dot1Q) and configure the rest of the interfaces as access ports in the required VLANs accordingly.

interface fast0/1
description ***port for special host***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 30-50
switchport mode trunk
!
interface fast0/2
switchport access vlan 30
switchport mode access
!
interface fast0/3
switchport access vlan 40
switchport mode access
!
interface fast0/4
switchport access vlan 50
switchport mode access

Again we need to define SVI interfaces for segregating the networks (to allow the special host to communicate between the three VLANs); then, even though the access-port hosts belong to VLANs 30/40/50, they can communicate with each other as L3 communication takes place (routing will happen), which should not happen as per the requirement.

So, what I think is that an ACL with IP based filtering will work flawlessly.

Please correct me if I am wrong.

 

Regards

Suresh
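The "simple access-group under the VLAN interface" variant of the IP-based filter recommended above, written out as a working 3560 configuration (an added example, not posted by anyone in the thread). It assumes the special host is given a DHCP reservation ending in .100 in each of the three subnets (constructed addresses) and that the SVIs at 192.168.x.1 are the VLANs' gateways.

```cisco
! Added example, not from the thread. A router ACL applied inbound on each SVI:
! only traffic that is routed between VLANs enters an SVI, so hosts in the
! same VLAN keep talking to each other at layer 2 regardless of this ACL.
! Constructed addresses: the special host is reserved .100 in every subnet
! (DHCP reservation on its MAC); 192.168.x.1 is the SVI/gateway of each VLAN.
ip access-list extended SPECIAL_HOST_ONLY
 remark DHCP must still reach the SVI (local DHCP server or helper address)
 permit udp any eq bootpc any eq bootps
 remark traffic sourced by the special host, whichever VLAN it is plugged into
 permit ip host 192.168.30.100 any
 permit ip host 192.168.40.100 any
 permit ip host 192.168.50.100 any
 remark replies from hosts in the other VLANs back to the special host
 permit ip any host 192.168.30.100
 permit ip any host 192.168.40.100
 permit ip any host 192.168.50.100
 remark everything else that would cross a VLAN boundary is dropped
 deny ip any any
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group SPECIAL_HOST_ONLY in
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip access-group SPECIAL_HOST_ONLY in
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip access-group SPECIAL_HOST_ONLY in
!
! Verify the binding and watch the hit counters while testing from an ordinary host:
!   show ip interface vlan 30 | include access list
!   show ip access-lists SPECIAL_HOST_ONLY
```

Because the filter keys on IP addresses, the host's MAC still has to be tied to those .100 addresses with a DHCP reservation in each VLAN, as suggested earlier in the thread. Ordinary hosts also lose the ability to ping the gateway address itself; add a permit for each SVI address if that is wanted.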
