New Member

Switch ACL

Good Evening,

I am attempting to create an ACL to block all traffic from WorkstationA to WorkstationB but allow everything else through. In this environment I only have rights to modify the configuration on SwitchB, which is a 3750X running an IP Base image. I have already given this a few shots but I can't seem to get this one.

Here is an example:

I have tried the following on switch B:

ip access-list extended BLOCKA
 deny ip host 192.168.1.20 any
 permit ip any any
!
! applied on the port that WorkstationB resides on
interface <port that WorkstationB resides on>
 ip access-group BLOCKA in

 

Is there any way to make this work when you only have access to SwitchB in this example?

Thank you in advance!

6 REPLIES
Gold

Hi,

Try applying the ACL on the interface of router B that connects to router A. As per your ACL, the source is workstation A's IP address, and this will have to be blocked as it enters router B, as you have placed the ACL in the inbound direction.

Hope that helps.

Regards,
Najaf
New Member


Thank you for the reply Najaf.  Unfortunately I only have access to configure SwitchB.  I have no control over any other devices in the topology.  Any other ideas? 

Gold


Sorry,

My mistake. I read as you have access to router B and not switch B :-(

Since you have your switch configured as L2, your ACL will not have any effect.

 

 

VIP Super Bronze


Hi,

Is switch-B a layer-2 or a layer-3 device?

If it is layer-2, your ACL is not going to block host-A.

HTH

New Member


Thank you for the reply Reza. This 3750X is running the IP Base image but is not really performing any Layer 3 functions. It is just hanging off of RouterB, which is handling all layer 3.

New Member


You should use a VLAN ACL (VACL) to achieve the desired result on the switch. Since it is a 3750-X, it supports VACLs.

The config can be as follows:

ip access-list extended BLOCK_A
 permit ip host <source> host <dest>
!
ip access-list extended PERMIT_ANY
 permit ip any any
!
vlan access-map A_To_B 10
 match ip address BLOCK_A
 action drop
vlan access-map A_To_B 20
 match ip address PERMIT_ANY
 action forward
!
vlan filter A_To_B vlan-list <source VLAN id>

Reply to me if it solves your issue.
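The VACL approach written out end to end, as an added example rather than config posted in this thread. WorkstationA's address 192.168.1.20 comes from the original question; WorkstationB's address and the VLAN number are not given anywhere in the thread, so they appear as placeholders. The show commands at the end are the checks for confirming the map and filter are actually installed.

```text
! SwitchB (Catalyst 3750-X, IP Base) -- added example, not from the thread
!
! Traffic to drop: WorkstationA (192.168.1.20, from the original post) to WorkstationB.
! The ACE is a "permit" because inside a VACL the ACL only selects traffic;
! the action line of the access-map decides what happens to it.
! <WorkstationB-IP> is a placeholder: WorkstationB's address is not in the thread.
ip access-list extended BLOCK_A
 permit ip host 192.168.1.20 host <WorkstationB-IP>
!
ip access-list extended PERMIT_ANY
 permit ip any any
!
! Sequence 10 drops the selected flow; sequence 20 forwards everything else.
! Without sequence 20, all other traffic in the VLAN would be dropped.
vlan access-map A_To_B 10
 match ip address BLOCK_A
 action drop
vlan access-map A_To_B 20
 match ip address PERMIT_ANY
 action forward
!
! Apply to the VLAN WorkstationB is in. VACLs have no direction: they apply to
! every packet bridged within the VLAN and routed into or out of it.
! <WorkstationB-VLAN> is a placeholder: the VLAN number is not in the thread.
vlan filter A_To_B vlan-list <WorkstationB-VLAN>
!
! Verification
show vlan access-map A_To_B
show vlan filter
show ip access-lists BLOCK_A
```

Why the original attempt did not work: a port ACL applied with `in` on a Layer 2 access port filters packets entering the switch from the host attached to that port, so on WorkstationB's port it only ever sees packets sourced from WorkstationB and never matches the deny for 192.168.1.20. The VACL avoids that problem because it is evaluated for all traffic in the VLAN regardless of which port it arrived on.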

 
