Re: Port-ACL's on a 3750 - question

sillyfrank · ‎03-01-2006

I have a 3750 that is connected to another network via a layer-2 type connection. I have a specific set of tcp and udp ports that I want to allow access to via this switch. In taking a look at the documentation I see that I can apply Port ACL's directly to layer-2 interfaces, but that it will only work "inbound" to the switch.

Will this work:

If I have (bad ascii net diagram):

[hosta]--[rtr]--[switcha]-WAN-[switchb]

I want to put an ACL on the l2 uplink from switchB to the wan (WAN is a metro-ethernet type l2 wan extension - rtr is a router) that only allows hosta to hit tcp ports 1000,2000 and 3000 on hosts sitting on switchb. I want to allow hosts on switchb to do whatever they want to hosta. Is it as simple as:

ip access-list 101 permit tcp any any eq 1000

ip access-list 101 permit tcp any any eq 2000

ip access-list 101 permit tcp any any eq 3000

and then applying that ACL onto the l2 uplink interface on switchb? Thinking that since Port ACL's only affect "inbound" direction - allowing inbound connections on the l2 uplink gets the packets onto my hosts on switchb, and there is nothing preventing the return traffic or new tcp connections from hosts on switchb -> hosta...?

Thanks!

-Frank

balajitvk · ‎03-01-2006

Yes frank, Your idea seems to be okei.

As per document, You can configure only one type of per-user ACLs on a Catalyst 3750 switch port: router ACLs or port ACLs. Router ACLs apply to Layer 3 interfaces, and port ACLs apply to Layer 2 interfaces. If a port is configured with a port-based ACL, the switch rejects any attempt to configure a router-based ACL on the same port. However, if a port is configured with a router-based ACL and then a port-based ACL, the port-based ACL overwrites the router ACL.

while applying to the interface connecting to l2 port give "in" direction, but anyway out is not supported in l2 interfaces.

so nothing looks preventig the return traffic.