Cisco Support Community
Community Member

3560 ACL issues

Good day all,

Hopefully this is the right forum to ask my question?

Here it goes,

I have a 3560 switch attached to a 1941 router. The router does not below to us but is used for another organization to have access to our network. There is a static internal IP address that we have provided to this organization to allow access to our network. Unfortunately we are seeing ip address that are internal to their network coming into our network. I know the first thing would be to talk to the organization and get the to fix this issue, unfortunately they don't see this as an issue. Do to the nature of the connection (must be connected) I cannot just pull the plug. So my next best idea was to put in place a ACL only allow access into our network from the specific ip address we gave them. That way they would be forced to NAT their ip's into our network. The acl I put in place is fairly simple.

access-list 101 permit ip any log

The connection to the router is through G0/18, so I place the access-group 101 in on that port. I then have an IDS system that captures all traffic on the network through port spanning. I am still seeing the traffic from their internal network

I'm not sure why the ACL isn't preventing other traffic from coming into our network through their router?

Any help would be great.



Everyone's tags (3)

3560 ACL issues

Hi Stacey,

Please have an access-list like the below.

access-list 101 permit ip host any

access-list 101 deny ip any any


int gig 0/18

ip access-group 101 in


This should work when you have the routed interface. If you have the VLAN's configured for the router connecting interface. Then you may need to have the VLAN ACL to achieve this.

Please do rate if the given information helps.



Re: 3560 ACL issues

Hi There Stacey

How are you doing today? Before I begin, I'm assuming you've the sdm template routing enabled in your Cisco Catalyst 3560

What I would suggest you to do is to configure port based ACL in your Cisco Catalyst 3560. In your interface GigabitEthernet 0/8, you can configure ACLs as shown below;


vlan 20

name VLAN0020


interface Vlan20

ip address


int GigabitEthernet 0/8

description ### Link to Cisco ISR 1941 Router FE0/1 ###

switchport mode access

switchport access vlan 20

ip access-group 100 in


access-list remark ### To allow only to access into internal LAN ###

access-list 100 permit ip host any

access-list 100 deny ip any any log


Even though my solution works for you, this really isn't good enough based on Cisco SAFE's best practises and guidelines. You'll need to enable other Cisco technologies in your Cisco Catalyst 3560 such as storm-control, QOS (Policing, NOT Shaping and NOT Prioritization) etc. as well. This is to ensure and limit the possibility of DOS/DDOS attack coming from devices that belongs to the "other" organization (NAT-ted as IP to your internal servers/resources. After all, I bet you've no clue how secure is their LAN, am I right?

The above-mentioned solution is something that I would like to call merely, a workaround. The "best" solution here is to place a Cisco FW (running in transparent mode) sitting right smack in between both the Cisco ISR 1941 Router and the Cisco Catalyst 3560 Switch. In your Cisco FW, you could then include other service modules e.g. AIP-SSM, CSC-SSM to further protect your LAN from the "other" organization.

Last but not least, you might wanna capture a network performance benchmark between the LAN from the "other" organization to your LAN i.e. using tools such a iPerf (Freeware), assuming you don’t have one. This is because, it will come a time, when LAN users from the "other" organization will complain that accessing the network resources situated in your LAN is “slow”. To troubleshoot this isn't gonna be easy as slowness could be due to many reasons e.g. their LAN, the WAN Link, your LAN, the servers itself etc. Get this network performance benchmark done immediately, so that you can rule out your LAN being the culprit should such complains come in, the near future. Mind you, it will come, I know :-)

P/S: If you think this comment is useful, please do rate it nicely :-)     

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
CreatePlease to create content