ACLs on switches

I have 5 subnets from my ISP. I want to use a switch for routing, a 2960 or SF300-24P. I just want to route one inside network to one outside subnet. A point of sale system is set up on one static IP; this VLAN would just need to connect to the one subnet on the outside. If I turn on IP routing and create SVIs, this will route between all subnets. I also have a public, employee and management VLAN. They are on separate static IP addresses.
The three local networks will use private IP addressing. How do I translate between the local private IP addresses and the designated address from the service provider?
An example: I want the 192.168.1.0 network in VLAN 100 to route only to ISP address 1,
192.168.2.0 in VLAN 200 to route only to ISP address 2,
192.168.3.0 in VLAN 300 to route only to ISP address 3.
The issue is I can't have VLAN 200 or VLAN 300 communicate with ISP address 1 or VLAN 100.
How can I do this with a Catalyst 2960 with LAN Base firmware?
Thanks

Are you sure these are the only things you want to route? 
If yes, then a 2960 can do limited static routes if you upgrade to 12.2(55)SE2 and later.  You can enable routing if you change the SDM template to route. 

Similar Messages

  • How to put a comment(remark) into a certain line in ACL on L3 switch

    hello all,
    Am I correct that for comments in access lists on L3 switches only such limited functionality is provided that it is possible only to put a remark at the end of the existing rule list, and there is no way to put a comment into a defined line other than reapplying the whole access list?!
    (config-ext-nacl)#remark ?
      LINE  Comment up to 100 characters
      <cr>
    Maybe other commands exist or special applications that can help with such important matter ?

    You're correct. Remark entries will be added in the order that you enter them, but can't be inserted with a sequence number. Any time I've needed to make changes to ACL remarks, the ACL has had to be deleted and re-created with the new entries.

  • WCCP ACL on 4506 switch

    Hi ,
    We have a cisco 4506 switch with the IOS version of 12.2-50.SG1. I would like to know whether any latest IOS version will support redirect ACL with the deny statement for WCCP on a client interface.
    Switch details:
    cisco WS-C4506-E (MPC8245) processor (revision 7) with 524288K bytes of memory.
    Processor board ID FOX1407G5P7
    MPC8245 CPU at 333Mhz, Supervisor IV
    Last reset from Reload
    5 Virtual Ethernet interfaces
    192 FastEthernet interfaces
    26 Gigabit Ethernet interfaces
    403K bytes of non-volatile configuration memory.
    Regards,
    Bala

    Hey CJ,
    Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
    Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
    Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
    Hope this helps!
    -Chet

  • Recommendation on having ACL on the switch or on the FW?

    Hi There,
    I have a setup of a core switch connected through a trunk link to a PIX535 FW; currently I have 150 users and the PIX is doing the ACL between the different VLANs. However, in the future the organization will grow to 2000+ users and I'm afraid of performance degradation on the FW side if we maintained the ACL on its side.
    From a security perspective, is it better to keep the ACL managed by the PIX FW and not by the core switch? And from a performance perspective, is it recommended in my scenario to move the ACL to the core switch so the performance of the PIX doesn't get degraded?
    Also, my core switch is 4 X Catalyst 3750 switches stacked together, will there be any performance problems when my organization grows to 2000+ users with this type of switch? (i.e. should we consider moving to a higher-end model like 4500 series or 6500 series)?
    Appreciate your feedback.
    Thanks,
    Haitham

    Hi Haith,
    The Cisco 3750 is designed for small and medium sized networks. Since you say that your network is going to grow to 2000 plus users, you need to consider going in for either 4500 or 6500 series switches; you can also put the access-list on these switches and performance will not be affected. Deciding the switch should also take into account what type of application is going to run on the network; let's say that if you are using it for audio/video applications with more than 2000 plus users, you should really go in for 6500 series switches, because the file sizes of these applications will be huge.
    Hope this helps.
    Rate this post if cleared. If not, please let me know.

  • Reflexive ACL on a switch interface

    Is there any reason a reflexive ACL will not work on a switch port? I see that most examples pertain to routers. We have a 4510 with a Sup 6. I have not tried it yet, but here is the config I came up with:
    ip access-list extended internal_acl
    permit tcp any any reflect tcptraff
    permit udp any any reflect udptraff
    permit icmp any any reflect icmptraff
    ip access-list extended external_acl
    evaluate tcptraff
    evaluate udptraff
    evaluate icmptraff
    deny ip any any
    int g1/48
    ip access-group internal_acl out
    ip access-group external_acl in
    Does this look like it will work? Being that the 4510 can't do NAT I need to "hide" what is connected to this particular switch interface. Suggestions?
    Poirot

    Here are 2 good basic documents on this topic:
    "How To Calculate Bandwidth Utilization Using SNMP"
    SNMP Counters: Frequently Asked Questions
    Basically, what you have to do is poll ifHCInOctets and ifHCOutOctets (from the IF-MIB (ifXTable), e.g. ifHCInOctets = .1.3.6.1.2.1.31.1.1.1.6)
    and do some calculation to get bps. This thread gives a good example.
    There are 2 MIB objects which give directly what you want, but they are deprecated and have 32-bit counters, so they are not of practical use for high-speed (Gig) interfaces:
        locIfInBitsSec      1.3.6.1.4.1.9.2.2.1.1.6
        locIfOutBitsSec     1.3.6.1.4.1.9.2.2.1.1.8
    Typically you will poll these values with SNMP instead of sending them (for 64-bit counters (ifHCInOctets) you'll have to use SNMPv2c or SNMPv3).

  • Need ACL Assistance on Switch/Router

    Hello all,
    I am learning how to write ACLs, and one of the exercises is that I have to write an ACL to restrict PING, HTTP, FTP, and allow POP3 and SMTP between a PC and a server. Below is my ACL. The thing that does not work is the POP3/SMTP access. It continues to fail. I do not want to just add a "permit ip any any" to make it work. Can someone help? Thanks!
    PC1:  192.168.6.65
    PC2:  192.168.6.66
    Svr1:  209.1.5.14
        10 deny icmp host 192.168.6.65 host 209.1.5.14 echo
        20 deny icmp host 192.168.6.65 host 209.1.5.14 echo-reply
        30 deny icmp host 192.168.6.66 host 209.1.5.14 echo
        40 deny icmp host 192.168.6.66 host 209.1.5.14 echo-reply
        50 deny tcp host 192.168.6.65 host 209.1.5.14 eq www
        60 deny tcp host 192.168.6.66 host 209.1.5.14 eq www
        70 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp
        80 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp-data
        90 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp
        100 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp-data
        190 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp
        200 permit tcp host 192.168.6.66 host 209.1.5.14 eq smtp
        210 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3
        220 permit tcp host 192.168.6.66 host 209.1.5.14 eq pop3

    Hi Techinneed,
    Perhaps you try this.
        10 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp
        20 permit tcp host 192.168.6.66 host 209.1.5.14 eq smtp
        30 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3
        40 permit tcp host 192.168.6.66 host 209.1.5.14 eq pop3
        50 deny ip any any

  • 300-28 Switches ACL Problem (Lack of Hardware Error)

    Hi!
    I am using SG300-28 switches in Layer 3 mode. I have 15 VLANs created and routing. I have 3 ACLs applied on 5 of the VLANs.
    I am facing a problem while adding another ACL on a VLAN interface; the error is "Lack of Hardware resources".
    I don't know what the problem is, and I am worried about it. Please help with this.
    I have also updated my switch to the latest firmware, i.e. 1.4.0.88.

    Hi,
    it seems you've reached the maximum number of ACL entries for the switch (512). Please tell us:
    how many ACLs you have configured in total?
    how many entries each applied access list on your switch has?
    You can also check available resources with the command "show system resources tcam".

  • ACLs on switch Cluster

    Hi all,
    I have previously posted a thread about ACLs on cluster switches.
    However, I am posting again to clarify myself and ask more questions.
    I now know that I cannot apply ACLs per interface, as my switches have the SI and not the EI.
    It is possible, though, to have ACLs applied on the management VLAN.
    Let's say I have 4 switches in a cluster, switch1 to switch4.
    An HTTP proxy is hanging off switch1.
    I want to set up the ACL so that only a few hosts have access to the HTTP proxy.
    I know I have to configure this on VLAN1.
    Will this configuration be propagated to all other switches in the cluster,
    and do I need to enable the ACL on the command switch or just on any switch I want?
    Please shed some light.
    Thanks,
    George

    I'm not really sure what you mean by switch cluster; I believe you are referring to a redundant environment with 4 switches connected and running STP.
    Could you give us the models, and IOS used.
    Also, have you ever heard of VACL? or private-vlans? maybe these will suffice in your case.
    Please let me know.
    Sorry for the lousy english.
    Regards,
    Vlad

  • Extended acl - multiple ports on same acl line

    Hello,
    I'm working on a (long) ACL and have started looking at putting multiple ports on the same line,
    e.g.
    instead of:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80
    permit tcp any host 10.10.10.1 eq 443
    I'd use:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80 443
    It's shortening the ACL considerably, but the question is:
    does this method reduce the TCAM resources required (compared to writing the ACL in long hand)?
    What is the maximum number of ports that can be included on the same line; is it platform/IOS dependent?
    Thanks,
    Andy

    Hello
    No. I went ahead with the ACL with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the TCAM on the switch I got the following output:
    Cisco3750#show platform tcam utilization
    CAM Utilization for ASIC# 0                 Max            Used
                                                Masks/Values   Masks/values
    IPv4 security aces:                         1024/1024      33/33
    Note: Allocation of TCAM entries per feature uses
    a complex algorithm. The above information is meant
    to provide an abstract view of the current TCAM utilization
    As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
    thanks
    Andy

  • How to create an access list on a core switch to block all Internet traffic and allow some specific Internet traffic

    Hello everyone,
    I am trying to create an access list on my core switch in which I want to allow a few Internet websites and block the rest of them.
    I want to allow the whole intranet, but a few intranet hosts also need access to the Internet.
    Can we create such an access list with the above requirement?
    I tried to create the ACL on the switch, but it blocks all Internet access.
    I want to do it for a subnet, not for a specific IP.
    Can someone help me in creating such an access list?
    Thanks in advance.

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit any object-group intranet any
    permit object-group allowed_servers object-group allowed_sites any
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66
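    The first-match, top-down evaluation with an implicit deny that this answer describes, and the multiple-ports-per-ACE form Andy asked about above, as a constructed evaluator (an added example; not code from any post, and the group contents and test addresses are invented):

```python
import ipaddress

# Constructed evaluator for Cisco-style extended ACLs. It applies the rules
# the answer states: top-down, first match wins, implicit "deny ip any any".
# Address specs: any | host A.B.C.D | A.B.C.D WILDCARD (contiguous only) |
# object-group NAME; "eq P1 P2 ..." on the destination takes several ports.

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20}
ANY = ipaddress.ip_network("0.0.0.0/0")

def _parse_addr(tokens, i, groups):
    """Parse one address spec at tokens[i]; return ([networks], next index)."""
    kind = tokens[i]
    if kind == "any":
        return [ANY], i + 1
    if kind == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if kind == "object-group":
        return [ipaddress.ip_network(n) for n in groups[tokens[i + 1]]], i + 2
    # "A.B.C.D WILDCARD": invert the wildcard bits to obtain a netmask
    mask = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{kind}/{ipaddress.ip_address(mask)}", strict=False)
    return [net], i + 2

def parse_ace(line, groups=None):
    """Turn one ACE (optionally prefixed by a sequence number) into a dict."""
    t = line.split()
    if t[0].isdigit():
        t = t[1:]
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2, groups or {})
    dst, i = _parse_addr(t, i, groups or {})
    ports = None
    if i < len(t) and t[i] == "eq":
        ports = {PORT_NAMES[p] if p in PORT_NAMES else int(p) for p in t[i + 1:]}
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port=None, groups=None):
    """Return the action of the first ACE matching the packet, 'deny' if none does."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in (parse_ace(line, groups) for line in acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not any(s in n for n in ace["src"]) or not any(d in n for n in ace["dst"]):
            continue
        if ace["ports"] is not None and dst_port not in ace["ports"]:
            continue
        return ace["action"]  # first match wins; processing stops here
    return "deny"             # implicit deny at the end of every ACL

# Andy's two spellings of one policy: one port per ACE vs. two ports in one ACE.
LONG_HAND = ["permit tcp any host 10.10.10.1 eq 80", "permit tcp any host 10.10.10.1 eq 443"]
ONE_LINE = ["permit tcp any host 10.10.10.1 eq 80 443"]
# Object-group form of the main_acl sketched in the answer; group contents are constructed.
GROUPS = {"intranet": ["10.0.0.0/8"], "allowed_servers": ["10.1.1.10/32"],
          "allowed_sites": ["203.0.113.0/24"]}
MAIN_ACL = ["permit ip object-group intranet object-group intranet",
            "permit ip object-group allowed_servers object-group allowed_sites"]

if __name__ == "__main__":
    for acl in (LONG_HAND, ONE_LINE):
        print([evaluate(acl, "tcp", "192.0.2.5", "10.10.10.1", p) for p in (80, 443, 22)])
    print(evaluate(MAIN_ACL, "tcp", "10.1.1.10", "203.0.113.7", 443, GROUPS))  # permit
    print(evaluate(MAIN_ACL, "tcp", "10.1.1.11", "203.0.113.7", 443, GROUPS))  # deny
```

    Both spellings of Andy's ACL give identical verdicts for every packet, so the choice only affects readability and TCAM usage; the object-group ACL shows a non-listed intranet host falling through to the implicit deny.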

  • Managing vty ACLs with Prime Infrastructure?

    I have a number of devices -- various models of Nexus, (2k - 7k), 6500s and some 1U stackables.
    I'm trying to come up with a good way to leverage PI (2.1) to apply a vty ACL to the switches. There does not appear to be a template for this. The problem of course is not only the order of operation (remove ACL from vty if there is one so Prime doesn't lock itself out, only then do the rest of the stuff) but that the syntax seems to differ very aggravatingly -- some require "line vty 0 1509," some "line vty 0 1510," some platforms accept named ACLs for vty ACLs, some don't...
    Any tips, tricks, or best practices on how to install and update vty ACLs on IOS and/or NX-OS devices with Prime Infrastructure?

    I am also interested in this topic. We have vty ACLs in place but with different names. Would like to be able to find and update the ACL's and vty config. Using PI 2.1.

  • ACL strange behaviour

    Hello,
    I've inherited an old Win 2000 server. On it there are several shares that I'm forced to move to a 10.6.7 server. I've added this 10.6 server to the AD and moved those shares onto it, and I've assigned the necessary ACLs on them. It's something simple: two "deny write" for a couple of users and "allow read/write" for some groups, followed by a propagate ACL. But I've noticed from Server Admin that after manipulating them with AD users from a Win 7 client, touched files start to gain odd ACL permissions, "inherited" switches to "Custom" and from time to time even a POSIX "no access" for a single AD user, based on the last user access on the file concerned.
    The time of last modification and of last permission change coincide (observation based on the ls command).
    Any idea about the origin of this behaviour?
    Thanks in advance

    Unfortunately nothing changes..
    I've done some new tests creating new shares under 10.6 and applying ACLs for AD users and groups on them, but I still have odd behaviors opening and modifying files from Windows clients. Especially Allow-Read seems to be ignored (the affected user in Windows can modify the file; under OS X it works as intended).
    Then I built an OD on this 10.6 server, created a bunch of users and tried the same things. With OD users the ACL behavior is correct (both Win and OS X clients).
    By the way, is there some trick to avoid inherited ACLs switching to "Custom", or POSIX ACLs being automatically generated on files opened by users? I find it disturbing. I'd like to have only inherited ACLs.

  • About 2950 acl configuration

    I have a C2950 and want to configure an ACL. I enter interface mode and issue the IP ACCESS-GROUP command, but the system prompts that there is no such command. What can I do? Please help me. The output of the show ver command follows.
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Compiled Fri 21-Oct-05 02:22 by yenanh
    Image text-base: 0x80010000, data-base: 0x80676000
    ROM: Bootstrap program is C2950 boot loader
    tycib_sw29_f2office2 uptime is 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2950-i6k2l2q4-mz.121-22.EA6.bin"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco WS-C2950-24 (RC32300) processor (revision R0) with 19973K bytes of memory.
    Processor board ID FOC0935Z7SN
    Last reset from system-reset
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:15:62:63:5D:C0
    Motherboard assembly number: 73-5781-13
    Power supply part number: 34-0965-01
    Motherboard serial number: FOC09343GDK
    Power supply serial number: DAB0930DP48
    Model revision number: R0
    Motherboard revision number: A0
    Model number: WS-C2950-24
    System serial number: FOC0935Z7SN
    Configuration register is 0xF

    Hi There,
    Your switch, WS-C2950-24, is a switch with the standard image, i.e. SMI. This image does not support ACLs, and that's why it's not working. You would need a 2950 with the EMI to run ACLs. This switch is not upgradable to EMI, so you really cannot use ACLs on this :(.
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb71.html
    regards,
    -amit singh

  • ACL--- ISE

    Hi Team!!
    In ISE, can a static ACL be applied dynamically to a switch interface? I.e. if a port on a switch which is allocated to a printer becomes active but no certificate is received by ISE, then ISE will push an ACL to the switch port to only allow printer traffic. This could possibly get around MAC authentication bypass.
    Cheers!!
    Minakshi

    Hello Minakshi-
    You can definitely accomplish this by:
    1. Configure the switch to support both mab and dot1x
    2. Configure ISE for mab and dot1x
    3. Configure a printer specific "dACL" in ISE
    4. Configure a printer specific "Authorization Profile" in ISE and attach the dACL created in step #3 to it
    5. Test :)
    Thank you for rating helpful posts! 

  • SRW2024 - ip and Mac based ACL

    Hi!
    I'm trying to set up MAC and IP based ACLs on our switches, with no success.
    Port 22 is our WAN port.
    I'm trying to stop IP 192.168.0.53 from reaching the Internet,
    but I need to let all other traffic pass.
    With an IP rule with Deny 192.168.0.53, wildcard mask 0.0.0.0,
    and the ACL bound to port g22,
    the problem is that it stops all traffic.
    What am I missing? I'm trying to do this with a MAC ACL too, with the same results.
    /J

    Hi!
    OK, I placed a new rule after the block rule:
    permit any ip 192.168.0.0, wildcard mask 255.255.255.255.
    Now it lets all traffic pass, including the one I blocked in the first rule!
    I'm still missing something!
    /J
