ACLs on switches.
I have 5 subnets from my ISP. I want to use a switch for routing, a 2960 or SF300-24P. I just want to route one inside network to one outside subnet. A point-of-sale system is set up on one static IP; this VLAN would just need to connect to the one subnet on the outside. If I turn on IP routing and create SVIs, this will route between all subnets. I also have a public, employee and management VLAN. They are on separate static IP addresses.
The three local networks will use private IP addressing. How do I translate between the local private IP addresses and the designated address from the service provider?
An example: I want the 192.168.1.0 network in VLAN 100 to route only to ISP address 1,
192.168.2.0 in VLAN 200 to route only to ISP address 2,
192.168.3.0 in VLAN 300 to route only to ISP address 3.
The issue is I can't have VLAN 200 or VLAN 300 communicate with ISP address 1 or VLAN 100.
How can I do this with a Catalyst 2960 with LAN Base firmware?
Thanks
Are you sure these are the only things you want to route?
If yes, then a 2960 can do limited static routes if you upgrade to 12.2(55)SE2 and later. You can enable routing if you change the SDM template to route.
Similar Messages
-
How to put a comment(remark) into a certain line in ACL on L3 switch
hello all,
Am I correct that for comments in access lists on L3 switches only very limited functionality is provided, so that it is possible only to put a remark at the end of the existing rule list, and there is no way to put a comment at a defined line other than reapplying the whole access list?
(config-ext-nacl)#remark ?
LINE Comment up to 100 characters
<cr>
Maybe other commands exist, or special applications that can help with such an important matter?
You're correct. Remark entries will be added in the order that you enter them, but can't be inserted with a sequence number. Any time I've needed to make changes to ACL remarks, the ACL has had to be deleted and re-created with the new entries.
-
Hi ,
We have a Cisco 4506 switch with IOS version 12.2(50)SG1. I would like to know whether any later IOS version will support a redirect ACL with a deny statement for WCCP on a client interface.
Switch details:
cisco WS-C4506-E (MPC8245) processor (revision 7) with 524288K bytes of memory.
Processor board ID FOX1407G5P7
MPC8245 CPU at 333Mhz, Supervisor IV
Last reset from Reload
5 Virtual Ethernet interfaces
192 FastEthernet interfaces
26 Gigabit Ethernet interfaces
403K bytes of non-volatile configuration memory.
Regards,
Bala
Hey CJ,
Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
Hope this helps!
-Chet -
Recommendation on having ACL on the switch or on the FW?
Hi There,
I have a setup of a core switch connected through a trunk link to a PIX 535 FW; currently I have 150 users and the PIX is doing the ACLs between the different VLANs. However, in the future the organization will grow to 2000+ users and I'm afraid of performance degradation on the FW side if we keep the ACLs there.
From a security perspective, is it better to keep the ACLs managed by the PIX FW and not by the core switch? And from a performance perspective, is it recommended in my scenario to move the ACLs to the core switch so the performance of the PIX doesn't get degraded?
Also, my core switch is 4 x Catalyst 3750 switches stacked together; will there be any performance problems when my organization grows to 2000+ users with this type of switch? (i.e. should we consider moving to a higher-end model like the 4500 series or 6500 series?)
Appreciate your feedback.
Thanks,
Haitham
Hi Haitham,
The Cisco 3750 is designed for small and medium-sized networks. Since you say your network is going to grow to 2000+ users, you need to consider going for either 4500 or 6500 series switches; you can also put the access-lists on these switches and performance will not be affected. Deciding on the switch should also take into account what type of applications are going to run on the network. Let's say that if you are using it for audio/video applications with more than 2000 users, you should really go for the 6500 series switches, because the file sizes of these applications will be huge.
Hope this helps.
Rate this post if it cleared things up; if not, please let me know. -
Reflexive ACL on a switch interface
Is there any reason a reflexive ACL will not work on a switch port? I see that most examples pertain to routers. We have a 4510 with a Sup 6. I have not tried it yet, but here is the config I came up with:
! Sessions leaving through g1/48 create temporary reflexive entries
ip access-list extended internal_acl
 permit tcp any any reflect tcptraff
 permit udp any any reflect udptraff
 permit icmp any any reflect icmptraff
! Only return traffic matching those entries is allowed back in
ip access-list extended external_acl
 evaluate tcptraff
 evaluate udptraff
 evaluate icmptraff
 deny ip any any
! g1/48 is assumed to be the port facing the "outside" of the hidden hosts
interface GigabitEthernet1/48
 ip access-group internal_acl out
 ip access-group external_acl in
Does this look like it will work? Given that the 4510 can't do NAT, I need to "hide" what is connected to this particular switch interface. Suggestions?
Poiro
There are 2 good basic documents on this topic:
"How To Calculate Bandwidth Utilization Using SNMP"
"SNMP Counters: Frequently Asked Questions"
Basically, what you have to do is poll ifHCInOctets and ifHCOutOctets (from the IF-MIB ifXTable, e.g. ifHCInOctets = .1.3.6.1.2.1.31.1.1.1.6)
and do some calculation to get bps. This thread gives a good example.
There are 2 MIB objects which give directly what you want, but they are deprecated and have 32-bit counters, so they are not of practical use for high-speed (Gig) interfaces:
locIfInBitsSec 1.3.6.1.4.1.9.2.2.1.1.6
locIfOutBitsSec 1.3.6.1.4.1.9.2.2.1.1.8
Typically you will poll these values with SNMP instead of having them sent; for 64-bit counters (ifHCInOctets) you'll have to use SNMPv2c or SNMPv3. -
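The calculation the reply above describes, as an added example that is not code from the thread or from the Cisco documents it cites: it turns two polls of ifHCInOctets/ifHCOutOctets into a bit rate, handles a single counter wrap, and shows the counter-width caveat (a 32-bit octet counter wraps in roughly 34 s on a saturated gigabit link, so a poll interval longer than that makes the delta ambiguous). The poll samples at the bottom are constructed, not taken from a live device.

```python
"""Bit rate and utilization from two SNMP polls of interface octet counters.

Added example, not code from the thread or the Cisco documents it cites.
It does the arithmetic the reply describes (delta of ifHCInOctets /
ifHCOutOctets over the poll interval, times 8) and shows why 32-bit
counters are unusable on gigabit links. SAMPLE_POLLS is constructed data.
"""

IF_HC_IN_OCTETS = ".1.3.6.1.2.1.31.1.1.1.6"    # IF-MIB::ifHCInOctets  (Counter64)
IF_HC_OUT_OCTETS = ".1.3.6.1.2.1.31.1.1.1.10"  # IF-MIB::ifHCOutOctets (Counter64)

COUNTER_MODULUS = {32: 2 ** 32, 64: 2 ** 64}


def counter_delta(prev, curr, width=64):
    """Octets counted between two samples, allowing for at most one wrap."""
    modulus = COUNTER_MODULUS[width]
    if not (0 <= prev < modulus and 0 <= curr < modulus):
        raise ValueError("counter value out of range for the given width")
    return (curr - prev) % modulus


def bits_per_second(prev_octets, curr_octets, interval_s, width=64):
    """Average bit rate over the interval between two octet-counter samples."""
    if interval_s <= 0:
        raise ValueError("poll interval must be positive")
    return counter_delta(prev_octets, curr_octets, width) * 8 / interval_s


def utilization_percent(bps, if_speed_bps):
    """Link utilization; on fast links take the speed from ifHighSpeed (Mbit/s) * 1e6."""
    return 100.0 * bps / if_speed_bps


def max_safe_poll_interval_s(if_speed_bps, width=32):
    """Longest poll interval that still sees every wrap at line rate.

    Polling less often than this lets the counter wrap twice between samples,
    which is indistinguishable from wrapping once: the reply's point about
    32-bit counters on Gig ports.
    """
    return COUNTER_MODULUS[width] * 8 / if_speed_bps


def rates_from_polls(samples, width=64):
    """samples: list of (unix_time, in_octets, out_octets) from successive polls.

    Returns one (in_bps, out_bps) pair per interval between consecutive polls.
    """
    rates = []
    for (t0, in0, out0), (t1, in1, out1) in zip(samples, samples[1:]):
        dt = t1 - t0
        rates.append((bits_per_second(in0, in1, dt, width),
                      bits_per_second(out0, out1, dt, width)))
    return rates


# Constructed sample: two polls 30 s apart on a gigabit port, 64-bit counters
# (37.5 MB in / 7.5 MB out over 30 s = 10 Mbit/s in, 2 Mbit/s out).
SAMPLE_POLLS = [
    (1_700_000_000, 1_000_000, 500_000),
    (1_700_000_030, 1_000_000 + 37_500_000, 500_000 + 7_500_000),
]

if __name__ == "__main__":
    for in_bps, out_bps in rates_from_polls(SAMPLE_POLLS):
        print(f"in {in_bps / 1e6:.1f} Mbit/s "
              f"({utilization_percent(in_bps, 1e9):.2f}% of 1G), "
              f"out {out_bps / 1e6:.1f} Mbit/s")
    print(f"32-bit counter can wrap every {max_safe_poll_interval_s(1e9):.1f} s at 1 Gbit/s")
```

With a real poller the two tuples in SAMPLE_POLLS would come from snmpget of the two OIDs above (SNMPv2c or v3, since Counter64 does not exist in v1); the rest of the code is the same.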
Need ACL Assistance on Switch/Router
Hello all,
I am learning how to write ACLs, and one of the exercises is that I have to write an ACL to restrict PING, HTTP and FTP, and allow POP3 and SMTP, between a PC and a server. Below is my ACL. The thing that does not work is the POP3/SMTP access. It continues to fail. I do not want to just add a "permit ip any any" to make it work. Can someone help? Thanks!
PC1: 192.168.6.65
PC2: 192.168.6.66
Svr1: 209.1.5.14
10 deny icmp host 192.168.6.65 host 209.1.5.14 echo
20 deny icmp host 192.168.6.65 host 209.1.5.14 echo-reply
30 deny icmp host 192.168.6.66 host 209.1.5.14 echo
40 deny icmp host 192.168.6.66 host 209.1.5.14 echo-reply
50 deny tcp host 192.168.6.65 host 209.1.5.14 eq www
60 deny tcp host 192.168.6.66 host 209.1.5.14 eq www
70 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp
80 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp-data
90 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp
100 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp-data
190 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp
200 permit tcp host 192.168.6.66 host 209.1.5.14 eq smtp
210 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3
220 permit tcp host 192.168.6.66 host 209.1.5.14 eq pop3
Hi Techinneed,
Perhaps you try this.
10 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp
20 permit tcp host 192.168.6.66 host 209.1.5.14 eq smtp
30 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3
40 permit tcp host 192.168.6.66 host 209.1.5.14 eq pop3
50 deny ip any any -
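To see why both versions of this ACL behave as they do, here is a small first-match, stateless ACL evaluator as an added example (not code from the post or the reply). It implements the IOS rules the thread relies on (top-down, first matching ACE wins, implicit deny at the end) for the ACE subset used here, and traces both directions of one SMTP session between the poster's PC1 and Svr1. The server's reply packet, the ephemeral client port and the "established" return ACL are my assumptions for the trace, not from the thread.

```python
"""First-match, stateless ACL evaluator for the ACL in this thread.

Added example, not code from the post or its reply. It implements the IOS
semantics the reply relies on (top-down, first match wins, implicit deny at
the end) for the ACE subset used here, and traces both directions of one
SMTP session to show why a stateless ACL must also cover the return path.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}
IMPLICIT_DENY = "<implicit deny ip any any>"


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    icmp_type: str = ""  # "echo", "echo-reply", ...
    ack: bool = False    # TCP ACK/RST set, which is what "established" tests


def _addr(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1]), i + 2
    # ipaddress accepts a contiguous wildcard (hostmask) in place of a prefix length
    return ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse '[seq] permit|deny PROTO SRC DST [eq PORT] [ICMP-TYPE] [established]'."""
    toks = line.split()
    if toks[0].isdigit():
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    src, i = _addr(toks, 2)
    dst, i = _addr(toks, i)
    port = icmp_type = None
    established = False
    while i < len(toks):
        if toks[i] == "eq":
            port = PORTS.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
        elif toks[i] == "established":
            established, i = True, i + 1
        else:
            icmp_type, i = toks[i], i + 1
    return action, proto, src, dst, port, icmp_type, established


def matches(ace, pkt):
    """True if the packet matches every field the ACE specifies."""
    _, proto, src, dst, port, icmp_type, established = ace
    return (proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in src and ip_address(pkt.dst) in dst
            and (port is None or pkt.dport == port)
            and (icmp_type is None or pkt.icmp_type == icmp_type)
            and (not established or pkt.ack))


def evaluate(acl, pkt):
    """Return (action, ace_text) of the first matching ACE, else the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace[0], line
    return "deny", IMPLICIT_DENY


PC1, SVR = "192.168.6.65", "209.1.5.14"

# The poster's ACL (PC2's mirror-image lines omitted for brevity).
ORIGINAL_ACL = [
    "10 deny icmp host 192.168.6.65 host 209.1.5.14 echo",
    "20 deny icmp host 192.168.6.65 host 209.1.5.14 echo-reply",
    "50 deny tcp host 192.168.6.65 host 209.1.5.14 eq www",
    "70 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp",
    "80 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp-data",
    "190 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp",
    "210 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3",
]
# The reply's permit-then-deny version.
SUGGESTED_ACL = [
    "10 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp",
    "30 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3",
    "50 deny ip any any",
]
# Assumed (not from the thread): what the server-to-client direction needs if
# the same interface also filters replies: only packets of sessions PC1 opened.
RETURN_ACL = ["permit tcp host 209.1.5.14 host 192.168.6.65 established"]


def smtp_round_trip(acl):
    """(action for PC1's SYN to port 25, action for the server's reply) under one ACL."""
    syn = Packet("tcp", PC1, SVR, dport=25)
    reply = Packet("tcp", SVR, PC1, dport=49152, ack=True)  # ephemeral client port, assumed
    return evaluate(acl, syn)[0], evaluate(acl, reply)[0]
```

Both the original and the suggested ACL permit the client's SYN and drop the server's reply (the original via the implicit deny, the suggested one via its explicit "deny ip any any"), so if the ACL sits where it sees both directions, mail fails either way; the poster's own "deny icmp ... echo-reply" lines suggest it does. A stateless ACL needs a separate return-path ACE such as RETURN_ACL, or the ACL has to be applied only in the client-to-server direction.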
300-28 Switches ACL Problem (Lack of Hardware Error)
Hi!
I am using SG300-28 switches in Layer 3 mode. I have 15 VLANs created and routing. I have 3 ACLs applied on 5 of the VLANs.
I am facing a problem while adding another ACL on a VLAN interface; the error is "Lack of Hardware resources".
I don't know what the problem is, and I am worried about it. Please help with this.
I have also updated my switch to the latest firmware, i.e. 1.4.0.88.
Hi,
It seems you've reached the maximum number of ACL entries for the switch (512). Please tell us:
how many ACLs you have configured in total?
how many entries have each applied access list on your switch?
you can also check available resources with command "show system resources tcam" -
Hi all,
I have previously posted a thread about ACLs on cluster switches.
However, I am posting again to clarify myself and ask more questions.
I now know that I cannot apply ACLs per interface as my switches have the SI and not the EI.
It is possible, though, to have ACLs applied on the management VLAN.
Let's say I have 4 switches in a cluster, switch1-switch4.
An HTTP proxy is hanging off switch1.
I want to set up the ACL so that only a few hosts have access to the HTTP proxy.
I know I have to configure this on VLAN 1.
Will this configuration be propagated to all other switches in the cluster,
and do I need to enable the ACL on the command switch or just on any switch I want?
Please shed some light.
Thanks,
George
I'm not really sure what you mean by switch cluster; I believe you are referring to a redundant environment with 4 switches connected and running STP.
Could you give us the models and IOS used?
Also, have you ever heard of VACLs or private VLANs? Maybe these will suffice in your case.
Please let me know.
Sorry for the lousy english.
Regards,
Vlad -
Extended acl - multiple ports on same acl line
hello
I'm working on a (long) ACL and have started looking at putting multiple ports on the same line,
e.g.
instead of:
ip access-list extended test3
 permit tcp any host 10.10.10.1 eq 80
 permit tcp any host 10.10.10.1 eq 443
I'd use:
ip access-list extended test3
 permit tcp any host 10.10.10.1 eq 80 443
It's shortening the ACL considerably, but the question is:
does this method reduce the TCAM resources required (compared to writing the ACL out in longhand)?
What is the maximum number of ports that can be included on the same line; is it platform/IOS dependent?
thanks
Andy
Hello
No. I went ahead with the ACL with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the TCAM on the switch I got the following output:
Cisco3750#show platform tcam utilization
CAM Utilization for ASIC# 0                    Max            Used
                                          Masks/Values    Masks/values
 IPv4 security aces:                        1024/1024          33/33
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
thanks
Andy -
Hello Everyone,
I am trying to create an access-list on my core switch in which I want to allow a few Internet websites and block the rest of them.
I want to allow the whole intranet, but a few intranet hosts also need access to the Internet.
Can we create such an access-list with the above requirement?
I tried to create the ACL on the switch but it blocks all Internet access.
I want to do it for a subnet, not for a specific IP.
Can someone help me in creating such an access list?
Thanks in advance
The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
object-group network intranet
 ! internal prefixes, one "<network> <mask>" line each
object-group network allowed_servers
object-group network allowed_sites
ip access-list extended main_acl
 permit ip any object-group intranet
 permit ip object-group allowed_servers object-group allowed_sites
interface vlan
 ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
Managing vty ACLs with Prime Infrastructure?
I have a number of devices -- various models of Nexus, (2k - 7k), 6500s and some 1U stackables.
I'm trying to come up with a good way to leverage PI (2.1) to apply a vty ACL to the switches. There does not appear to be a template for this. The problem of course is not only the order of operation (remove ACL from vty if there is one so Prime doesn't lock itself out, only then do the rest of the stuff) but that the syntax seems to differ very aggravatingly -- some require "line vty 0 1509," some "line vty 0 1510," some platforms accept named ACLs for vty ACLs, some don't...
Any tips, tricks, or best practices on how to install and update vty ACLs on IOS and/or NX-OS devices with Prime Infrastructure?
I am also interested in this topic. We have vty ACLs in place but with different names. I would like to be able to find and update the ACLs and vty config. Using PI 2.1.
-
Hello,
I've inherited an old Win 2000 server. On it there are several shares that I'm forced to move to a 10.6.7 server. I've added this 10.6 server to the AD and moved those shares onto it, and I've assigned the necessary ACLs on them. It's something simple: two "deny write" entries for a couple of users and "allow read/write" for some groups, followed by a propagate of the ACL. But I've noticed from Server Admin that after manipulating AD users from a Win 7 client, files touched start to gain odd ACL permissions: "inherited" switches to "Custom" and from time to time even a POSIX "no access" for a single AD user, based on the last user to access the file concerned.
Time of last modification and last permission change coincide (observation based on the ls command).
Any idea about the origin of this behaviour?
Thanks in advance
Unfortunately nothing changes.
I've done some new tests creating new shares under 10.6 and applying ACLs for AD users and groups to them, but I still have odd behaviour opening and modifying files from Windows clients. Especially Allow-Read seems to be ignored (the affected user in Windows can modify the file; under OS X it works as intended).
Then I built an OD on this 10.6 server, created a bunch of users and tried the same things. With OD users I get correct behaviour under the ACLs (both Windows and OS X clients).
By the way, is there some trick to avoid the inherited ACL switching to "Custom", or the POSIX ACL automatically generated on files opened by users? I find it disturbing. I'd like to have only the inherited ACL. -
I have a C2950 and want to configure an ACL. I enter interface mode and issue the IP ACCESS-GROUP command, but the system says there is no such command. What can I do? Please help me. Issuing the show ver command gives the message below.
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 21-Oct-05 02:22 by yenanh
Image text-base: 0x80010000, data-base: 0x80676000
ROM: Bootstrap program is C2950 boot loader
tycib_sw29_f2office2 uptime is 3 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6k2l2q4-mz.121-22.EA6.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco WS-C2950-24 (RC32300) processor (revision R0) with 19973K bytes of memory.
Processor board ID FOC0935Z7SN
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:15:62:63:5D:C0
Motherboard assembly number: 73-5781-13
Power supply part number: 34-0965-01
Motherboard serial number: FOC09343GDK
Power supply serial number: DAB0930DP48
Model revision number: R0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FOC0935Z7SN
Configuration register is 0xF
Hi There,
Your switch, the WS-C2950-24, is a switch with the standard image, i.e. SMI. This image does not support ACLs and that's why it's not working. You would need a 2950 with the EMI to run ACLs. This switch is not upgradable to EMI, so you really cannot use ACLs on it :(.
http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb71.html
regards,
-amit singh -
Hi Team!!
In ISE, can a static ACL be applied dynamically to a switch interface? I.e. if a port on a switch which is allocated to a printer becomes active but no certificate is received by ISE, then ISE would push an ACL to the switch port to only allow printer traffic. This could possibly get around MAC authentication bypass.
Cheers!!
Minakshi
Hello Minakshi-
You can definitely accomplish this by:
1. Configure the switch to support both mab and dot1x
2. Configure ISE for mab and dot1x
3. Configure a printer specific "dACL" in ISE
4. Configure a printer specific "Authorization Profile" in ISE and attach the dACL created in step #3 to it
5. Test :)
Thank you for rating helpful posts! -
SRW2024 - ip and Mac based ACL
Hi!
I'm trying to set up MAC- and IP-based ACLs on our switches with no success.
Port 22 is our WAN port.
I'm trying to stop IP 192.168.0.53 reaching the Internet,
but I need to let all other traffic pass.
With an IP rule of Deny 192.168.0.53 wildcard mask 0.0.0.0
and the ACL bound to port g22,
the problem is that it stops all traffic.
What am I missing? I'm trying to do this with a MAC ACL too, with the same results.
/J
Hi!
OK, I placed a new rule after the block rule:
permit any ip 192.168.0.0 wildcard mask 255.255.255.255
Now it lets all traffic pass, including the one I blocked in the first rule!
I'm still missing something!
/J