Extended ACL - Switch

1x Catalyst 3560.
GUEST VLAN
STAFF VLAN
I have 2 separate VLANS.
Requirement:
Guest Vlan deny access to Staff Vlan. Staff Vlan permit access to Guest Vlan.
Is this setup possible?
Apparently im able to deny access from guest->staff, but not vice versa.
GUEST VLAN
STAFF VLAN

Read the below helpfull info:-
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
HTH>

Similar Messages

  • Catalyst 3560 Extended ACLs

    I have a VoIP / QoS situation I just discovered on the Cat 3560's. In this case, a particular manufacturer's IP Phones do not tag CoS or DSCP. As such, I have defined extended ACL's/Policies on the Cat 3560 switches to detect and mark traffic from the IP Phones. My policies are designed to identify and mark Call Bearer with DSCP 46 and Call Control traffic with DSCP 26 based upon source address and UDP port. What I see however, is that all VoIP traffic is marked at DSCP 46, and nothing is marked at 26. (It's not so bad having control and bearer marked with DSCP EF, but I like to put call control in a different queue when possible.)
    I am looking for confirmaton of the following theory. I suspect that the 3560's ((C3560-IPBASEK9-M), Version 12.2(25)SED) are not layer 4 aware, thus extended access lists function only as standard access lists - (even though the switch allows me to create an extended ACL). As such, my attempt to identify call bearer and call signalling based upon UDP port will not work.
    Below is the ACL / Policy config. Note that on downstream routers, I only see DSCP 46 and never match DSCP 26 (af31). From the switch, using "sh mls qos interface statistics", I see no traffic with DSCP 26 at all (output attached).
    I believe this is because the switch is only reading the layer 3 portion of the ACL. Since both ACL 101 and ACL 102 have the same layer 3 source adress, then all classified traffic will match class "IngressVoiceBearer" and get marked with 46.
    access-list 101 remark Voice Bearer Signalling
    access-list 101 permit udp 192.168.100.0 0.0.0.255 any eq 5004
    access-list 102 remark Call Control Signalling (udp 5440-5445)
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5440
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5441
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5442
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5443
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5444
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5445
    class-map match-any IngressCallControlSignalling
    match access-group 102
    class-map match-any IngressVoiceBearer
    description All Inbound Voice Bearer traffic on UDP 5004
    match access-group 101
    policy-map IngressVoIP
    class IngressVoiceBearer
    set dscp ef
    class IngressCallControlSignalling
    set dscp af31
    class class-default
    set dscp default
    Switch Output:
    switch#sh mls qos int g0/1 statistics
    GigabitEthernet0/1
    dscp: outgoing
    0 - 4 : 12359302 0 0 0 0
    5 - 9 : 0 0 0 0 0
    10 - 14 : 0 0 0 0 0
    15 - 19 : 0 0 0 0 0
    20 - 24 : 0 0 0 0 0
    25 - 29 : 0 0 0 0 0
    30 - 34 : 0 0 0 0 0
    35 - 39 : 0 0 0 0 0
    40 - 44 : 0 0 0 0 0
    45 - 49 : 0 1837749 0 9716 0
    50 - 54 : 0 0 0 0 0
    55 - 59 : 0 0 0 0 0
    60 - 64 : 0 0 0 0

    Are the ports correct for the call control ACL? In the Cisco VoIP world we use an ACL like this for call control:
    ip access-list extended VOICE-CONTROL
    permit tcp any any range 2000 2002
    permit tcp any range 2000 2002 any
    permit tcp any any range 11000 11999
    permit tcp any any range 1718 1720
    permit udp any any range 1718 1719
    permit udp any any range 2427 2428
    permit tcp any any range 2443 2445
    permit tcp any any range 5555 5599
    But Cisco uses different protocols. Your ACL is configured correctly and the 3560 is supposed to support extended ACLs. Does your 3560 have an enhanced image or a standard image?
    Are these Avaya phones? I have had to do software updates on Avaya phones to get them to behave correctly.
    -Mark

  • Standard and Extended ACLs?

    I just want to know that if extended IP access lists can do all tasks, I mean extended access lists have a lot of controlling parameters, then why people use Standard Access lists instead of Extended access lists.
    I just want to know that in which scenario we should use STD ACLs instead of EXTD ACLs, what special advantage of using STD over EXTD ACLs,
    Please reply.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    To summarize what the other posters have already noted, the two principle reasons why one might use a standard ACL (which could also be functionally accomplished) by an extended ACL are 1) some commands that rely on ACLs might still only support standard ACLs (more likely in older IOS versions) and 2) a standard ACL might be just a little clearer to understand.
    Another (hopefully needless) reason why you might want to use a standard ACL, when an extended ACL would do, could be the device's processing performance might be better with a standard ACL.
    Logically the standard ACL ACE:
    access-list 10 permit host 1.1.1.1
    should be the same as this extended ACL ACE:
    permit ip host 1.1.1.1 any
    But a "dumb" implementation of processing the extended ACL might wildcard compare the destination IP and other optional parameters while the standard ACL only examines the source IP.  Should this happen?  No, but such might happen because of different generations of code and/or different teams working on ACL processing.
    BTW, if there is a significant performance difference, it's just as possible extended works better.
    Again, this is very extreme and unlikely, but this could be a reason to use one form of ACL vs. the other when both can provide the same filtering.  (Also, if this is "discovered", it's very likely to be very device and IOS version specific.  Personally I would consider taking "advantage" of such a discovery poor practice, except in extreme situations.)

  • WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection

    I've come across a number of implementations where the ACL's associated with services 61 & 62 are using extended access-list. I am writing with specific reference to wccp configured in promiscuous mode.
    Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP - then is there really a need for extended acls for redirection?. Furthermore, in a simple implementation you do not need separate acls linked to 61 & 62 - i don't think so.
    Standard acls parse the filteration process more quickly than extended.
    thanks
    Ajaz

    The extended access-lists are used because some TCP traffic does not to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for any application and need to be excluded from redirection. Besides that standard access-lists can be used.

  • Extended ACL permit ip and allowed ports

                       Hi everyone
    Need to confirm if we have extended ACL with object group below
    access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
    will above ACL allow all the ports  on the destination object group?
    Thanks
    mahesh

    And to illustrate the situation above
    Situation 1 - Only allow rule exists on the ACL
    object-group network SOURCE
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    object-group network DESTINATION
    network-object 10.10.100.0 255.255.255.0
    network-object 10.10.200.0 255.255.255.0
    access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
    The above ACL would
    Allow ALL TCP/UDP source and destination ports
    Allow those from the source networks of SOURCE to the destination networks of DESTINATION
    Situation 2 - Deny rules exist before the allowing rule
    object-group network SOURCE
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    object-group network DESTINATION
    network-object 10.10.100.0 255.255.255.0
    network-object 10.10.200.0 255.255.255.0
    access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
    access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
    access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
    The above ACL would
    First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
    It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
    It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
    The key thing to notice ofcourse would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
    So host 10.10.10.10 cant communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
    In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT rest of the TCP/UDP traffic would be allowed by the rule using the "object-group"
    - Jouni

  • Extended ACL Issue

    I have a question, I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in the one exercise I am doing.
    I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud") PC1 is connected to R1 which is obviously connected to R2.
    ip-access-list extended ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
    permit tcp any any established
    Is there a better way to do this? Does this extended ACL work for my purpose?

    What direction did you apply this? I'm assuming in the inbound direction?
    Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
    Try the following:
    ip access-list ext ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
    Apply to your loopback:
    ip access-group ACL_TCP in
    Next question:
    Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?
    HTH,
    John

  • Applying Extended ACL close to Destination

                       Hi Everyone,
    Need to share something here.Mostly we use extended ACL close to the source.
    Here is this scenario i need to use the extended ACL  close to destination to fix the issue.
    Here is info
    Server 1  connected to interface X  ASA1  it has wan connection to ASA2---ASA2 has connection to ASA3.
    Now  ASA3 is learning source server IP via its Y interface.
    In order to reach the destination server ASA3  has to through its interface Z.
    Now there was ACL  on ASA3 which denies traffic from source server IP  to destination IP on interface Y.
    I apply the ACL  on ASA3 to allow the traffic and it worked.
    Dooes someone elase also has seen this behaviour?
    Regards
    Mahesh

    Hi,
    The thing depends on the fact if I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allow that traffic. Even if the first ASA1 allows this connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesnt allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesnt mean that it would reach its destination as there are differen firewalls on the way.
    Just as an example I could mention one real life setup that I manage.
    The setup contains 4 firewalls always (at minimum)
    One is customer firewall/vpn device
    One is our vpn device
    One is our firewall device
    One is our partner firewall device
    This means essentially that for the Customer to reach the Partner sites servers the traffic has to go through 4 firewalls atleast. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allows the traffic as Our firewalls dont do any access control (just provide the connectivity between sites)
    - Jouni

  • Use extended ACL with NAT

    Believe it or not, once in a while, i fumble with some basic concepts. Here is one, on our perimeter FW, ASA, there are these NATTING configured.
    I just couldnt figure out why they use extended ACL for the sources? isnt the standard one good enough?
    thanks in advance,
    Han                  
    access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
    access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
    global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
    global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
    nat (inside) 0 access-list inside_nat0_outbound_5
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 2 0.0.0.0 0.0.0.0

    Hi Han,
    If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.
    standard ACL:
    access-list 10 standard permit ip 172.16.0.0
    Extended ACL:
    access-list abc permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80
    This is how it differs. In your scenario destination is specific rather the source is any. So you have the extended ACL in picture for that. Hope this clears you.
    Please do rate if the given information helps.
    By
    Karthik

  • Extended acl - multiple ports on same acl line

    hello
    i'm working on a (long) acl and have started looking at putting multiple ports on the same line
    e.g.
    instead of:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80
    permit tcp any host 10.10.10.1 eq 443
    i'd use:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80 443
    its shortening the acl considerably but the question is:
    does this method reduce the TCAM resources required (compared to writing the acl in long hand)?
    what are the maximum number of ports that can be included on the same line - is it platform/ios dependant?
    thanks
    andy

    Hello
    No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:
    Cisco3750#show platform tcam utilization
    CAM Utilization for ASIC# 0                      Max            Used
                                                             Masks/Values    Masks/values
    IPv4 security aces:                          1024/1024         33/33
    Note: Allocation of TCAM entries per feature uses
    a complex algorithm. The above information is meant
    to provide an abstract view of the current TCAM utilization
    As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
    thanks
    Andy

  • Extended ACL TCP port control

    Hi all,
    I have configured an acl to control traffic going in/out of an interface via tcp ports. However, after applying the acl to the interface, i find that eventhough ports are allowed, traffic is blocked by the acl.
    I suspected that it could be the initial tcp handshake (SYN, SYNACK, ACK etc) is not being allowed (due to the implicit deny). When i included that in the acl, it worked. Is this a necessary step in an acl that controls by tcp port?
    Reason is, some of the acl configured with tcp port control has not been configured to allow SYN, ACK etc but it works when some of these ACLs are applied to other interface.

    Hi,
    Thanks for the response. As far as the config of the ACL, it's quite straight forward with the thing i'm trying to achieve. 1.1.1.190 & 1.1.1.192 are Mail servers. The objective is to control both .190 & .192. The config is as below:
    interface Vlan2
    description For Mail
    ip address 1.1.1.129 255.255.255.0
    ip access-group 2002 in
    end
    C6500#sh access-li 2002
    Extended IP access list 2002
    10 permit icmp any any (272 matches)
    20 permit tcp host 1.1.1.0 any syn (10467 matches)
    30 permit tcp host 1.1.1.0 any ack (781 matches)
    40 permit tcp host 1.1.1.190 eq smtp any
    50 permit tcp host 1.1.1.190 eq pop3 any
    60 permit tcp host 1.1.1.192 eq smtp any
    70 permit tcp host 1.1.1.192 eq pop3 any (4 matches)
    80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255 (19 matches)
    When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.
    Whereas, some other applications that use some custom ports, ie. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs & the ACL worked well.

  • HT202351 extended display & switching videos

    I have a MB Air connected to an LCD projector. I want to run a video on one display while at the same time, preparing another video to play a bit later. I hate the idea of the audience "watching the cursor pull the screen over" as I move the finished video off the extended desktop and then move the next video on to the extended desktop. Isn't there another way to use multiple desktops in order to play/show different things at different times?
    I tried using multiple desktops and found that none of them showed up on the LCD projected screen.
    Then I used the Mirror but everyone could watch me prepare the next video to play! Not good!
    So the only option was using the extended desktop. In order to play the video, I had to press Command/Return (at the same time) because pressing the play in Quicktime) would not start the video on the extended desktop.  I had to restart the second video from scratch by closing QT after the first one played because the second video would not not play initially.
    There has got to be a better/smoother/savvier way to do this.

    I have a MB Air connected to an LCD projector. I want to run a video on one display while at the same time, preparing another video to play a bit later. I hate the idea of the audience "watching the cursor pull the screen over" as I move the finished video off the extended desktop and then move the next video on to the extended desktop. Isn't there another way to use multiple desktops in order to play/show different things at different times?
    I tried using multiple desktops and found that none of them showed up on the LCD projected screen.
    Then I used the Mirror but everyone could watch me prepare the next video to play! Not good!
    So the only option was using the extended desktop. In order to play the video, I had to press Command/Return (at the same time) because pressing the play in Quicktime) would not start the video on the extended desktop.  I had to restart the second video from scratch by closing QT after the first one played because the second video would not not play initially.
    There has got to be a better/smoother/savvier way to do this.

  • Extended ACL for DHCP

    Hi,
    I'm having a problem creating an ACL to allow DHCP.
    I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.
    Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.
    I seem to remember that the ACL for DHCP was a little odd -this is what I currently have:
    permit udp any host 172.16.30.4 log
    permit tcp any host 172.16.30.4 log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log
    deny ip any any (28 matches)
    172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified whilst debugging this problem - my inital config was for ports 67 and 68.
    I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.
    The IP helper address is configured on the interface and is 172.16.30.4.
    Can some one let me know what I'm missing.
    Cheers,
    Steve

    Hi,
    Thanks for the response - I'll try the ACL for DHCP shortly.
    With regard to the ACL:
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
    you are correct, that is for DNS.
    However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?
    Cheers,
    Steve

  • Extended ACL configuration

    Hello everyone,
    I use ACLs on a daily basis and every now and then I need to insert a remark above a particulare line.
    As of today I do the following:
    Step 1: Creating a temp. copy of the desired ACL and bind it to the Interface to ensure functionality while editing the original ACL
    Step 2: Delete the original ACL and then recreate it with the added line(s)
    Step 3: Bind the newly created ACL to the Interface, delete the temp. created ACL
    Is there a way similar to include new lines by useing the sequence numbers to insert a remark above a specific line?
    thanks in advance
    Marcel

    Hi Marcel
    you didn't mentioning about what kind of device (model, firmware/ios version) you are writing.
    ACL's can be done on variety of devices with very different forms of configuration, moreover you are writing inside Small Business section of this forum (related to specified group devices without using IOS software).

  • Extended ACL and FTP

    We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?
    permit tcp any any established

    Maybe this link should help.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
    Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.
    So instead you use
    access-list 100 permit tcp any host 192.168.1.100 gt 1023
    You should use
    access-list 100 permit tcp any host 192.168.1.100 range 6000 6100
    But, in my opinion, from the server's view, active FTP is more secure than passive.
    Hope this helps

  • I am stuck. Extended ACL issues

    I been at this for a long time and I simply do not know what this practice lab wants. I mean I think I input the correct information but the % does not go up.
    Says for my ACL's I'm supposed to
    Allow telnet to R1 and R3 from R2 only
    Do not allow HTTP, Telnet, and FTP traffic from the Internet to PC1.
    Do not allow PC1 to receive traffic from the 10.0.0.128/25 network.
    I emplemented many ACL's and tried various things but nothing is working form me.
    PC1 address is - 10.0.0.10 /25 its part of the 10.0.0.0/25 network. (Pc1 is connected to R1)
    R1 is connected to R2 and R3.
    The R1 connection to R2 is on S0/0/0 172.16.0.1 255.255.255.252
    R1 to R3 connection is going through S0/1/0 172.16.0.9 255.255.255.252
    R2 is connected to R1 via S0/0/0 interface with the IP address 172.16.0.2 /30 (255.255.255.252)
    R2's s0/0/1 is connected to R3 with the ip address of 172.16.0.5 255.255.255.252
    R3 is connected to R1 via S0/0/0 ip address 172.16.0.10 255.255.255.252
    Pc3 is connected to R3 with an ip of 10.0.0.139 255.255.128 (This is part of the 10.0.0.128/25 network
    R3's connection to R2 is on S0/0/1 with the ip address of 172.16.0.6 255.255.252
    The network from R1 to R2 is 172.16.0.0/30
    the Network from R1 to R3 is 172.16.0.8/30
    the Network from R2 to R3 is 172.16.0.4/30
    The Loopback on R2 is 209.165.200.161/27
    If anyone can help me I would greatly appreciate it. I am just so lost atm =/

    Are you running a routing protocol? OSPF, EIGRP, RIP?
    What "%" are you talking about, and what's not working for you exactly?
    Can we get a drawing of you topology?
    HTH,
    John

Maybe you are looking for