Port ACLs on a 3750 - question

I have a 3750 that is connected to another network via a layer-2 type connection. I have a specific set of TCP and UDP ports that I want to allow access to via this switch. In taking a look at the documentation I see that I can apply Port ACLs directly to layer-2 interfaces, but that it will only work "inbound" to the switch.
Will this work:
If I have (bad ascii net diagram):
[hosta]--[rtr]--[switcha]-WAN-[switchb]
I want to put an ACL on the l2 uplink from switchB to the wan (WAN is a metro-ethernet type l2 wan extension - rtr is a router) that only allows hosta to hit tcp ports 1000,2000 and 3000 on hosts sitting on switchb. I want to allow hosts on switchb to do whatever they want to hosta. Is it as simple as:
access-list 101 permit tcp any any eq 1000
access-list 101 permit tcp any any eq 2000
access-list 101 permit tcp any any eq 3000
and then applying that ACL onto the l2 uplink interface on switchb? Thinking that since Port ACLs only affect the "inbound" direction - allowing inbound connections on the l2 uplink gets the packets onto my hosts on switchb, and there is nothing preventing the return traffic or new tcp connections from hosts on switchb -> hosta...?
Thanks!
-Frank

Yes Frank, your idea seems to be okay.
As per document, You can configure only one type of per-user ACLs on a Catalyst 3750 switch port: router ACLs or port ACLs. Router ACLs apply to Layer 3 interfaces, and port ACLs apply to Layer 2 interfaces. If a port is configured with a port-based ACL, the switch rejects any attempt to configure a router-based ACL on the same port. However, if a port is configured with a router-based ACL and then a port-based ACL, the port-based ACL overwrites the router ACL.
When applying it to the interface connecting to the l2 port, give the "in" direction; in any case, "out" is not supported on l2 interfaces.
So nothing looks to be preventing the return traffic.
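As an added worked example (not code from the original thread), the following Python evaluates the question's three-line ACL the way a stateless inbound port ACL on switchb's WAN uplink would, packet by packet: a first-match walk over the entries with the implicit deny at the end, and no evaluation at all for packets leaving the switch on that interface. The addresses, port numbers and traffic scenarios are constructed, and only the subset of IOS ACL syntax shown is parsed. It also shows what the established keyword changes for replies to connections that hosts on switchb open toward hosta, which the three permit lines alone do not cover.

```python
"""Stateless inbound port-ACL evaluation on an L2 uplink (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK or RST bit set; this is all 'established' looks at


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip"
    src: Optional[str]        # None means 'any'
    dst: Optional[str]
    dport: Optional[int]      # None means any destination port
    established: bool = False


def _parse_addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (addr or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]!r}")


def parse_acl(lines):
    """Parse lines like 'access-list 101 permit tcp any any eq 1000 [established]'."""
    aces = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport, established = None, False
        while i < len(t):
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword: {t[i]!r}")
        aces.append(Ace(action, proto, src, dst, dport, established))
    return aces


def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src is not None and ace.src != pkt.src:
        return False
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(aces, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


def port_acl_verdict(aces, pkt, direction):
    """A Catalyst port ACL is inbound only: outbound packets are never checked."""
    return "unfiltered" if direction == "out" else evaluate(aces, pkt)


HOSTA = "10.0.1.10"   # constructed: host behind the router across the WAN
HOSTB = "10.0.2.20"   # constructed: host on switchb

# The three lines from the question, in numbered extended ACL syntax.
BASIC_ACL = [
    "access-list 101 permit tcp any any eq 1000",
    "access-list 101 permit tcp any any eq 2000",
    "access-list 101 permit tcp any any eq 3000",
]
# 'established' matches TCP segments with ACK/RST set, i.e. replies to sessions
# opened from switchb. It is a flag check, not connection tracking.
ESTABLISHED_ACL = BASIC_ACL + ["access-list 101 permit tcp any any established"]


def scenario_verdicts(acl_lines):
    """Run constructed flows through an ACL applied 'in' on switchb's uplink."""
    aces = parse_acl(acl_lines)
    scenarios = {
        "hosta opens tcp/1000 to hostb (in)": (Packet("tcp", HOSTA, HOSTB, 40001, 1000), "in"),
        "hosta opens tcp/22 to hostb (in)":   (Packet("tcp", HOSTA, HOSTB, 40002, 22), "in"),
        "hosta sends udp/1000 to hostb (in)": (Packet("udp", HOSTA, HOSTB, 40003, 1000), "in"),
        "hostb replies from tcp/1000 (out)":  (Packet("tcp", HOSTB, HOSTA, 1000, 40001, ack=True), "out"),
        "hostb opens tcp/80 to hosta (out)":  (Packet("tcp", HOSTB, HOSTA, 51234, 80), "out"),
        "hosta replies from tcp/80 (in)":     (Packet("tcp", HOSTA, HOSTB, 80, 51234, ack=True), "in"),
    }
    return {name: port_acl_verdict(aces, pkt, d) for name, (pkt, d) in scenarios.items()}


if __name__ == "__main__":
    for label, acl in (("basic", BASIC_ACL), ("with established", ESTABLISHED_ACL)):
        print(f"--- {label} ---")
        for name, verdict in scenario_verdicts(acl).items():
            print(f"{name:38s} {verdict}")
```

Running it shows that the basic ACL permits hosta's connections to the three ports and leaves everything leaving switchb untouched, but the reply segments coming back from hosta for a session that a switchb host opened are dropped by the implicit deny, since their destination port is the ephemeral port, not 1000, 2000 or 3000; the established variant passes those replies while still refusing new inbound connections to other ports.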

Similar Messages

  • Port channel WLC 5508 and 3750

    Hi All,
    I want to configure Port channel for WLC 5508 and cisco 3750 Stack Switch. What changes I need to make on WLC and where?
    Thanks
    Jagdev

    Thanks Chris,
LAG is enabled on the WLC, and the Port channel is configured on the 3750. Please see the configuration and Port channel status below:-
    (Cisco Controller) >show lag summary
    LAG Enabled
    interface Port-channel14
    description Port Channel to WLC001
    switchport trunk encapsulation dot1q
    switchport mode trunk
    end
    sh etherchannel 14 summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      f - failed to allocate aggregator
            M - not in use, minimum links not met
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port
    Number of channel-groups in use: 14
    Number of aggregators:           14
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    14     Po14(SD)        LACP      Gi1/0/22(I) Gi2/0/22(I)
    sh run int g1/0/22
    Building configuration...
    Current configuration : 209 bytes
    interface GigabitEthernet1/0/22
    description Trunk to WLC001 DistPort1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 254
    switchport mode trunk
    channel-group 14 mode active
    end
    sh run int g2/0/22
    Building configuration...
    Current configuration : 209 bytes
    interface GigabitEthernet2/0/22
    description Trunk to WLC001 DistPort2
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 254
    switchport mode trunk
    channel-group 14 mode active
    end

  • Hyper-V port ACLs not accepted from VMM

    I am trying to centrally manage all my port ACLs for VM net adapters from VMM but I am not able to run the command.
I try to run the command "Add-VMNetworkAdapterExtendedAcl" from the SCVMM PowerShell terminal:
    PS C:\Users\Administrator> Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Direction "Outbound"
    80 "TCP" -Weight 1 -Stateful $true
    And get the following:
    Add-VMNetworkAdapterExtendedAcl : The cmdlet cannot find a specified class. Verify that the relevant feature is
    enabled on the operating system.
    At line:1 char:1
    + Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Directio ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Add-VMNetworkAdapterExtendedAcl], VirtualizationOperationFailedException
        + FullyQualifiedErrorId : Microsoft.HyperV.PowerShell.Commands.AddVMNetworkAdapterExtendedAclCommand
    Any ideas?
    SamG

    Hi SamG,
    Agree with the others .
    Also you can use the PowerShell command "Enable-PSRemoting -force" on the destination Hyper-V server (the system will prompt you to confirm some settings during the setup; select A for Yes to All to confirm all of them).
    Then on your local computer run the following PowerShell:
    $cred = Get-Credential -Credential xxxxxx\administrator
    (you need to enter the user name and password of the remote computer)
    Enter-PSSession -ComputerName xxxxxx -Credential $cred
    After that, maybe you can use PowerShell remotely.
    For details please refer to following links:
    http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/17/learn-how-to-manage-remote-powershell-sessions.aspx
    Best Regards
    Elton Ji

  • Run port ACL command from SCVMM

    I am trying to centrally manage all my port ACLs for VM net adapters from VMM but I am not able to run the command.
    I try to run the command "Add-VMNetworkAdapterExtendedAcl" from the SCVMM PowerShell terminal:
    PS C:\Users\Administrator> Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Direction "Outbound"
    80 "TCP" -Weight 1 -Stateful $true
    And get the following:
    Add-VMNetworkAdapterExtendedAcl : The cmdlet cannot find a specified class. Verify that the relevant feature is
    enabled on the operating system.
    At line:1 char:1
    + Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Directio ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Add-VMNetworkAdapterExtendedAcl], VirtualizationOperationFailedException
        + FullyQualifiedErrorId : Microsoft.HyperV.PowerShell.Commands.AddVMNetworkAdapterExtendedAclCommand
    Any ideas? Is there a similar command for SCVMM?
    SamG

    You are running a Hyper-V cmdlet, not an SCVMM cmdlet.  Is the Hyper-V PowerShell module installed?
    As far as I know, SCVMM does not support port ACLs at this time.
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

  • Router ACL and Port ACL

    How can I tell, by looking at an ACL, whether it is a router ACL or a port ACL?
    Is there any syntax difference between these two ACLs, or do they look the same?

    How can I tell, by looking at an ACL, whether it is a router ACL or a port ACL?
    It depends on where the ACL is applied:
    Layer-3 interface (SVI, routed port): Router ACL
    Layer-2 interface (physical switch interfaces): Port ACL
    Is there any syntax difference between these two ACLs?
    Both support Standard and Extended ACLs, the Port ACLs support MAC Extended ACLs in addition.
    Link: c3560 Configuring Network Security with ACLs

  • ACL not working on 3750 Switch Stack on a trunk port

    I cannot figure out why the ACL is not working on a 3750 running 12.2 (55)SE on a trunk port.  For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk.  I have tried standard and extended list, but neither seem to work.
    What am I doing wrong?
    Access-List:
    Standard IP access list 10
        10 deny   10.101.15.13 log
        20 permit any log
    Access-List Interface:
    interface GigabitEthernet7/0/10
     description ESX Trunk
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,2,60-63
     switchport mode trunk
     ip access-group 10 in
    Mac-Address on the Switch Port:
    63    0050.569a.6d9f    DYNAMIC     Gi7/0/10
    Windows Machine MAC:
    Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
    Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
    Windows Connection (which should be denied):
     TCP    10.20.63.4:3389        10.101.15.13:21289     ESTABLISHED     InHost

    PACL only apply to an L2 interface.  On an L2 interface the only direction that can be applied is INBOUND.  On an L3 interface INBOUND or OUTBOUND can be specified.
    In any case, I have worked around the issue by applying VACLs. Marking this as resolved.

  • 3560 and 3750 - Question about 10/100/1000 ports

    I am researching several Cisco products to recommend to a customer. I was wondering if the 10/100/1000 ports on a 3560 switch will provide gigabit bandwidth on each port or if the bandwidth is shared among several ports. The latter is how a 48 port 10/100/1000 line card would behave on a Cisco 4500 when, depending on the card, the gigabit bandwidth will be shared among 4 or 6 ports at a time.
    What about 10/100/1000 ports on a 3750?
    Thanks

    The new Catalyst switches/modules such as the Catalyst 6500/6000, 4500/4000, 3550, and 2950 support 10/100/1000 Mbps negotiated Ethernet interfaces or ports. These ports work at 10 Mbps, 100 Mbps, or 1000 Mbps speed based on their connection to the other end. These 10/100/1000 Mbps ports can be configured for speed and duplex negotiation in the same way as 10/100 Mbps ports on CatOS or Cisco IOS Software-based switches. Therefore, the configurations given in this document for 10/100 Mbps port negotiation apply to 10/100/1000 Mbps ports as well.
    http://www.cisco.com/en/US/tech/tk389/tk214/technologies_tech_note09186a0080094781.shtml

  • 2 3750 questions

    I have 2 3750's that I have decided NOT to use stackwise. They are replacing 2 3550 switches that were connected via gigastack cable running HSRP. I am going to do the 3750's the same way.
    Question 1: I did connect the switches via the stackwise cable to experiment. I have "write erased" both switches but they still seem to think they are connected via stackwise. Ports are numbered incorrectly for standalone. How do I get rid of this?
    Question 2: The 2 3750's will uplink via copper crossover. What if anything do I lose not using the gigastack cable?

    1) You can use the switch renumber command. For example, if all your interfaces have 2/0/x numbering and you want to change to 1/0/x, you can issue the following command:
    Stack1(config)#switch 2 renumber 1
    WARNING: Changing the switch number may result in a
    configuration change for that switch.
    The interface configuration associated with the old switch
    number will remain as a provisioned configuration.
    Do you want to continue?[confirm]
    Changing Switch Number 1 to Switch Number 2
    New Switch Number will be effective after next reboot
    2) StackWise gives you a 32 Gigabit backplane ring and offers higher resilience and ease of management. If I were you, I would use StackWise.

  • Using the USB port for an external HD dumb question

    OK. Forgive a possibly really dumb question here...
    My external HD has a USB 2.0 interface and I hooked it up to the USB port using a cable that came with an old USB 1 hub I'm not using right now.
    My dumb question is this: is there such a thing as a USB 2.0 cable? Or are the USB cables all the same?
    Also, how long should it be taking to transfer 12.1 GB of data (about 9,000 photos) from my external HD mounted on the AirMac base station to my MBP? There are still 48 minutes left and it seems an awfully long time for 12.1 GB of data. That's why I was wondering if the cable could be an issue...
    Thanks,
    doug

    I am suspecting now that my HD might really have been a USB 1.0 drive...
    doug

  • Cisco 3850 Switch Management Port - ACL on VTY

    Hi,
    I got these switches.
    Switch Ports Model              SW Version        SW Image              Mode   
    *    1 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
    SSH access to Management port G0/0 with an ACL applied on line vty 0 4 is failing, even though the ACL is permitting traffic.
    interface GigabitEthernet0/0
     vrf forwarding Mgmt-vrf
     ip address 172.16.12.3 255.255.255.0
     negotiation auto
    ip access-list standard ACLVTY
     permit any log
    line vty 0 4
     access-class ACLVTY in
     exec-timeout 15 0
     length 0
     history size 64
     transport preferred ssh
     transport input ssh
     transport output telnet ssh
    037599: *Mar 28 2014 04:59:49.919 AEDT: %SEC-6-IPACCESSLOGS: list permit-any permitted 172.16.12.100 1 packet
    # show ip access-list permit-any
    Standard IP access list permit-any
        10 permit any log (3 matches)
    If I remove the ACL under VTY "no access-class ACLVTY in", then SSH to the management port works. If I don't use the management port and use a normal port say G1/0/1 configured on management VLAN and assigned the same IP address, then SSH works with the VTY ACL still existing. 
    Any ideas ?
    Thanks, 
    Rick.

    Hi,
    IOS will accept all VTY connections by default. However, if an access-class is used, the assumption is that connections should only arrive from the global VRF. If you need to control the IP source while allowing VTY connections from VRF instances, you can try the configuration option "vrf-also".
    So, you should get something like this:
    line vty 0 4
    access-class ACLVTY in vrf-also  

  • Does Cat6 SUP720 support port acl?

    Hi
    We have a network using Cat4 and Cat6 for server connections.
    We have decided to use ACLs on the l2 ports to block certain traffic.
    It works fine on the cat4, but it does not work on cat6.
    Is it a supported feature on cat6?
    Thanks

    Hey,
    Are you using Cat OS or IOS on Sup 720?
    I think on Cat OS you cannot use the ACL on L2 ports.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/confg_gd/acc_list.htm#wp1020508
    HTH,
    -amit singh

  • IP Port ACL on switch

    Catalyst 3560
    I want to block one particular local IP address from communicating with a server on a switch port, but allow all other IP addresses to communicate with it. Here is the ACL on the port the server is on:
    deny host 10.16.5.138
    permit any
    Everything gets blocked when I put this ACL in place. How should the ACL read so I can do what I want to do?

    Strange, this looks correct.
    try :
    permit any any
    Does the 10.16.5.138 host get blocked at least ?

  • Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

    Hello,
    We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194.  We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server.  So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN.  Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
    Thanks for your comments in advance I am new to cisco technology,
    Joe        

    Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.

  • Fundamental ACL & Service Policy related questions

    Hi All,
    Apologies in advance for seemingly stupid questions, but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is, and whether it's because all debugging messages go to the debug log instead of being printed on the console, or what it is...I just don't get it. When I'm saying logging console...please print it on the console! Anyway, that rant aside...
    I have a VERY simple topology like so
                                                A few servers in this VLAN
    ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
                                                ASA5520 <--> Internal VLAN
    With regards to ACLs and their direction, when an ACL is applied to a physical port (or, in cases where QoS is enabled, a service-policy is applied to a routed physical port on the 3560), saying that the policy is applied in the "in" direction (or 'input' in the case of a service-policy), does that mean 'inbound' in either direction? As in, IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or service-policy input myPolicymap) ...will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or is "IN" for it always JUST the ISP side, because it's assuming that all traffic generated from inside the network going out to the Internet is implicitly allowed UNLESS an ACL somewhere in the network restricts that?
    Then, in the case of an SVI...I believe, just like the physical routed port, I can ONLY implement an "inbound" ACL on this as well. So when I implement either a hierarchical policy-map or just an access-group "in", then what is "IN" ...traffic entering this VLAN from the internal network and those public servers going out to the Internet AND traffic entering this VLAN from the ISP/Internet via the physical routed port, OR is it JUST the latter, or is it just the former?
    Now Lastly, when I have the physical ports to which the ASA and each of those physical servers are connected to sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the Internal network through the ASA, and the Internet OR just the traffic coming into it from the Internet, but the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy
    Again, very sorry for a dumb question, but I'm seeing bizarre things in my network, so I was just wondering before I decide on what kind of security I want to plan/design.
    Thanks in advance

    The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace".  On, it goes to syslog; "no logging debug-trace" goes to the console.  I've been bitten by this one myself.
    ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else.  On Catalyst switches port ACLs are inbound (receiving packets) only.  Obviously, on directly connected devices, one device's out is the other device's in.
    ACLs on SVIs depend on whether you are running a base image or a services image; services images can do IPv4 and IPv6 in both directions.  However, port ACLs trump routed ACLs; if both exist, the port ACL is the only one applied.  I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACLs on SVIs only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
    -- Jim Leinweber, WI State Lab of Hygiene

  • Nexus 1000v port-channels questions

    Hi,
    I’m running vCenter 4.1 and Nexus 1000v and about 30 ESX Hosts.
    I’m using one system uplink port profile for all 30 ESX Host; On each of the ESX host I have 2 NICs going to a Catalyst 3750 switch stack (Switch A), and another 2 NICs going to another Catalyst 3750 switch stack (Switch B).
    The Nexus is configured with the “sub-group CDP” command on the system uplink port profile like the following:
    port-profile type ethernet uplink
    vmware port-group
    switchport mode trunk
    switchport trunk allowed vlan 1,800,802,900,988-991,996-997,999
    switchport trunk native vlan 500
    mtu 1500
    channel-group auto mode on sub-group cdp
    no shutdown
    system vlan 988-989
    description System-Uplink
    state enabled
    And the port channel on the Catalyst 3750 are configured like the following:
    interface Port-channel11
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk
    end
    interface GigabitEthernet1/0/18
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    channel-group 11 mode on
    spanning-tree portfast trunk
    spanning-tree guard root
    end
    interface GigabitEthernet1/0/1
    description ESX-10(Virtual Machine)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport trunk allowed vlan 800,802,900,988-991
    switchport mode trunk
    switchport nonegotiate
    channel-group 11 mode on
    spanning-tree portfast trunk
    spanning-tree guard root
    end
    Now Cisco is telling me that I should be using MAC pinning when doing a trunk to two different stacks, and that each interface on the 3750 should not be configured in a port-channel like above, but should be configured as individual trunks.
    First question: Is the above statement correct, are my uplinks configured wrong?  Should they be configured individually in trunks instead of a port-channel?
    Second question: If I need to add the MAC pinning configuration on my system uplink port-profile, can I create a new system uplink port profile with the MAC pinning configuration and then move one ESX host (with no VMs on it) at a time to that new system uplink port profile? This way, I could migrate one ESX host at a time without outages to my VMs. Or is there an easier way to move 30 ESX hosts to a new system uplink profile with the MAC pinning configuration?
    Thanks.

    Hello,
    From what I understood, you have the following setup:
         - Each ESX host has 4 NICS
         - 2 of them go to a 3750 stack and the other 2 go to a different 3750 stack
         - all 4 vmnics on the ESX host use the same Ethernet port-profile
              - this has 'channel-group auto mode on sub-group cdp'
         - The 2 interfaces on each 3750 stack are in a port-channel (just 'mode on')
    If yes, then this sort of a setup is correct. The only problem with this is the dependence on CDP. With CDP loss, the port-channels would go down.
    'mac-pinning' is the recommended option for this sort of a setup. You don't have to bundle the interfaces on the 3750 for this, and these can be just regular trunk ports. If all your ports are on the same stack, then you can look at LACP. The CDP option will not be supported in future releases. In fact, it is supposed to be removed from 4.2(1)SV1(2.1), but I still see the command available (ignore 4.2(1)SV1(4) next to it) - I'll follow up on this internally:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_2_1_1/interface/configuration/guide/b_Cisco_Nexus_1000V_Interface_Configuration_Guide_Release_4_2_1_SV_2_1_1_chapter_01.html
    For migrating, the best option would be as you suggested. Create a new port-profile with mac-pinning and move one host at a time. You can migrate VMs off the host before you change the port-profile and can remove the upstream port-channel config as well.
    Thanks,
    Shankar
