Port-ACL's on a 3750 - question
I have a 3750 that is connected to another network via a layer-2 type connection. I have a specific set of tcp and udp ports that I want to allow access to via this switch. In taking a look at the documentation I see that I can apply Port ACL's directly to layer-2 interfaces, but that it will only work "inbound" to the switch.
Will this work:
If I have (bad ascii net diagram):
[hosta]--[rtr]--[switcha]-WAN-[switchb]
I want to put an ACL on the l2 uplink from switchB to the wan (WAN is a metro-ethernet type l2 wan extension - rtr is a router) that only allows hosta to hit tcp ports 1000,2000 and 3000 on hosts sitting on switchb. I want to allow hosts on switchb to do whatever they want to hosta. Is it as simple as:
access-list 101 permit tcp any any eq 1000
access-list 101 permit tcp any any eq 2000
access-list 101 permit tcp any any eq 3000
and then applying that ACL onto the l2 uplink interface on switchb? Thinking that since Port ACL's only affect "inbound" direction - allowing inbound connections on the l2 uplink gets the packets onto my hosts on switchb, and there is nothing preventing the return traffic or new tcp connections from hosts on switchb -> hosta...?
Thanks!
-Frank
Yes Frank, your idea seems to be okay.
As per the document, you can configure only one type of per-user ACL on a Catalyst 3750 switch port: router ACLs or port ACLs. Router ACLs apply to Layer 3 interfaces, and port ACLs apply to Layer 2 interfaces. If a port is configured with a port-based ACL, the switch rejects any attempt to configure a router-based ACL on the same port. However, if a port is configured with a router-based ACL and then a port-based ACL, the port-based ACL overwrites the router ACL.
While applying it to the interface connecting to the L2 port, give the "in" direction; anyway, "out" is not supported on L2 interfaces.
So nothing looks to be preventing the return traffic.
Similar Messages
-
Port channel WLC 5508 and 3750
Hi All,
I want to configure Port channel for WLC 5508 and cisco 3750 Stack Switch. What changes I need to make on WLC and where?
Thanks
Jagdev
Thanks Chris,
LAG is enabled on the WLC, and the Port channel is configured on the 3750. Please see the configuration and Port channel status below:
(Cisco Controller) >show lag summary
LAG Enabled
interface Port-channel14
description Port Channel to WLC001
switchport trunk encapsulation dot1q
switchport mode trunk
end
sh etherchannel 14 summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 14
Number of aggregators: 14
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
14 Po14(SD) LACP Gi1/0/22(I) Gi2/0/22(I)
sh run int g1/0/22
Building configuration...
Current configuration : 209 bytes
interface GigabitEthernet1/0/22
description Trunk to WLC001 DistPort1
switchport trunk encapsulation dot1q
switchport trunk native vlan 254
switchport mode trunk
channel-group 14 mode active
end
sh run int g2/0/22
Building configuration...
Current configuration : 209 bytes
interface GigabitEthernet2/0/22
description Trunk to WLC001 DistPort2
switchport trunk encapsulation dot1q
switchport trunk native vlan 254
switchport mode trunk
channel-group 14 mode active
end
-
Hyper-V port ACLs not accepted from VMM
I am trying to centrally manage all my port ACLs for VM net adapters from VMM but I am not able to run the command.
I try to run the command "Add-VMNetworkAdapterExtendedAcl" from the SCVMM PowerShell terminal:
PS C:\Users\Administrator> Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Direction "Outbound"
80 "TCP" -Weight 1 -Stateful $true
And get the following:
Add-VMNetworkAdapterExtendedAcl : The cmdlet cannot find a specified class. Verify that the relevant feature is
enabled on the operating system.
At line:1 char:1
+ Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Directio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-VMNetworkAdapterExtendedAcl], VirtualizationOperationFailedException
+ FullyQualifiedErrorId : Microsoft.HyperV.PowerShell.Commands.AddVMNetworkAdapterExtendedAclCommand
Any ideas?
SamG
Hi SamG,
Agree with the others.
Also you can use PowerShell "Enable-PSRemoting -force" on the destination Hyper-V server (the system will prompt you to confirm some settings during
the setup; select A for Yes to All to confirm all of them).
Then on your local computer run the following PowerShell:
$cred = Get-Credential -Credential xxxxxx\administrator
(you need to enter the user name and password of the remote computer)
Enter-PSSession -ComputerName xxxxxx -Credential $cred
After that, maybe you can use PowerShell remotely.
For details please refer to following links:
http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/17/learn-how-to-manage-remote-powershell-sessions.aspx
Best Regards
Elton Ji
-
Run port ACL command from SCVMM
I am trying to centrally manage all my port ACLs for VM net adapters from VMM but I am not able to run the command.
I try to run the command "Add-VMNetworkAdapterExtendedAcl" from the SCVMM PowerShell terminal:
PowerShell terminal:
PS C:\Users\Administrator> Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Direction "Outbound"
80 "TCP" -Weight 1 -Stateful $true
And get the following:
Add-VMNetworkAdapterExtendedAcl : The cmdlet cannot find a specified class. Verify that the relevant feature is
enabled on the operating system.
At line:1 char:1
+ Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Directio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-VMNetworkAdapterExtendedAcl], VirtualizationOperationFailedException
+ FullyQualifiedErrorId : Microsoft.HyperV.PowerShell.Commands.AddVMNetworkAdapterExtendedAclCommand
Any ideas? Is there a similar command for SCVMM?
SamG
You are running a Hyper-V cmdlet, not an SCVMM cmdlet. Is the Hyper-V PowerShell module installed?
As far as I know, SCVMM does not support port ACLs at this time.
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat.
Disclaimer: Attempting change is of your own free will.
-
How to find out, after looking at the ACL, whether it is a router ACL or a port ACL
Is there any syntax difference between these two ACLs? Or do these two look the same? How to find out, after looking at the ACL, whether this is a router ACL or a port ACL?
It depends on where the ACL is applied:
Layer-3 interface (SVI, routed port): Router ACL
Layer-2 interface (physical switch interfaces): Port ACL
is there is any syntax difference between these two acl's?
Both support Standard and Extended ACLs, the Port ACLs support MAC Extended ACLs in addition.
Link: c3560 Configuring Network Security with ACLs
-
ACL not working on 3750 Switch Stack on a trunk port
I cannot figure out why the ACL is not working on a 3750 running 12.2 (55)SE on a trunk port. For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk. I have tried standard and extended list, but neither seem to work.
What am I doing wrong?
Access-List:
Standard IP access list 10
10 deny 10.101.15.13 log
20 permit any log
Access-List Interface:
interface GigabitEthernet7/0/10
description ESX Trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,60-63
switchport mode trunk
ip access-group 10 in
Mac-Address on the Switch Port:
63 0050.569a.6d9f DYNAMIC Gi7/0/10
Windows Machine MAC:
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
Windows Connection (which should be denied):
TCP 10.20.63.4:3389 10.101.15.13:21289 ESTABLISHED InHost
PACLs only apply to an L2 interface. On an L2 interface the only direction that can be applied is INBOUND. On an L3 interface INBOUND or OUTBOUND can be specified.
In any case, I have worked around the issue by applying VACLs. Marking this as resolved.
-
3560 and 3750 - Question about 10/100/1000 ports
I am researching several Cisco products to recommend to a customer. I was wondering if the 10/100/1000 ports at a 3560 switch, will provide gigabit bandwith on each port or if the bandwidth is shared among several ports. The latter is how a 48 port 10/100/1000 line card would behave on a Cisco 4500 when, depending on the card, the gigabit bandwidth will be shared among 4 or 6 ports at a time.
What about 10/100/1000 ports on a 3750?
Thanks
The new Catalyst switches/modules such as the Catalyst 6500/6000, 4500/4000, 3550, and 2950 support 10/100/1000 Mbps negotiated Ethernet interfaces or ports. These ports work at 10 Mbps, 100 Mbps, or 1000 Mbps speed based on their connection to the other end. These 10/100/1000 Mbps ports can be configured for speed and duplex negotiation in the same way as 10/100 Mbps ports on CatOS or Cisco IOS Software-based switches. Therefore, the configurations given in this document for 10/100 Mbps port negotiation apply to 10/100/1000 Mbps ports as well.
http://www.cisco.com/en/US/tech/tk389/tk214/technologies_tech_note09186a0080094781.shtml
-
I have 2 3750's that I have decided NOT to use stackwise. They are replacing 2 3550 switches that were connected via gigastack cable running HSRP. I am going to do the 3750's the same way.
Question 1: I did connect the switches via the stackwise cable to experiment. I have "write erased" both switches but they still seem to think they are connected via stackwise. Ports are numbered incorrectly for standalone. How do I get rid of this?
Question 2: The 2 3750's will uplink via copper crossover. What if anything do I lose not using the gigastack cable?
1) You can use the switch renumber command. For example, if all your interfaces have 2/0/x numbering and you want to change to 1/0/x, you can issue the following command:
Stack1(config)#switch 2 renumber 1
WARNING: Changing the switch number may result in a
configuration change for that switch.
The interface configuration associated with the old switch
number will remain as a provisioned configuration.
Do you want to continue?[confirm]
Changing Switch Number 1 to Switch Number 2
New Switch Number will be effective after next reboot
2) The StackWise gives you a 32 Gigabit backplane ring and offers higher resilience and ease of management. If I were you, I would use StackWise.
-
Using the USB port for an external HD dumb question
OK. Forgive a possibly really dumb question here...
My external HD has a USB 2.0 interface and I hooked it up to the USB port using a cable that came with an old USB 1 hub I'm not using right now.
My dumb question is this: is there such a thing as a USB 2.0 cable? Or are the USB cables all the same?
Also, how long should it be taking to transfer 12.1 GB of data (about 9,000 photos) from my external HD mounted on the AirMac base station to my MBP? There are still 48 minutes left and it seems an awfully long time for 12.1 GB of data. That's why I was wondering if the cable could be an issue...
Thanks,
doug
I am suspecting now that my HD might really have been a USB 1.0 drive...
doug
-
Cisco 3850 Switch Management Port - ACL on VTY
Hi,
I got these switches.
Switch Ports Model SW Version SW Image Mode
* 1 32 WS-C3850-24T 03.03.02SE cat3k_caa-universalk9 INSTALL
2 32 WS-C3850-24T 03.03.02SE cat3k_caa-universalk9 INSTALL
SSH access to Management port G0/0 with an ACL applied on line vty 0 4 is failing, even though the ACL is permitting traffic.
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 172.16.12.3 255.255.255.0
negotiation auto
ip access-list standard ACLVTY
permit any log
line vty 0 4
access-class ACLVTY in
exec-timeout 15 0
length 0
history size 64
transport preferred ssh
transport input ssh
transport output telnet ssh
037599: *Mar 28 2014 04:59:49.919 AEDT: %SEC-6-IPACCESSLOGS: list permit-any permitted 172.16.12.100 1 packet
# show ip access-list permit-any
Standard IP access list permit-any
10 permit any log (3 matches)
If I remove the ACL under VTY "no access-class ACLVTY in", then SSH to the management port works. If I don't use the management port and use a normal port say G1/0/1 configured on management VLAN and assigned the same IP address, then SSH works with the VTY ACL still existing.
Any ideas ?
Thanks,
Rick.
Hi,
IOS will accept all VTY connections by default. However, if an access-class is used, the assumption is that connections should only arrive from the global VRF. If you need to control the IP source while allowing VTY connections from VRF instances, you can try the configuration option "vrf-also".
So, you should get something like this:
line vty 0 4
access-class ACLVTY in vrf-also
-
Does Cat6 SUP720 support port acl?
Hi
We have a network using Cat4 and Cat6 for server connections.
We have decided to use acl on the l2 ports to block certain traffics.
It works fine on the cat4, but it does not work on cat6.
Is it a supported feature on cat6?
Thanks
Hey,
Are you using Cat OS or IOS on Sup 720?
I think on Cat OS you cannot use the ACL on L2 ports.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_1/confg_gd/acc_list.htm#wp1020508
HTH,
-amit singh
-
Catalyst 3560
I'm want to block one particular local IP address from communicating with a server on a switch port, but allow all other IP addresses to communicate with it. Here is the ACL on the port the server is on:
deny host 10.16.5.138
permit any
Everything gets blocked when I put this ACL in place. How should the ACL read so I can do what I want to do?
Strange, this looks correct.
Try:
permit any any
Does the 10.16.5.138 host get blocked at least?
-
Cisco 5520 ASA Port Forward to Endian Firewall VPN Question
Hello,
We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
Thanks for your comments in advance I am new to cisco technology,
Joe
Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.
-
Fundamental ACL & Service Policy related questions
Hi All,
apologies in advance for seemingly stupid questions, but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is, and if it's because all debugging messages go to the debug log instead of being printed on the console, or what it is... I just don't get it. When I'm saying logging console... please print it on the console! Anyway, that rant aside...
I have a VERY simple topology like so
A few servers in this VLAN
ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
ASA5520 <--> Internal VLAN
With regards to ACLs and their direction, when an ACL is applied to a physical port (or, in cases where QoS is enabled, a service-policy is applied) to a routed physical port on the 3560, saying that the policy is applied in the "in" direction (or 'input' in case of service-policy), does that mean 'inbound' in either direction? As in, IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or service-policy input myPolicymap)... will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or is "IN" for it always JUST the ISP side because it's assuming that all traffic generated from inside the network going out to the Internet is implicitly allowed UNLESS an ACL somewhere in the network restricts that?
Then, in case of an SVI... I believe, just like the physical routed port, I can ONLY implement an "Inbound" ACL on this as well. So when I implement either a Hierarchical policy-map or just an access-group "in", then what is "IN"... traffic entering this VLAN from the internal network and those public servers going out to the Internet AND traffic entering this VLAN from the ISP/Internet via the physical routed port, OR is it JUST the latter, or is it just the former?
Now Lastly, when I have the physical ports to which the ASA and each of those physical servers are connected to sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the Internal network through the ASA, and the Internet OR just the traffic coming into it from the Internet, but the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy
Again, very sorry for a dumb question, but I'm seeing bizarre things in my network so was just wondering before I decide on what kind of security I want to plan/design.
Thanks in advance
The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace". On, it goes to syslog; "no logging debug-trace" goes to the console. I've been bitten by this one myself.
ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else. On Catalyst switches port ACLs are inbound (receiving packets) only. Obviously, on directly connected devices, one device's out is the other device's in.
ACLs on SVIs depend on whether you are running a base image or services image; services images can do IPv4 and IPv6 in both directions. However, port ACLs trump routed ACLs; if both exist, the port ACL is the only one applied. I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACLs on SVIs only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
-- Jim Leinweber, WI State Lab of Hygiene
-
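A small model of Catalyst port ACL evaluation, added here as an example (it is not code from any of these threads). It covers the inbound-only rule Jim describes above, the three-line ACL proposed for switchB's WAN uplink in the first thread, and the standard ACL 10 on the ESX trunk Gi7/0/10 from the "ACL not working" thread; the hosta and switchB host addresses are constructed, while the trunk scenario reuses the addresses from that thread's netstat line.

```python
"""Model of a Catalyst port ACL (PACL): inbound only, implicit deny at the end.
Added example, not code from the forum posts. It models the extended ACL
proposed for switchB's WAN uplink and standard ACL 10 on the ESX trunk
Gi7/0/10; the hosta and switchB host addresses are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    proto: str = "tcp"
    ack: bool = False  # ACK/RST set: what the IOS 'established' keyword matches

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str = "ip"       # "ip" matches any protocol (as a standard ACL does)
    src: str = "0.0.0.0/0"  # standard ACLs only ever look at the source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False

def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or pkt.dport == rule.dport)
            and (not rule.established or pkt.ack))

def port_acl(rules, pkt, direction):
    """Only packets entering the L2 port ("in") are checked; a Catalyst PACL has
    no outbound direction, so "out" passes untouched. No match -> implicit deny."""
    if direction == "out":
        return "permit"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

HOSTA, SWB_HOST = "10.1.1.10", "10.2.2.20"   # constructed: hosta, a host on switchB
# The three permit lines proposed in the first thread, applied inbound on the uplink
UPLINK_ACL = [Rule("permit", "tcp", dport=p) for p in (1000, 2000, 3000)]

def uplink_scenario(acl):
    """Flows at switchB's WAN uplink; "in" means arriving from the WAN."""
    return {
        "hosta->swb:1000 syn": port_acl(acl, Packet(HOSTA, SWB_HOST, 40000, 1000), "in"),
        "swb->hosta:80 syn": port_acl(acl, Packet(SWB_HOST, HOSTA, 50000, 80), "out"),
        # reply to a connection the switchB host opened also arrives via the uplink
        "hosta:80->swb reply": port_acl(acl, Packet(HOSTA, SWB_HOST, 80, 50000, ack=True), "in"),
    }

# Standard ACL 10 from the trunk-port thread: deny 10.101.15.13, permit any
TRUNK_ACL = [Rule("deny", src="10.101.15.13/32"), Rule("permit")]

def trunk_scenario(acl=TRUNK_ACL):
    """The RDP session from the netstat line, as seen at trunk port Gi7/0/10."""
    vm, remote = "10.20.63.4", "10.101.15.13"
    return {
        "vm->remote": port_acl(acl, Packet(vm, remote, 3389, 21289), "in"),
        "remote->vm": port_acl(acl, Packet(remote, vm, 21289, 3389), "out"),
    }
```

Calling uplink_scenario(UPLINK_ACL + [Rule("permit", "tcp", established=True)]) lets the reply flow through; on IOS that extra line is `permit tcp any any established` in the extended ACL. In the trunk scenario the denied address only ever appears as a destination on packets entering Gi7/0/10, so a source-matching standard ACL applied inbound there never matches it.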
Nexus 1000v port-channels questions
Hi,
I’m running vCenter 4.1 and Nexus 1000v and about 30 ESX Hosts.
I’m using one system uplink port profile for all 30 ESX Host; On each of the ESX host I have 2 NICs going to a Catalyst 3750 switch stack (Switch A), and another 2 NICs going to another Catalyst 3750 switch stack (Switch B).
The Nexus is configured with the “sub-group CDP” command on the system uplink port profile like the following:
port-profile type ethernet uplink
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 1,800,802,900,988-991,996-997,999
switchport trunk native vlan 500
mtu 1500
channel-group auto mode on sub-group cdp
no shutdown
system vlan 988-989
description System-Uplink
state enabled
And the port channel on the Catalyst 3750 are configured like the following:
interface Port-channel11
description ESX-10(Virtual Machine)
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport trunk allowed vlan 800,802,900,988-991
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
end
interface GigabitEthernet1/0/18
description ESX-10(Virtual Machine)
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport trunk allowed vlan 800,802,900,988-991
switchport mode trunk
switchport nonegotiate
channel-group 11 mode on
spanning-tree portfast trunk
spanning-tree guard root
end
interface GigabitEthernet1/0/1
description ESX-10(Virtual Machine)
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport trunk allowed vlan 800,802,900,988-991
switchport mode trunk
switchport nonegotiate
channel-group 11 mode on
spanning-tree portfast trunk
spanning-tree guard root
end
Now Cisco is telling me that I should be using MAC pinning when doing a trunk to two different stacks , and that each interface on 3750 should not be configured in a port-channel like above, but should be configured as individual trunks.
First question: Is the above statement correct, are my uplinks configured wrong? Should they be configured individually in trunks instead of a port-channel?
Second questions: If I need to add the MAC pinning configuration on my system uplink port-profile can I create a new system uplink port profile with the MAC pinning configuration and then move one ESX host (with no VM on them) one at a time to that new system uplink port profile? This way, I could migrate one ESX host at a time without outages to my VMs. Or is there an easier way to move 30 ESX hosts to a new system uplink profile with the MAC Pinning configuration.
Thanks.
Hello,
From what I understood, you have the following setup:
- Each ESX host has 4 NICS
- 2 of them go to a 3750 stack and the other 2 go to a different 3750 stack
- all 4 vmnics on the ESX host use the same Ethernet port-profile
- this has 'channel-group auto mode on sub-group cdp'
- The 2 interfaces on each 3750 stack are in a port-channel (just 'mode on')
If yes, then this sort of a setup is correct. The only problem with this is the dependence on CDP. With CDP loss, the port-channels would go down.
'mac-pinning' is the recommended option for this sort of a setup. You don't have to bundle the interfaces on the 3750 for this and these can be just regular trunk ports. If all your ports are on the same stack, then you can look at LACP. The CDP option would not be supported in the future releases. In fact, it is supposed to be removed from 4.2(1)SV1(2.1) but I still see the command available (ignore 4.2(1)SV1(4) next to it) - I'll follow up on this internally:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_2_1_1/interface/configuration/guide/b_Cisco_Nexus_1000V_Interface_Configuration_Guide_Release_4_2_1_SV_2_1_1_chapter_01.html
For migrating, the best option would be as you suggested. Create a new port-profile with mac-pinning and move one host at a time. You can migrate VMs off the host before you change the port-profile and can remove the upstream port-channel config as well.
Thanks,
Shankar