Router ACL and Port ACL

How can I tell, after looking at an ACL, whether it is a router ACL or a port ACL?
Is there any syntax difference between these two ACLs, or do they look the same?

How can I tell, after looking at an ACL, whether it is a router ACL or a port ACL?
It depends on where the ACL is applied:
Layer-3 interface (SVI, routed port): Router ACL
Layer-2 interface (physical switch interfaces): Port ACL
Is there any syntax difference between these two ACLs?
Both support standard and extended ACLs; port ACLs additionally support MAC extended ACLs.
Link: c3560 Configuring Network Security with ACLs

Similar Messages

  • Port-ACL's on a 3750 - question

    I have a 3750 that is connected to another network via a layer-2 type connection. I have a specific set of tcp and udp ports that I want to allow access to via this switch. In taking a look at the documentation I see that I can apply Port ACL's directly to layer-2 interfaces, but that it will only work "inbound" to the switch.
    Will this work:
    If I have (bad ascii net diagram):
    [hosta]--[rtr]--[switcha]-WAN-[switchb]
    I want to put an ACL on the l2 uplink from switchB to the wan (WAN is a metro-ethernet type l2 wan extension - rtr is a router) that only allows hosta to hit tcp ports 1000,2000 and 3000 on hosts sitting on switchb. I want to allow hosts on switchb to do whatever they want to hosta. Is it as simple as:
    access-list 101 permit tcp any any eq 1000
    access-list 101 permit tcp any any eq 2000
    access-list 101 permit tcp any any eq 3000
    and then applying that ACL onto the l2 uplink interface on switchb? Thinking that since Port ACL's only affect "inbound" direction - allowing inbound connections on the l2 uplink gets the packets onto my hosts on switchb, and there is nothing preventing the return traffic or new tcp connections from hosts on switchb -> hosta...?
    Thanks!
    -Frank

    Yes Frank, your idea seems to be okay.
    As per the document, you can configure only one type of per-user ACL on a Catalyst 3750 switch port: router ACLs or port ACLs. Router ACLs apply to Layer 3 interfaces, and port ACLs apply to Layer 2 interfaces. If a port is configured with a port-based ACL, the switch rejects any attempt to configure a router-based ACL on the same port. However, if a port is configured with a router-based ACL and then a port-based ACL, the port-based ACL overwrites the router ACL.
    When applying it to the L2 interface, give the "in" direction; in any case, "out" is not supported on L2 interfaces.
    So nothing looks to be preventing the return traffic.

  • ACL and performance

    Hi,
    I have CSS 11503 without SSL module (CSS11503-AC J0)
    I have to know something:
    The customer needs to protect the servers behind the LB (i.e. the service). To do this they want to limit connections to the VIP.
    In summary, they want only certain IP:port pairs to be able to reach the VIP.
    To do this I think I have to use an ACL, and one ACL has 20-25 clauses. Maybe I will have to add some new ACLs.
    So the question is:
    How does this ACL affect the performance of the CSS?
    Roughly how much does it degrade performance, in percent?

    ACLs with only permit|deny clauses are all performed in hardware, and therefore the impact on performance is null or almost null.
    If you have ACLs that do source NAT or select a preferred gateway or service, these are done in software and will have an impact that I unfortunately can't quantify, since it really depends on the config and traffic.
    Gilles.

  • How to filter packets in a router except with ACLs and a firewall?

    The subject says it all.
    I found something interesting while trying to perform a process.
    To filter by the ICMP protocol, the advice was that you should not use an ACL or a firewall.
    But no matter how I googled these ideas, there was no answer to this.
    Please share references about this, more keywords, or your knowledge.

    You are not clear on what you are trying to do.
    You want to block all ICMP without using access-lists?
    I think an intrusion prevention system is a very expensive solution for this.
    Technically, any device that can drop traffic is a firewall, so I don't see many other options for you. You could use a Linux box running iptables to do the same thing; however, that is still a firewall.

  • Who needs the ACLs and static NAT?

    I came upon a job whose network layout is kind of tricky. Here is the skinny:
    2 routers (both 1721s). One is SBCs and it plugs into the internet on WIC interface. Nic interface plugs into a PIX 506E Firewall. The firewall does the PAT. The other eth port on the firewall plugs into the switch. The other router's WIC card plugs into the franchise intranet, and the NIC plugs into the switch.
    All the PCs, servers, etc. have the default gateway set to the Ethernet interface of the franchise 1721. That router looks at the destination address and decides if it needs to go out its WIC (if the destination address is on the corporate intranet's subnet) or if it needs to go out to the internet (through the firewall and out the other router).
    Now here's what I am trying to accomplish:
    The customer wants to be able to telnet into one machine in the private network from her house.
    Obviously, I need an ACL on the SBC router because that's where the request is coming from. I have also set up static NAT on the router from a public IP (in our valid range that SBC provides) to the private IP of the machine that she wants to access.
    Currently, it is not working. I thought it had something to do with the other router so I started contacting the network engineers at the franchise office to get them to open up their router to allow telnet.
    I now think however, that the reason it is not working is I have the static NAT on the wrong device!!
    Shouldn't it be on the firewall, because the SBC router doesn't know anything about those private addresses (the PAT happens on the firewall).
    Is my hunch right? Can you please advise me on which devices will need changes in their ACLs and which device(s) will need static NAT mapping? I don't want to open anything I don't have to. Thanks!!

    I just came from the client's office. I am a little lost here. I am quite nifty at the CLI of a router or a switch, but every other firewall I have dealt with (SonicWall, WatchGuard, etc.) has had a web-based GUI. I am new in the field and have never configured a PIX before.
    Here's what I have right now:
    SBC router is configured to allow Telnet traffic in.
    The PIX 506E has PAT configured on it. I tried setting up static NAT on the firewall with no luck. Attached is my running config. Perhaps you could instruct me on some commands I can throw at this box to make this whole mess work!!
    Let 207.184.18.10 be the address of the internal machine we want to access and SERVER.PUBLIC.IP be the public address we should point our telnet client to get in.

  • Extended acl - multiple ports on same acl line

    hello
    I'm working on a (long) ACL and have started looking at putting multiple ports on the same line,
    e.g.
    instead of:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80
    permit tcp any host 10.10.10.1 eq 443
    i'd use:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80 443
    It's shortening the ACL considerably, but the question is:
    Does this method reduce the TCAM resources required (compared to writing the ACL in long hand)?
    What is the maximum number of ports that can be included on the same line? Is it platform/IOS dependent?
    thanks
    andy

    Hello
    No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:
    Cisco3750#show platform tcam utilization
    CAM Utilization for ASIC# 0                      Max            Used
                                                             Masks/Values    Masks/values
    IPv4 security aces:                          1024/1024         33/33
    Note: Allocation of TCAM entries per feature uses
    a complex algorithm. The above information is meant
    to provide an abstract view of the current TCAM utilization
    As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
    thanks
    Andy

  • I don't understand correlation between ACL and dACL. If dACL is downloaded to the Catalyst switch what is the status of the ACL

    Understanding  ISE and dACL.
    I don't understand the correlation between ACL and dACL.
    If a dACL is downloaded to the Catalyst switch, what is the status of the ACL attached to the physical port? Is the dACL appended to the existing ACL? When I typed 'sh ip access-list int fa0/1' I can see only the dACL for the access domain and the dACL for the voice domain appended to the previous dACL, and no ACL lines.
     Regards,
    Vice

    Hi,
    Downloadable ACLs (dACL) are applied from your RADIUS server based on authentication and authorization policies.  It overrides any standard interface ACL.
    Standard interface ACLs are in place to limit traffic on the port before 802.1x or MAB authentication.
    When an authenticated session terminates on the interface the standard ACL will be re-applied until the next authentication.

  • ACL and sequence numbers

    I had the first two lines in the access list and all was well; I then added the 3rd. I need to put the 3rd entry (deny host 10.1.30.51) after the second entry and before the permit any. Even though I created sequence numbers in order of the 3 entries (10, 20, 30), the sequence numbers didn't put them in order and they don't even show up in the show run. What went wrong? How is it possible to edit an ACL without sequence numbers?
    Cause if I had:
    10 deny x.x.x.x
    20 deny x.x.x.x
    30 permit any
    Then I could add, say, 15 deny x.x.x.x, but now I can't, and I don't even know what happened to the sequence numbers when I created them.
    Thanks.
    Standard IP access list 1
        deny host 10.1.30.50 (4 match(es))
        permit any (8 match(es))
        deny host 10.1.30.51
    Router#

    Hi Milan,
    Sequence numbers are indeed not supported if you define a numbered access list. With both standard and extended numbered ACLs, however, it is possible to do a trick: if you refer to them as named ACLs (use their number as their name), you actually are able to use the sequence numbers.
    For example:
    R1(config)# do show run | i access-list
    access-list 1 deny   192.0.2.1
    access-list 1 permit any
    access-list 100 deny   ip host 192.0.2.1 any
    access-list 100 permit ip any any
    R1(config)# do show ip access-l
    Standard IP access list 1
        10 deny   192.0.2.1
        20 permit any
    Extended IP access list 100
        10 deny ip host 192.0.2.1 any
        20 permit ip any any
    R1(config)# ip access-list standard 1
    R1(config-std-nacl)# 15 deny 192.0.2.15
    R1(config-std-nacl)# exit
    R1(config)# do show access-list
    Standard IP access list 1
        10 deny   192.0.2.1
        15 deny   192.0.2.15
        20 permit any
    Extended IP access list 100
        10 deny ip host 192.0.2.1 any
        20 permit ip any any
    R1(config)# ip access-list extended 100
    R1(config-ext-nacl)# 15 deny ip host 192.0.2.15 any
    R1(config-ext-nacl)# exit
    R1(config)# do show access-l
    Standard IP access list 1
        10 deny   192.0.2.1
        15 deny   192.0.2.15
        20 permit any
    Extended IP access list 100
        10 deny ip host 192.0.2.1 any
        15 deny ip host 192.0.2.15 any
        20 permit ip any any
    The router is even smart enough to disallow referring to a named ACL whose name is a number of the opposite type than stated on the command line:
    R1(config)# ip access-list standard 101
    % Invalid access list name.
    R1(config)# ip access-list extended 2
    % Invalid access list name.
    What Collin may have in mind, though, is that host entries in standard ACLs are reorganized to a different order than entered:
    R1(config)# ip access-list standard Test
    R1(config-std-nacl)# permit 10.0.0.1
    R1(config-std-nacl)# deny 10.0.0.2
    R1(config-std-nacl)# permit 10.0.0.3
    R1(config-std-nacl)# deny 10.0.0.4
    R1(config-std-nacl)# permit 10.0.0.5
    R1(config-std-nacl)# deny 10.0.0.6
    R1(config-std-nacl)# permit 10.0.0.7
    R1(config-std-nacl)# deny 10.0.0.8
    R1(config-std-nacl)# permit any
    R1(config-std-nacl)# exit
    R1(config)# do show access-list Test
    Standard IP access list Test
        80 deny   10.0.0.8
        20 deny   10.0.0.2
        30 permit 10.0.0.3
        10 permit 10.0.0.1
        60 deny   10.0.0.6
        70 permit 10.0.0.7
        40 deny   10.0.0.4
        50 permit 10.0.0.5
        90 permit any
    R1(config)# do show run | section Test
    ip access-list standard Test
     deny   10.0.0.8
     deny   10.0.0.2
     permit 10.0.0.3
     permit 10.0.0.1
     deny   10.0.0.6
     permit 10.0.0.7
     deny   10.0.0.4
     permit 10.0.0.5
     permit any
    This reordering happens only with standard ACLs and is a result of indexing the host entries in the ACL into a hash table (the hash function being XOR of individual octets of the IP address in the host entry) for faster access. When printing out the ACL, first the host items are printed out in the order they are stored in the hashing table, and only then the remaining entries that use wildcards. Wildcard entries are not reordered.
    The funny thing is that the ACL is actually even stored in the configuration in the reordered form, and thus evaluated in a reordered form, which can be confusing. However, you may have noticed that the router will prohibit you from entering a host ACL after entering a wildcard ACL that also matches the IP address in a wildcard entry:
    R1(config)# ip access-list standard Test2
    R1(config-std-nacl)# permit 10.0.1.0 0.0.0.255
    R1(config-std-nacl)# deny 10.0.1.1
    % Access rule can't be configured at higher sequence num as it is part of the existing rule at sequence num 10
    R1(config-std-nacl)#
    Why is this? Obviously, a host entry can either select the same action for a packet that would be taken by a more general wildcard entry (in which case it is not necessary for the host entry to be entered at all), or it can override the action that would be chosen by a more general wildcard entry. In this second case, it is necessary for this host entry to be placed in the ACL first, otherwise it would never be reached. Ordering of host entries themselves can be arbitrary, as they do not influence each other. This leads us to a general logic in standard ACLs - it is required to put all host entries first, and wildcard entries last. Now it is completely logical to visit all host entries first (indexed by a hash for rapid access), and then visit the wildcard entries.
    Quite a long post... sorry for that. Hopefully, we've resolved some of the doubts.
    Best regards,
    Peter
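To make the reordering concrete, here is an added Python model (not Cisco's code and not part of the thread) of the three behaviours described above: host entries indexed by the XOR-of-octets hash, 'show' walking the hash table before the wildcard entries, and a host entry being rejected when an earlier wildcard entry already covers it. It assumes the hash buckets are walked in ascending hash order, which the post does not state but which reproduces the 'Test' listing exactly.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Ace:
    """One standard-ACL entry, e.g. 'permit 10.0.0.1' or 'deny 10.0.1.0 0.0.0.255'."""
    seq: int
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # 0.0.0.0 = host entry, 255.255.255.255 = any

    @property
    def is_host(self):
        return self.wildcard == "0.0.0.0"

    def matches(self, ip):
        # A 1 bit in the wildcard mask means "don't care" for that bit.
        a, w, i = (int(IPv4Address(x)) for x in (self.address, self.wildcard, ip))
        return (a & ~w) == (i & ~w)


def octet_hash(ip):
    """The hash the post describes for host entries: XOR of the four octets."""
    h = 0
    for octet in ip.split("."):
        h ^= int(octet)
    return h


class StandardAcl:
    def __init__(self, name):
        self.name = name
        self.entries = []        # in the order the operator typed them

    def add(self, action, address, wildcard="0.0.0.0"):
        """Append an entry; reject a host entry an earlier wildcard entry covers."""
        seq = self.entries[-1].seq + 10 if self.entries else 10
        ace = Ace(seq, action, address, wildcard)
        if ace.is_host:
            for existing in self.entries:
                if not existing.is_host and existing.matches(address):
                    raise ValueError(f"host {address} is part of the existing "
                                     f"rule at sequence num {existing.seq}")
        self.entries.append(ace)
        return ace

    def stored_order(self):
        """Host entries in hash-table order, then wildcard entries as entered.
        Assumption (not stated in the post): buckets are walked by ascending hash."""
        hosts = sorted((e for e in self.entries if e.is_host),
                       key=lambda e: octet_hash(e.address))
        return hosts + [e for e in self.entries if not e.is_host]

    def show(self):
        """Lines as 'show access-list' would print them."""
        lines = [f"Standard IP access list {self.name}"]
        for e in self.stored_order():
            target = e.address if e.is_host else (
                "any" if e.wildcard == "255.255.255.255" else f"{e.address} {e.wildcard}")
            lines.append(f"    {e.seq} {e.action:<6} {target}")
        return lines

    def evaluate(self, ip):
        """First match in stored order wins; implicit deny at the end."""
        for e in self.stored_order():
            if e.matches(ip):
                return e.action
        return "deny"


def build_test_acl():
    """Reproduce the 'Test' ACL typed in the post (permit odd hosts, deny even)."""
    acl = StandardAcl("Test")
    for n in range(1, 9):
        acl.add("permit" if n % 2 else "deny", f"10.0.0.{n}")
    acl.add("permit", "0.0.0.0", "255.255.255.255")
    return acl
```

`build_test_acl().show()` yields the sequence order 80, 20, 30, 10, 60, 70, 40, 50, 90 seen in the post, and `StandardAcl("Test2")` with a `permit 10.0.1.0 0.0.0.255` followed by `deny 10.0.1.1` raises the equivalent of the router's error.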

  • RVS4000 IP Based ACL and NAT

    Hi,
    I'm having an issue with a Linksys RVS4000 which doesn't appear to be behaving as I think it should.
    I need to forward a port (Single Port Forwarding) through to an internal NAT host. However, I only want that host/port to be accessible from one host on the internet, for security reasons.
    I have created the port forwarding entry and this works fine. I then created two rules in IP Based ACL - one to block all access to that port from the WAN interface and one to allow access from a single host.
    However, it appears that when a port forwarding entry is added, it will completely bypass the ACL and allow all traffic for that port/host by default.
    Is this the correct behaviour?
    Firmware version is v1.2.11
    Regards,
    Adam

    Hi,
    Thank you for replying. However I have already tried as you have suggested and it is still not working.
    My Single Port Forwarding looks like this:
    Application: SMTP External Port: 25 Internal Port: 25 Protocol: TCP IP Address: 192.168.xxx.xxx Enabled: Yes
    My rules in IP Based ACL look like this (columns from left to right):
    1 YES Allow SMTP WAN 203.xxx.xxx.xxx 192.168.xxx.xxx Any Time Every Day  
    2 YES Deny SMTP WAN ANY ANY Any Time Every Day 
    My goal is to only allow 203.xxx.xxx.xxx to have access to port 25 on 192.168.xxx.xxx. However, even with the rules above enabled, all external hosts have access to port 25 on 192.168.xxx.xxx.

  • Hyper-V port ACLs not accepted from VMM

    I am trying to centrally manage all my port ACLs for VM net adapters from VMM but I am not able to run the command.
    I try to run the command "Add-VMNetworkAdapterExtendedAcl" from the SCVMM PowerShell terminal:
    PS C:\Users\Administrator> Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Direction "Outbound" 80 "TCP" -Weight 1 -Stateful $true
    And get the following:
    Add-VMNetworkAdapterExtendedAcl : The cmdlet cannot find a specified class. Verify that the relevant feature is
    enabled on the operating system.
    At line:1 char:1
    + Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Directio ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Add-VMNetworkAdapterExtendedAcl], VirtualizationOperationFailedException
        + FullyQualifiedErrorId : Microsoft.HyperV.PowerShell.Commands.AddVMNetworkAdapterExtendedAclCommand
    Any ideas?
    SamG

    Hi SamG,
    Agree with the others.
    Also, you can run the PowerShell command "Enable-PSRemoting -force" on the destination Hyper-V server (the system will prompt you to confirm some settings during
    the setup; select A for Yes to All to confirm all of them).
    Then on your local computer run the following PowerShell:
    $cred = Get-Credential -Credential xxxxxx\administrator
    (you need to enter the user name and password of the remote computer)
    Enter-PSSession -ComputerName xxxxxx -Credential $cred
    After that, maybe you can use PowerShell remotely.
    For details please refer to following links:
    http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/17/learn-how-to-manage-remote-powershell-sessions.aspx
    Best Regards
    Elton Ji

  • Run port ACL command from SCVMM

    I am trying to centrally manage all my port ACLs for VM net adapters from VMM but I am not able to run the command.
    I try to run the command "Add-VMNetworkAdapterExtendedAcl" from the SCVMM PowerShell terminal:
    PS C:\Users\Administrator> Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Direction "Outbound" 80 "TCP" -Weight 1 -Stateful $true
    And get the following:
    Add-VMNetworkAdapterExtendedAcl : The cmdlet cannot find a specified class. Verify that the relevant feature is
    enabled on the operating system.
    At line:1 char:1
    + Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Directio ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Add-VMNetworkAdapterExtendedAcl], VirtualizationOperationFailedException
        + FullyQualifiedErrorId : Microsoft.HyperV.PowerShell.Commands.AddVMNetworkAdapterExtendedAclCommand
    Any ideas? Is there a similar command for SCVMM?
    SamG

    You are running a Hyper-V cmdlet, not an SCVMM cmdlet. Is the Hyper-V PowerShell module installed?
    As far as I know, SCVMM does not support port ACLs at this time.
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

  • Extended ACL and FTP

    We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?
    permit tcp any any established

    Maybe this link should help.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
    Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.
    So instead of using
    access-list 100 permit tcp any host 192.168.1.100 gt 1023
    you should use
    access-list 100 permit tcp any host 192.168.1.100 range 6000 6100
    But, in my opinion, from the server's view, active FTP is more secure than passive.
    Hope this helps
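As an added example (not from the thread), a small Python evaluator for the extended ACEs discussed above, applied outbound towards the LAN that holds the FTP server: `established` only matches segments with ACK or RST set, so a client's SYN for a passive data connection is dropped until the passive range is permitted, while the client's SYN/ACK answering an active-mode connection from port 20 passes. Assumed: the server is 192.168.1.100 as in the reply, the client addresses and traffic are constructed, and a `permit ... eq 21` for the control channel exists.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment as the ACL sees it (constructed sample traffic)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp any <dst> <port test> [established]' entry."""
    action: str
    dst_host: Optional[str] = None                # None means 'any'
    eq: Optional[int] = None
    port_range: Optional[Tuple[int, int]] = None  # 'range LOW HIGH'
    established: bool = False

    def matches(self, s: Segment) -> bool:
        if self.dst_host is not None and s.dst != self.dst_host:
            return False
        if self.eq is not None and s.dport != self.eq:
            return False
        if self.port_range is not None and not (
                self.port_range[0] <= s.dport <= self.port_range[1]):
            return False
        # 'established' matches only segments with ACK or RST set, never a bare SYN.
        if self.established and not (s.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Ace], s: Segment) -> str:
    """First matching ACE decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(s):
            return ace.action
    return "deny"


SERVER = "192.168.1.100"   # FTP server address used in the reply
CLIENT = "198.51.100.7"    # constructed external client

# ACL after 'gt 1023' was replaced by 'established' (control-channel permit assumed).
ESTABLISHED_ONLY = [
    Ace("permit", dst_host=SERVER, eq=21),
    Ace("permit", established=True),
]
# The reply's fix: additionally permit the server's passive data range.
WITH_PASSIVE_RANGE = ESTABLISHED_ONLY + [
    Ace("permit", dst_host=SERVER, port_range=(6000, 6100))]

# Constructed segments travelling towards the LAN during one FTP session.
TRAFFIC = {
    "control SYN": Segment(CLIENT, 50000, SERVER, 21, frozenset({"SYN"})),
    "control data": Segment(CLIENT, 50000, SERVER, 21, frozenset({"ACK", "PSH"})),
    "passive data SYN": Segment(CLIENT, 50001, SERVER, 6005, frozenset({"SYN"})),
    # active mode: the server opened from port 20; this is the client's answer
    "active data SYN/ACK": Segment(CLIENT, 50002, SERVER, 20, frozenset({"SYN", "ACK"})),
    # a third party probing the passive range, to show what the fix also admits
    "unsolicited SYN": Segment("203.0.113.9", 4444, SERVER, 6050, frozenset({"SYN"})),
}


def verdicts(acl: List[Ace]) -> dict:
    """Map each constructed segment name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, seg) for name, seg in TRAFFIC.items()}
```

`verdicts(ESTABLISHED_ONLY)` denies only the passive data SYN, which is the FTP breakage in the question; `verdicts(WITH_PASSIVE_RANGE)` permits it, but also permits the unsolicited SYN from any source into 6000-6100, which is the trade-off behind the remark that active FTP is the safer choice from the server's view.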

  • ACL and HSRP

    Nexus 5596UP
    Regarding RACLs and HSRP
    How many HSRP groups does the Layer3 module support ?
    The Layer 3 module supports 2048 RACLs. What does that mean?
    Is that the number of entries or the number of acls its supports ( and the acl can be as big as you want? )
    I am looking at this but don't quite understand it:
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-682225.pdf
    Best Regards
    Thomas
    Zitcom A/S

    Not true. Your example is 2 RACLs. Please see the following output:
    switch# sh run int e1/1
    !Command: show running-config interface Ethernet1/1
    !Time: Fri Aug 19 01:20:56 2011
    version 5.0(3)N1(1a)
    interface Ethernet1/1
      ip access-group test in
      no switchport
      ip address 1.1.1.1/24
    switch# sh run | sec access-list
    ip access-list test
      10 permit ip 1.1.1.1/32 2.2.2.2/32
      20 permit ip 2.2.2.2/32 3.3.3.3/32
      30 permit ip 3.0.0.0 255.0.0.0 1.0.0.0/24
    switch# sh ip access-list sum
    IPV4 ACL test
            Total ACEs Configured: 3
            Configured on interfaces:
                    Ethernet1/1 - ingress (Router ACL)
            Active on interfaces:
                    Ethernet1/1 - ingress (Router ACL)
    HTH,
    jerry

  • UCCE 7.5.1 - CTI Route Point and CTI Ports not registering in UCM 7.1

    We are in the middle of a new installation of UCCE 7.5.1. The customer will use it only for outbound calls. The design is to have one PROGGER and one AW, with a cluster of two CallManagers. All the setup has been finished regarding the UCCE. Also, the CallManagers have been configured regarding the CTI Route Point and the CTI Ports. All of these are associated with the PG USER, which is CTI enabled. Configuration on UCCE has been done, including the DIALER, except for the agents and the campaigns.
    The problem is that the CTI Route Point and the CTI Ports on CallManager are not registering. Is this normal, since the agents and the campaigns have not been configured yet or there is an error somewhere?

    Looks fine.
    Is the Dialer running? Maybe those 30VIP phones the Dialer uses as ports to dial from won't be registered until the Dialer starts.
    But they should also be registered if you start dialogictest over the full set.
    What's the "route point". Who asks for it? Is it a dialed number that runs a script?
    Regards,
    Geoff

  • XSAN, ACLs and new OD users.

    I have an Xsan FS with ACLs and OD enabled.
    If I create an ACL for existing folders and assign group (A) permissions to it, the rules work perfectly, but only for users in this group (A) who were added before the ACL was assigned.
    If I create a new OD user and add it into group A after the ACLs were configured, the user has no group permissions to this folder.
    Has anybody met this issue?

    So do you want to have this new server running alongside the old one, or set up the new server for a subset of users and then decommission the SL server? If alongside, is it for redundancy or to provide a separate set of services for a subset of users?
    If alongside for redundancy, then it makes sense to let it use the existing OD.
    If it's for one of the other purposes, you'll need to:
    1. Set the new server up in isolation from the old one (this allows you to create a new OD master)
    2. Configure services
    3. If you need to copy/move user data from the SL server, you'll have to take services on the SL server offline for the time it takes to copy/move.
