VLANs, subinterfaces, access-lists and 3560 Catalyst switch?

Hi,
How can I isolate VLAN 121 from all the others?
I have a Cisco 2811 router connected to a 3560 Catalyst switch which has 5 VLANs, of which I need to protect the IP traffic of 4 from 1.
The following VLANs are configured on the switch:
VLAN 0 192.168.132.0/24
VLAN 135 192.168.135.0/24
VLAN 137 192.168.137.0/24
VLAN 139 192.168.139.0/24 and lastly,
VLAN 121 192.168.121.0/24, which I wish to isolate from all IP traffic of VLAN 0, 135, 137 and 139 but still have Internet access out the 2811's other interface. Currently all VLANs and routing are working perfectly.
I need some advice please. Here is my plan: split Fa0/0 into Fa0/0.1 for VLAN 121 using dot1q and apply an access-list to the Fa0/0 interface that denies 192.168.121.0. Since I'm essentially creating VLANs on the router, can or will that interfere with the switch VLAN configuration? Router on a stick vs. a Layer 4 Cisco 3560 Catalyst switch?
Thank you!

I will have to assume VLAN 0 is the native VLAN / default interface on the router? All VLANs are numbered, native or not. Just ensure the VLAN numbering matches between the router and the trunking on the switch.
Yes, you could create a subinterface on the 2811 and use the router to route the VLAN. Apply an access list on the other interfaces to block access to the VLAN you want to protect. If you have routing enabled on the 3560 as well, you would complicate the situation a bit more.
Please rate helpful posts! :-)

Similar Messages

  • Access List and Conflict Resolution Problem!

    My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
    I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
    Setting the Conflict Resolution Level
    You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
    See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
    Unfortunately the referenced Adminstration Guide for DSAME contains exactly 0 occurances of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
    So, I've set up my Access List services as follows:
    o URL Deny is blank on all Access Lists
    o URL Allow set as follows
    ---- isp
    ------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
    ---- acme.com organization
    ------- Conflict Resolution: Highest
    ------- http://portal.acme.com/portal/* (same as above)
    ---- Acme Customers Role - shared role for all Acme customers
    ------- Conflict Resolution: Medium
    ------- http://www.acme.com/*
    ------- http://support.acme.com/*
    ------- http://support2.acme.com/*
    ---- RoadRunner role - specific role for a specific customer
    ------- Conflict Resolution: Medium
    ------- http://roadrunnerinfo.acme.com/*
    The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
    The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
    If I set the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels) results in the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
    If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
    So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
    Thanks!
    -matt

    Did you ever get anywhere with this? My experiments seem to indicate that you cannot successfully combine Access and Deny directives across roles, or organizational defaults and a role.

  • Mac access-list enable on catalyst 2924xl ??

    Does the command mac access-list run on a Catalyst 2924 switch running the 2900XL IOS, version 12.0(5)WC12?
    Thanks

    Hi,
    2900/3500 XLs do not support ACLs.
    regards,
    -amit singh

  • ACE access-list and Passive FTP

    Can servers sitting behind the ACE successfully FTP files if the following rules are in place?
    access-list word line x extended permit tcp source destination eq 21
    access-list word line y extended permit tcp source destination eq 20
    With those lines I can establish an FTP session, but I am unable to transfer files.
    With the following statement, access-list word line x extended permit ip source destination, passive FTP works?
    Is this because the ACE ACL does not allow for stateful inspection of an FTP session?
    Thank you

    You are right, the lack of fixup/inspect is the reason for the FTP connections to fail.
    You need something along the lines of the following config:
    class-map match-all FTP-Traffic
    2 match port tcp eq ftp
    policy-map multi-match xyz
    class FTP-Traffic
    inspect ftp
    Syed Iftekhar Ahmed

  • Wireless Card Access List and Airport Extreme ?

    I would like to know if there is a possibility to restrict access to an AirPort Extreme N base station Wi-Fi network to specific MAC addresses.
    Thanks

    Access control (MAC address filtering) provides no real security and could lull you into the feeling that your wireless network is secure.
    The MAC addresses of connected clients are easily discovered and cloned. Furthermore, access control provides zero protection for the actual wireless traffic. Anyone (regardless of MAC address) can monitor the wireless traffic.

  • Problem with access list in interface for Switch CORE

    Hi,
    The end user wants to mirror his Windows or Mac computer with AirParrot. The TV is connected by wireless network and the user is connected to the guest network (also wireless). I have a problem when I associate an ACL to interface VLAN X in the core switch: even though there is connectivity between the Windows or Mac computer and the TV (I allow in the ACL traffic for some specific devices to the guest network), the device is not shown in AirParrot, so he can't mirror his PC or Mac.
    Does any of you know whether this kind of application requires some special config for ACLs?
    regards

    Rik,
    I am not a huge fan of this solution but here ya go:
    Remove the WITH statements and replace the table and column references according to your tables.
    LOV definition:
    with fruit_lov_data as (
      select 'Apple' fruit from dual union
      select 'Mango' from dual union
      select 'Pineapple' from dual union
      select 'Apple, Mango, and Pineapple' from dual union
      select 'Pineapple, Grapes' from dual union
      select 'Grapes, Mango' from dual
    )
    select fruit d, replace(translate(fruit, ', ', ':'), ':and', ':') r
      from fruit_lov_data
    Report definition:
    with fruits as (
      select 'Apple' fruit from dual union all
      select 'Grapes' fruit from dual union all
      select 'Mango'        from dual union all
      select 'Pineapple'    from dual
    )
    select *
      from fruits
     where (instr(':' || :P15_SELECT_LIST || ':', ':' || fruit || ':') > 0
         or :P15_SELECT_LIST is null)
    There are potentially many flaws using the above code. One of which is a potential bug if there is ever a fruit that begins with 'and'. It is also dependent on 'and' always being in lowercase; of course you could upper both the bind variable and the column in your report.
    Cheers,
    Tyson Jouglet
    Edited by: Tyson Jouglet on Jan 20, 2011 9:46 AM
    Edited by: Tyson Jouglet on Jan 20, 2011 9:53 AM

  • Access-list in Cisco 3560 Series Switch

    Guys,
    I will be implementing access-lists on a 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow the ports that the users need to access. The ports will be as follows: TCP 80, 81, 8080, 25, 110, 143; UDP 23 and the ports used by the IP phones.
    Hope you can help me guys.
    Thanks,
    John

    And then don't forget to apply this access-list on the interface or VLAN you want it on.
    You can use a number for the ACL > 100 or a name as indicated earlier.
    If you go with just a number:
    access-list 100 permit tcp any any eq 80 81 ...
    access-list 100 permit udp any any eq 23
    int g1/0/1
    ip access-group NAME in
    OR
    ip access-group 100 in
    For example:
    NMS-3750-A(config-if)#ip acc
    NMS-3750-A(config-if)#ip access-group ?
    <1-199> IP access list (standard or extended)
    <1300-2699> IP expanded access list (standard or extended)
    WORD Access-list name

  • Pb access-list Catalyst 4507r

    Hi
    I have 2 VLANs: 192.168.38.0 and 192.168.31.0.
    In the 38.0 network, I have an Exchange server.
    And in the 31.0 network, I have clients (Microsoft Outlook).
    The problem is that when I configure the access-list, the client starts a port 135 communication but doesn't get an answer.
    But if I open all the ports, it's OK.
    Here is my access-list.
    Could you confirm whether it's OK?
    Thank you in advance
    access-list 131 remark sur interface vlan 31 Client NB
    access-list 131 permit ip any 192.168.31.0 0.0.0.255
    access-list 131 permit tcp any host 192.168.38.203 eq 135
    access-list 131 permit icmp any 192.168.38.0 0.0.0.255
    access-list 131 deny ip any any
    access-list 138 remark sur interface vlan 38 Bureautique
    access-list 138 permit ip any 192.168.38.0 0.0.0.255
    access-list 138 permit icmp any 192.168.31.0 0.0.0.255
    access-list 138 deny ip any any

    Hi,
    Thank you very much.
    When I look with the Ethereal software, the client needs to open a port range (>1024).
    Please give me the access-list.
    Thanks in advance!!

  • How to create an access list on a core switch to block all Internet traffic & allow some specific Internet traffic

    Hello Everyone,
    I am trying to create an access-list on my core switch, in which I want to allow a few Internet websites and block the rest of them.
    I want to allow the whole intranet, but a few intranet websites also need access to the Internet.
    Can we create such an access-list with the above requirement?
    I tried to create the ACL on the switch but it blocks all Internet access.
    I want to do it for a subnet, not for a specific IP.
    Can someone help me in creating such an access list?
    Thanks in advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (intranet), one for the allowed servers that can use the Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit ip any object-group intranet
    permit ip object-group allowed_servers object-group allowed_sites
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

  • ACE access-list best practice

    Hi,
    I was wondering what the best practice is for the access-lists on the Cisco ACE.
    Should we permit any in the access-list and classify the traffic in the class-maps, as seen in this brief example:
    access-list ANY line 10 extended permit ip any any
    access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
    access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
    class-map match-all EXCH-DMZ-INTERNET-OUT
      2 match access-list EXCH-DMZ-INTERNET-OUT
    policy-map multi-match EXCH-DMZ-OUT
    class EXCH-DMZ-INTERNET-OUT
        nat dynamic 1 vlan 1001
    interface vlan 756
      description VLAN 744 EXCH DMZ BE
      ip address 10.134.11.253 255.255.255.0
      alias 10.134.11.254 255.255.255.0
      peer ip address 10.134.11.252 255.255.255.0
    access-group input ANY
      service-policy input EXCH-DMZ-OUT
    Or should we also use the access-list for the access-group on the interface, as seen below:
    access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
    access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
    class-map match-all EXCH-DMZ-INTERNET-OUT
      2 match access-list EXCH-DMZ-INTERNET-OUT
    policy-map multi-match EXCH-DMZ-OUT
    class EXCH-DMZ-INTERNET-OUT
        nat dynamic 1 vlan 1001
    interface vlan 756
      description VLAN 744 EXCH DMZ BE
      ip address 10.134.11.253 255.255.255.0
      alias 10.134.11.254 255.255.255.0
      peer ip address 10.134.11.252 255.255.255.0
      access-group input EXCH-DMZ-INTERNET-OUT
      service-policy input EXCH-DMZ-OUT
    Regards,

    Hello,
    I don't think you'll find a "best practice" for this scenario. It really just comes down to meeting your needs. The first example you have is far and away the more commonly seen configuration, as you'll only NAT the traffic matching EXCH-DMZ-INTERNET-OUT, but all other traffic will be forwarded by the ACE whether it is load balanced or not. The second way will only allow NAT'd traffic, and deny all others.
    Hope this helps,
    Sean

  • Access-list MGCP?

    On my Cat6500, do I need to create an access-list to allow MGCP traffic on ports 2427 and 2727 through? I know this sounds dumb, but for some reason on my Allied switch MGCP traffic flows fine with no access list and it doesn't on the Cat6500.
    Thanks!

    You don't, unless you have an FWSM, or any kind of ACLs, or maybe a VLAN issue, or IP routing / VLAN routing issues.
    Check those issues.
    Rate if helpful

  • MAC access-list on switching platforms

    Please advise if I am in the wrong group, and I'll move the post.
    I would like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
    Here is the link I am looking at:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    MAC-based ACLs can be configured on the router. You will need to use an access-list numbered in the range 700-799.
    A sample statement would be: access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.

  • Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

    Hello all,
    Is it possible to tell a FlexConnect AP whether the client on a single SSID should be locally switched or centrally switched and, if centrally switched, which VLAN it should use?
    All I got so far was either central switching with dynamic VLAN assignment or local switching with a static VLAN (because it falls back to the default static VLAN configured on the AP if the RADIUS-assigned VLAN doesn't exist), but I need a FlexConnect AP that puts client A into the locally switched VLAN A and client B into the centrally switched VLAN B, both on the same SSID. Is there a RADIUS attribute to tell a FlexConnect AP how to handle this while non-FlexConnect APs ignore it?
    To be more detailed:
    At the central location all APs are running in local mode; RADIUS assigns different VLANs to the clients (different departments), let's say client A = VLAN 100, client B = VLAN 200, and this works fine. At the remote locations the APs are running in FlexConnect mode with default VLAN 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At these locations RADIUS also says client A = VLAN 100, but client A should be forwarded to local VLAN 10 (which already works because there is no VLAN 100 configured on the AP, so the default static configuration with VLAN 10 is used), while client B should stay in VLAN 200 and should be centrally switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another SSID isn't a valid option.
    Thank you,
    Christian

    Hi Christian.
    This is what the 7.3 mobility design document says about "FlexConnect VLAN Based Central Switching", which is listed in the above slide.
    "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
    In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
    FlexConnect VLAN Central Switching Summary
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode is as follows:
    • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
    • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
    • If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
    • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode is as follows:
    • If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
    • If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into the returned VLAN and traffic will switch locally.
    • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
    Enjoy your weekend & I am sure you will be able to get this working.
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • MS Access, SharePoint and Security

    Let's say I sign up for Office 365.
    I use the SharePoint Site that comes with it to house my MS Access Lists and my compiled database *.accmde file.
    Can I set up a separate sub-site with only admin access to house a list of user IDs and passwords, so that when the user runs the database, it looks up this list and identifies the user, the type of user, and which filter to apply to the data in the full access sites?
    If that works, then I would also want to put the data in a limited sub-site and have the accmde file retrieve that data behind the scenes. I would like to limit accidental access to the data if at all possible.
    Any suggestions on how to design the tool for this?
    Frank

    Hi FrankHayAlexcander
    It seems you have the following questions about hosting Access data on Office 365:
    Can Access connect to multiple SharePoint sub-sites?
    Can you store User info in one sub-site to control what data the user sees?
    Can you hide these sub-sites so that users can't accidentally see this data?
    The short answer is that I'm not sure that what you are trying to do is even possible in a Web database published to SharePoint, and certainly would be very difficult in a traditional database.
    If you create a Web database in Access 2010 and publish it to SharePoint, then it is limited to the tables / SharePoint Lists in that sub-site.
    In this case the credentials of the user are passed to SharePoint to retrieve data. This means that to read the list the user would have to have permissions, and so they could go to the site directly and see the same data.
    Using SharePoint permissions you could control what the user can see, but Access isn't going to be able to add much to that.
    If you create a traditional database, then you can link to lists in multiple SharePoint sites as well as other providers like SQL and Excel.
    When you create the linked table here you have the option to store the credentials with the linked table.
    If you do not store the credentials, the user will be prompted for the credentials to use.
    You could store the credentials for an admin user when you link the table, but the problem is that if a user opens your database in the full version of Access and can get to the linked tables, they will be able to see all of the data anyway.
    When it comes to security, the best answer is always to secure the data using the native features of the data store such as SharePoint, SQL, etc.
    Best Regards,
    Nathan Ost
    Microsoft Online Community Support
    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Time Capsule Access Control and Extended Network Question

    I have a Time Capsule where I have set up a wireless network access list…and extended the network using an Airport Express unit. The Airport Express unit also has settings for an Access Control list. Do these need to be the same as the those for the network from TC that it is extending…or does that happen automatically…and if not what on earth are they for?
    Thanks for any help…this doesn't seem clear from what I've read/seen.
    James

    Unfortunately, they are not automatically applied to each base station in an extended network. You would have to manually enter the exact same list in each base station.
