Cisco Catalyst 3500XL - Access-list Question

Have a Cat3500XL running Version 12.0(5)WC10 and I want to apply inbound acl's by port.  Is this possible?  I can build the acl's, but can't seem to apply them to an interface.  Is this a limitation of a layer 2 switch?

Thanks,
C
cory_spenceAsked:
gpriceeeCommented:
I'd still have them in a DMZ.  Can you just throw another DMZ into the 525?
0
 
gpriceeeCommented:
It sounds like you're trying to use Layer3 ACLs on a Layer2--as you said; however, the following link might help you to accomplish what you're attempting to accomplish: http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f242.html#xtocid5747
0
 
lrmooreCommented:
Are you looking for mac-based acls, or layer 3 IP access-lists?
I don't think that the 3500XL is capable of access-lists restrictions by interface
The 3550 is because it is a layer 3 device. The XL series are layer 2
0
cory_spenceAuthor Commented:
That's what I was afraid of.  I've inherited the network admin position.  Love that the previous guy had Windows machines hanging off the Internet completely exposed.  What I wanted to do was replace the crappy Dell 16 port SOHO switch with a cat3500xl - so we can have a REAL switch with span-port capabilities.  Thought while I was at it, could have some acl's in place to protect those outside machines.  I've got a 3750 that I'll be freeing up soon, but I hate to use that switch for this.  Any suggestions as to how I could protect those machines?  Is the Microsoft TCP/IP filtering any good?

Thanks,
C
0
 
gpriceeeCommented:
In the meantime, you can get a Linksys or Netgear firewall/router and put that in place.
Cheap, temporary solution so you can sleep.
0
 
lrmooreCommented:
>Is the Microsoft TCP/IP filtering any good?
Are you kidding? How many <critical> patches have come out this year alone?

I'd seriously consider a good firewall like a PIX 515 or something to put in front of these windows boxes. Even a Linksys SPI firewall would be better than 'bare naked' on the Internet..

0
 
lrmooreCommented:
Great minds think alike, right gpriceee?
0
 
gpriceeeCommented:
Ha!
Same page.
Along the pix line, if it's simply temporary, and you need a quick fix, the 501 is cheap and has the pix feature set: no DMZ though.
0
 
cory_spenceAuthor Commented:
No, no, don't get me wrong.  MS TCP/IP filtering is not the long term solution.  Just need to get some sleep, like gpricee said.

Got a PIX 525 setup like this:

INET ROUTER >>> DELL CRAP-A$$ Switch >>> PIX 525 OUTSIDE INT (public class c)
                             > SMTP/DNS/MISC                   >>> DMZ INT (another public class c)
                                                                                    >>> INSIDE INT (private class b)

So, how would I bring the outside stuff behind the pix?  I want to throw it all in the DMZ, but I can't change the IP's of these boxes without some huge planning.  I'm not crazy about doing the pix behind a pix either.  Kinda stuck in that I don't want to change anything too drastically right now, but at the same time want to put SOME level of protection in place.

I need to let this one soak a little.
C
0
 
gpriceeeCommented:
It should be:

INET ROUTER>>>PIX 525 OUTSIDE INT
                           >>>>DMZ
                                  SMTP/DNS/MISC
                         
                            >>>>INSIDE INT
                                         LAN

Throw the boxes in the dmz, give them statics, and you won't have to change the IPs.
0
 
cory_spenceAuthor Commented:
This would require that I change the IP addresses to get them into our DMZ class c, causing mucho breakage.  I suppose I could translate from the Outside class c to our inside.  Then, throw the cat3500 in there just for the span-port/sniffing.  

Hmmmmm.  Whad'ya think?

C
0
 
cory_spenceAuthor Commented:
I see what you mean now.  I could see this being the perfect solution in the long term, but doesn't really help out the situation I've got.  Just want to get things secured while we plan out the year.

C
0
 
gpriceeeCommented:
Then I'd do the cheap, temporary firewall off the DELL CRAP_A$$ Switch
0
 
cory_spenceAuthor Commented:
Would that mess up my routing?  If the PIX answers for the two public class c's and I throw another firewall in the mix, wouldn't that cause some confusion as to where the packets go - specifically to the outside class c?  

What I may end up doing is throwing some acl's on the INET router to restrict what ports are open based on the IP addresses of these outside machines.  May put a little more burden on the router, but 9 machines x 10 lines per each isn't too bad.  Then I can gradually move them to the inside and translate everything to the outside.

What a mess.

0
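Added example (not posted by anyone in the thread): what the "acl's on the INET router" approach from the comment above looks like as an IOS named extended ACL, applied inbound on the router's Internet-facing interface. Everything here is assumed: the addresses are placeholders from the 192.0.2.0/24 documentation range standing in for the exposed public class C (192.0.2.10 as an SMTP host, 192.0.2.11 as a DNS host), and Serial0/0 is an assumed interface name. The pattern is the same for each of the nine machines: permit the handful of ports the box actually serves, permit the return traffic it needs, deny the rest to that host with logging, and end with a permit so the router never filters traffic that belongs to the PIX 525 (its outside address, the DMZ class C, and any NAT pool behind it).

```cisco
! Added example, not the poster's config. Placeholder addresses and
! interface name; substitute the real exposed hosts one block per machine.
ip access-list extended INET-IN
 remark --- 192.0.2.10 (assumed SMTP host): only port 25 from the Internet
 permit tcp any host 192.0.2.10 eq smtp
 remark --- replies to connections the box itself opened outbound
 permit tcp any host 192.0.2.10 established
 remark --- enough ICMP for path MTU discovery and traceroute to keep working
 permit icmp any host 192.0.2.10 echo-reply
 permit icmp any host 192.0.2.10 unreachable
 permit icmp any host 192.0.2.10 time-exceeded
 remark --- everything else aimed at this box is dropped and logged
 deny   ip  any host 192.0.2.10 log
 remark --- 192.0.2.11 (assumed DNS host): port 53 tcp/udp from the Internet
 permit udp any host 192.0.2.11 eq domain
 permit tcp any host 192.0.2.11 eq domain
 remark --- answers from other name servers when this box does recursive lookups
 permit udp any eq domain host 192.0.2.11
 permit tcp any host 192.0.2.11 established
 permit icmp any host 192.0.2.11 echo-reply
 permit icmp any host 192.0.2.11 unreachable
 permit icmp any host 192.0.2.11 time-exceeded
 deny   ip  any host 192.0.2.11 log
 remark --- (repeat one block per exposed machine)
 remark --- The PIX outside address, its DMZ class C and its NAT pool are the
 remark --- PIX's job: let them through untouched rather than hitting the
 remark --- implicit deny at the end of the list
 permit ip any any
!
interface Serial0/0
 description Internet-facing link (assumed name)
 ip access-group INET-IN in
```

The closing `permit ip any any` is the piece that answers the routing worry: the router keeps forwarding everything for the PIX exactly as before, and only packets addressed to the listed hosts are inspected. Watch the `log` hits for a day or two before trusting the port list, since a box that quietly serves something not on the list will show up there rather than just breaking.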
 
gpriceeeCommented:
Without knowing how you have everything routed, it's hard to answer.  
If the pix has a route 0.0.0.0 0.0.0.0 to the router, you're going there to get back to the DELL anyway.

In the LAN, let everything through--then it really acts as a switch and not a firewall.
In the DMZ, setup the ACLs.

INET ROUTER >>> CHEAP FIREWALL w/DMZ
                                     >>(ACLs)>>DMZ >>>>SMTP/DNS/MISC                  
                                     >>(any any)>> LAN>>PIX 525 OUTSIDE INT (public class c)
                                                                             >> DMZ INT (another public class c)
                                                                             >> INSIDE INT (private class b)

DELL CRAP A$$ Switch (snack table)
0