cory_spence asked:
Cisco Catalyst 3500XL - Access-list Question

Have a Cat3500XL running Version 12.0(5)WC10 and I want to apply inbound acl's by port.  Is this possible?  I can build the acl's, but can't seem to apply them to an interface.  Is this a limitation of a layer 2 switch?

Thanks,
C
gpriceee

It sounds like you're trying to use Layer3 ACLs on a Layer2--as you said; however, the following link might help you to accomplish what you're attempting to accomplish: http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f242.html#xtocid5747
Les Moore
Are you looking for mac-based acls, or layer 3 IP access-lists?
I don't think that the 3500XL is capable of access-list restrictions by interface.
The 3550 is because it is a layer 3 device. The XL series are layer 2.
cory_spence (ASKER)

That's what I was afraid of.  I've inherited the network admin position.  Love that the previous guy had Windows machines hanging off the Internet completely exposed.  What I wanted to do was replace the crappy Dell 16 port SOHO switch with a cat3500xl - so we can have a REAL switch with span-port capabilities.  Thought while I was at it, could have some acl's in place to protect those outside machines.  I've got a 3750 that I'll be freeing up soon, but I hate to use that switch for this.  Any suggestions as to how I could protect those machines?  Is the Microsoft TCP/IP filtering any good?

Thanks,
C
In the meantime, you can get a Linksys or Netgear firewall/router and put that in place.
Cheap, temporary solution so you can sleep.
>Is the Microsoft TCP/IP filtering any good?
Are you kidding? How many <critical> patches have come out this year alone?

I'd seriously consider a good firewall like a PIX 515 or something to put in front of these windows boxes. Even a Linksys SPI firewall would be better than 'bare naked' on the Internet.

Great minds think alike, right gpriceee?
SOLUTION by gpriceee (members-only, not shown)

No, no, don't get me wrong.  MS TCP/IP filtering is not the long term solution.  Just need to get some sleep, like gpriceee said.

Got a PIX 525 setup like this:

INET ROUTER >>> DELL CRAP-A$$ Switch >>> PIX 525 OUTSIDE INT (public class c)
                             > SMTP/DNS/MISC                   >>> DMZ INT (another public class c)
                                                                                    >>> INSIDE INT (private class b)

So, how would I bring the outside stuff behind the pix?  I want to throw it all in the DMZ, but I can't change the IP's of these boxes without some huge planning.  I'm not crazy about doing the pix behind a pix either.  Kinda stuck in that I don't want to change anything too drastically right now, but at the same time want to put SOME level of protection in place.

I need to let this one soak a little.
C
It should be:

INET ROUTER>>>PIX 525 OUTSIDE INT
                           >>>>DMZ
                                  SMTP/DNS/MISC
                         
                            >>>>INSIDE INT
                                         LAN

Throw the boxes in the dmz, give them statics, and you won't have to change the IPs.
This would require that I change the IP addresses to get them into our DMZ class c, causing mucho breakage.  I suppose I could translate from the Outside class c to our inside.  Then, throw the cat3500 in there just for the span-port/sniffing.  

Hmmmmm.  Whad'ya think?

C
ASKER CERTIFIED SOLUTION (members-only, not shown)
I see what you mean now.  I could see this being the perfect solution in the long term, but doesn't really help out the situation I've got.  Just want to get things secured while we plan out the year.

C
Then I'd do the cheap, temporary firewall off the DELL CRAP_A$$ Switch
Would that mess up my routing?  If the PIX answers for the two public class c's and I throw another firewall in the mix, wouldn't that cause some confusion as to where the packets go - specifically to the outside class c?  

What I may end up doing is throwing some acl's on the INET router to restrict what ports are open based on the IP addresses of these outside machines.  May put a little more burden on the router, but 9 machines x 10 lines per each isn't too bad.  Then I can gradually move them to the inside and translate everything to the outside.

What a mess.

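The router-ACL stopgap cory_spence floats above (per-host, per-port filtering on the INET router in front of the exposed public class C), written out as an added example; this is not configuration from the thread. The interface name, host roles and addresses are assumptions, with RFC 5737 documentation addresses standing in for the public class C.

```cisco
! Added example, not from the thread. Named extended ACL on the Internet router,
! applied inbound on the ISP-facing interface. Hypothetical hosts:
!   mail server  203.0.113.10   DNS server 203.0.113.11   PIX outside 203.0.113.1
ip access-list extended FROM-INET
 ! drop anything arriving from the Internet that claims our own block as source
 deny   ip 203.0.113.0 0.0.0.255 any log
 ! mail host: inbound SMTP, plus return traffic for connections it opened itself
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.10 established
 ! DNS host: queries in over UDP and TCP 53, plus replies to its own lookups
 permit udp any host 203.0.113.11 eq domain
 permit tcp any host 203.0.113.11 eq domain
 permit udp any eq domain host 203.0.113.11
 permit tcp any host 203.0.113.11 established
 ! everything else aimed at the exposed hosts is dropped and logged
 deny   ip any host 203.0.113.10 log
 deny   ip any host 203.0.113.11 log
 ! traffic for the PIX outside interface and the networks behind it is passed
 ! untouched; the PIX keeps doing its own filtering
 permit ip any any
!
interface Serial0/0
 description Link to ISP
 ip access-group FROM-INET in
```

Because the filter is stateless, the `eq domain` source-port rule admits any packet with source port 53 to the DNS host, which is one reason the thread treats this as a temporary measure rather than a replacement for the PIX; `show access-lists FROM-INET` shows per-line hit counts so the logged denies can be checked against what the exposed hosts actually need.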
Without knowing how you have everything routed, it's hard to answer.  
If the pix has a route 0.0.0.0 0.0.0.0 to the router, you're going there to get back to the DELL anyway.

In the LAN, let everything through--then it really acts as a switch and not a firewall.
In the DMZ, setup the ACLs.

INET ROUTER >>> CHEAP FIREWALL w/DMZ
                                     >>(ACLs)>>DMZ >>>>SMTP/DNS/MISC                  
                                     >>(any any)>> LAN>>PIX 525 OUTSIDE INT (public class c)
                                                                             >> DMZ INT (another public class c)
                                                                             >> INSIDE INT (private class b)

DELL CRAP A$$ Switch (snack table)