Solved

Cisco Catalyst 3500XL - Access-list Question

Posted on 2005-04-19
Last Modified: 2013-11-16
Have a Cat3500XL running Version 12.0(5)WC10 and I want to apply inbound acl's by port.  Is this possible?  I can build the acl's, but can't seem to apply them to an interface.  Is this a limitation of a layer 2 switch?

Thanks,
C
Question by:cory_spence
15 Comments
 
LVL 13

Expert Comment

by:gpriceee
ID: 13815203
It sounds like you're trying to use Layer3 ACLs on a Layer2--as you said; however, the following link might help you to accomplish what you're attempting to accomplish: http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f242.html#xtocid5747
 
LVL 79

Expert Comment

by:lrmoore
ID: 13818189
Are you looking for mac-based acls, or layer 3 IP access-lists?
I don't think that the 3500XL is capable of access-list restrictions by interface.
The 3550 is because it is a layer 3 device. The XL series are layer 2.
 

Author Comment

by:cory_spence
ID: 13818597
That's what I was afraid of.  I've inherited the network admin position.  Love that the previous guy had Windows machines hanging off the Internet completely exposed.  What I wanted to do was replace the crappy Dell 16 port SOHO switch with a cat3500xl - so we can have a REAL switch with span-port capabilities.  Thought while I was at it, could have some acl's in place to protect those outside machines.  I've got a 3750 that I'll be freeing up soon, but I hate to use that switch for this.  Any suggestions as to how I could protect those machines?  Is the Microsoft TCP/IP filtering any good?

Thanks,
C
 
LVL 13

Expert Comment

by:gpriceee
ID: 13818615
In the meantime, you can get a Linksys or Netgear firewall/router and put that in place.
Cheap, temporary solution so you can sleep.
 
LVL 79

Expert Comment

by:lrmoore
ID: 13818623
>Is the Microsoft TCP/IP filtering any good?
Are you kidding? How many <critical> patches have come out this year alone?

I'd seriously consider a good firewall like a PIX 515 or something to put in front of these windows boxes. Even a Linksys SPI firewall would be better than 'bare naked' on the Internet.
 
LVL 79

Expert Comment

by:lrmoore
ID: 13818628
Great minds think alike, right gpriceee?
 
LVL 13

Assisted Solution

by:gpriceee
gpriceee earned 1000 total points
ID: 13818676
Ha!
Same page.
Along the pix line, if it's simply temporary, and you need a quick fix, the 501 is cheap and has the pix feature set: no DMZ though.
 

Author Comment

by:cory_spence
ID: 13818759
No, no, don't get me wrong.  MS TCP/IP filtering is not the long term solution.  Just need to get some sleep, like gpriceee said.

Got a PIX 525 setup like this:

INET ROUTER >>> DELL CRAP-A$$ Switch >>> PIX 525 OUTSIDE INT (public class c)
                             > SMTP/DNS/MISC                   >>> DMZ INT (another public class c)
                                                                                    >>> INSIDE INT (private class b)

So, how would I bring the outside stuff behind the pix?  I want to throw it all in the DMZ, but I can't change the IP's of these boxes without some huge planning.  I'm not crazy about doing the pix behind a pix either.  Kinda stuck in that I don't want to change anything too drastically right now, but at the same time want to put SOME level of protection in place.

I need to let this one soak a little.
C
 
LVL 13

Expert Comment

by:gpriceee
ID: 13818798
It should be:

INET ROUTER>>>PIX 525 OUTSIDE INT
                           >>>>DMZ
                                  SMTP/DNS/MISC
                         
                            >>>>INSIDE INT
                                         LAN

Throw the boxes in the dmz, give them statics, and you won't have to change the IPs.
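The DMZ-with-statics arrangement gpriceee describes, written out as an added example in PIX 6.x syntax (not configuration posted in this thread). The addresses are constructed placeholders (203.0.113.0/24 for the outside class C, 192.0.2.0/24 for the DMZ, 172.16.0.0/16 for the inside class B), the interface name ethernet2 is assumed, and the '!' lines are explanatory comments.

```cisco
! Constructed example: one exposed mail/DNS box moved from the outside
! segment into the DMZ.  The box itself gets a DMZ address, but the
! Internet keeps reaching its old public address because the PIX answers
! for that address (proxy ARP on the static) and translates it.
nameif ethernet2 dmz security50
ip address dmz 192.0.2.1 255.255.255.0

! old public address (outside)  ->  new DMZ address of the box
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255 0 0

! Only the services the box really offers are reachable from the Internet.
! On PIX 6.x the inbound ACL is written against the public (mapped) address.
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq domain
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-group outside_in in interface outside

! DMZ hosts may talk to the Internet, but a compromised DMZ box must not
! be able to reach the inside network (private class B).
access-list dmz_in deny ip any 172.16.0.0 255.255.0.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

Repeat the static and the outside_in lines per host; external DNS records and the upstream route for the public class C stay as they are, which is what makes this workable without renumbering what the outside world sees.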
 

Author Comment

by:cory_spence
ID: 13818978
This would require that I change the IP addresses to get them into our DMZ class c, causing mucho breakage.  I suppose I could translate from the Outside class c to our inside.  Then, throw the cat3500 in there just for the span-port/sniffing.  

Hmmmmm.  Whad'ya think?

C
 
LVL 13

Accepted Solution

by:gpriceee
gpriceee earned 1000 total points
ID: 13819008
I'd still have them in a DMZ.  Can you just throw another DMZ into the 525?
 

Author Comment

by:cory_spence
ID: 13819070
I see what you mean now.  I could see this being the perfect solution in the long term, but doesn't really help out the situation I've got.  Just want to get things secured while we plan out the year.

C
 
LVL 13

Expert Comment

by:gpriceee
ID: 13819082
Then I'd do the cheap, temporary firewall off the DELL CRAP_A$$ Switch
 

Author Comment

by:cory_spence
ID: 13819155
Would that mess up my routing?  If the PIX answers for the two public class c's and I throw another firewall in the mix, wouldn't that cause some confusion as to where the packets go - specifically to the outside class c?  

What I may end up doing is throwing some acl's on the INET router to restrict what ports are open based on the IP addresses of these outside machines.  May put a little more burden on the router, but 9 machines x 10 lines per each isn't too bad.  Then I can gradually move them to the inside and translate everything to the outside.

What a mess.

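The router-ACL stopgap described in the comment above, as an added example in IOS syntax rather than anything posted in this thread. The host address 203.0.113.10 is a constructed placeholder for one exposed Windows box (mail and DNS), and Serial0 is the assumed Internet-facing interface of the INET router.

```cisco
! Constructed example: roughly the "10 lines per host" block from the plan.
! A router ACL is stateless, so replies to sessions the box opens itself
! have to be permitted explicitly ("established" for TCP, source-port
! matches for UDP), and everything else to the host is dropped and logged.
ip access-list extended PROTECT-EXPOSED-HOSTS
 remark ---- 203.0.113.10: services it offers to the Internet ----
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.10 eq domain
 permit udp any host 203.0.113.10 eq domain
 remark ---- replies to connections the box initiates ----
 permit tcp any host 203.0.113.10 established
 permit udp any eq domain host 203.0.113.10
 permit udp any eq ntp host 203.0.113.10
 permit icmp any host 203.0.113.10 echo-reply
 permit icmp any host 203.0.113.10 unreachable
 remark ---- anything else aimed at this host: drop and log ----
 deny   ip any host 203.0.113.10 log
 remark ---- repeat the block above for each other exposed host ----
 remark ---- traffic for the PIX outside interface is left to the PIX ----
 permit ip any any
!
interface Serial0
 description Internet-facing; filters before packets reach the Dell switch
 ip access-group PROTECT-EXPOSED-HOSTS in
```

"established" only checks for the ACK or RST bit, so it is a filter, not connection tracking; where the router's IOS supports reflexive ACLs or CBAC, those give the same shape with real state, which is the natural next step before the hosts move behind the PIX.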
 
LVL 13

Expert Comment

by:gpriceee
ID: 13819254
Without knowing how you have everything routed, it's hard to answer.  
If the pix has a route 0.0.0.0 0.0.0.0 to the router, you're going there to get back to the DELL anyway.

In the LAN, let everything through--then it really acts as a switch and not a firewall.
In the DMZ, set up the ACLs.

INET ROUTER >>> CHEAP FIREWALL w/DMZ
                                     >>(ACLs)>>DMZ >>>>SMTP/DNS/MISC                  
                                     >>(any any)>> LAN>>PIX 525 OUTSIDE INT (public class c)
                                                                             >> DMZ INT (another public class c)
                                                                             >> INSIDE INT (private class b)

DELL CRAP A$$ Switch (snack table)
