Solved

Please help with access-list on a 3500 series cat?

Posted on 2007-11-21
Last Modified: 2012-06-27
Hello Experts,

I would really like some advice on how to create an access list that will provide the following:

Provide DNS and DHCP from one subnet to 5 boxes on their own vlan
pc's have Full access to one server eg "server 1"
PC are denied access to another specific "server 2", and everything else.

For example purposes I will use ip addresses 10.10.10.10 for "server 1", and 10.100 for "server 2"
the PC's will have 192.168.1.1 through 5 for ip's. The DHCP and DNS server will be 192.168.1.100.

I have been reading some of the other entries in this forum, but I could benefit from some specific advice.

thanks
In advance
Ben

0
Comment
Question by:workcover
13 Comments
 
LVL 4

Expert Comment

by:CCIE8122
ID: 20332600
First, no access list will have any effect on traffic that remains within a VLAN (i.e., traffic between PCs, DNS server, and DHCP server in your example).  The reason for this is that such traffic will never traverse the router as it remains on the local subnet (it never gets sent to the default gateway because a local device responds to the ARP request).

That said, assuming your PC VLAN is 10, server1 VLAN is 100, and server2 VLAN is 200, the attached code accomplishes what you are after.

Note that this accomplishes *exactly* what you specified.  Hosts 192.168.1.1-5 may access 10.10.10.10 and anything else on the 192.168.1.0 network, but nothing else, not the Internet, not server2, not anything else within your network.  And everything else on the 192.168.1.0 network except .1-.5 (assuming that segment to be a /24), has full access to the world.

If this is not the desired behavior, you could add some specificity, and we can modify the ACL accordingly.

HTH

kr
ip access-list extended VLAN10_IN
 remark PCs .1-.5 may reach server1 only
 permit ip host 192.168.1.1 host 10.10.10.10
 permit ip 192.168.1.2 0.0.0.1 host 10.10.10.10
 permit ip 192.168.1.4 0.0.0.1 host 10.10.10.10
 remark block those same PCs from everything else; first match wins, so this must precede the broad permit
 deny ip host 192.168.1.1 any
 deny ip 192.168.1.2 0.0.0.1 any
 deny ip 192.168.1.4 0.0.0.1 any
 remark every other host on the VLAN keeps full access
 permit ip 192.168.1.0 0.0.0.255 any
 
interface vlan10
 ip access-group VLAN10_IN in


0
 
LVL 4

Expert Comment

by:CCIE8122
ID: 20332604
oops, line 8 should have been:

ip access-group VLAN10_IN in
0
 
LVL 1

Author Comment

by:workcover
ID: 20336167
thanks very much for your help. I may have not been specific, but there was no gateway involved in this scenario. I just wanted the switch to perform the ACL function...
0
 
LVL 1

Author Comment

by:workcover
ID: 20336174
Will I need to have a L3 switch?
0
 
LVL 1

Author Comment

by:workcover
ID: 20336216
Sorry for the multiple responses, but I would like to clarify this a little more. The group of PC's will need to access 3 servers and be blocked from one specifically.

PC's 192.168.30.1-5  255.255.255.0

access to:
ADC1 - 192.168.1.1 - DHCP,DNS
ADC2 - 192.168.1.10 - DHCP, DNS
SVR1 - 192.168.1.100 - MAPPED DRIVE

DENY
SVR2 - 192.168.1.200 - NO ACCESS

thanks again.

0
 
LVL 4

Expert Comment

by:CCIE8122
ID: 20339693
Only way to do this is at layer-three.  A layer-two switch will not even examine the IP header when forwarding frames.  Even if it could, you wouldn't want to, as it would degrade performance on the switch.

Really the only way to do this in the network is to put SVR2 on a different VLAN and control access with an ACL on the router/switch that routes between the two VLANs.  But from the sound of things, that is going to cost you money.  The other option is put some sort of software firewall that will filter by IP address on SVR2 and control access that way.  Problem with that is it adds extra load to SVR2's proc.

Sorry this is not the answer you wanted.

HTH

kr
0
 
LVL 1

Author Comment

by:workcover
ID: 20347293
Can I not deny access specifically to 192.168.1.200 after placing an access list on the switch? I can change the PC to a different network if required, like 10.10.10.1?? No easy answer?
0
 
LVL 4

Expert Comment

by:CCIE8122
ID: 20348251
The problem is that a layer-two switch is not going to inspect layer-three protocol headers, and therefore cannot filter traffic on that criteria.  The only way to filter by layer-three protocol header is with a device at layer-three (router or layer-three switch) that lies *between* the two devices -- in this case a router would need to be between the PCs and SVR2.

As I am looking at your post with the address detail, it looks like you are stating the PCs are in fact on a different layer-three network than SVR2 (192.168.30.0/24 instead of 192.168.1.0/24 as you originally indicated).  Is that the case?

If indeed SVR2 is on a different network than the PCs, you must have some sort of router/layer-three device routing between 192.168.1.0/24 and 192.168.30.0/24.  If that is truly the case, then filtering by IP address should be no problem.  Just modify the code above and you are good to go.  If you want to verify the addresses of all devices and the physical topology and post them, I can give you a more exact config.

If on the other hand, the devices are all on the same network, you cannot filter by IP address.  I suppose you could determine the MAC addresses of the PCs and try a layer-two ACL on the switchport that connects to SVR2, but that would be kind of nasty, and it wouldn't filter out broadcast traffic sourced by the SVR2 (i.e., the PCs would still see bcast/mcast traffic from SVR2).
0
 
LVL 1

Author Comment

by:workcover
ID: 20348295
Thanks for the reply. The only part of the network that does not exist are the 5 PC's. Currently there is a full blown network in place with router, cat 6000's etc. running a whole collection of vlans. I want to add these 5 pc's on whatever network and block them from SVR2, while accessing the other 3 freely.

As these PC's will have very little use,  my topology will have a switch (Layer 3 I guess) running from one of the Cat6K's gig up link.
0
 
LVL 4

Accepted Solution

by:
CCIE8122 earned 100 total points
ID: 20353729
yeah, so I would trunk from the 3500 to the 6k, leave the 3500 as a layer-two switch only, create the layer-three PC VLAN on the 6k, and ACL that VLAN as necessary (sample config below).  Then you just assign the PCs to the VLAN (in my example, VLAN 30) on any switch, and they will be denied access to 192.168.1.200, but allowed to everything else.

HTH

kr
vlan 30
 name PC_LAN
 
ip access-list extended VLAN30_IN
 remark PCs .1-.5 are blocked from SVR2 only
 deny ip host 192.168.30.1 host 192.168.1.200
 deny ip 192.168.30.2 0.0.0.1 host 192.168.1.200
 deny ip 192.168.30.4 0.0.0.1 host 192.168.1.200
 remark everything else from this VLAN is allowed
 permit ip any any
 
interface vlan30
 ip access-group VLAN30_IN in


0
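An added example, not configuration from CCIE8122 or the thread: a small first-match evaluator for the "permit ip" / "deny ip" entries used in both the VLAN10_IN reply and the accepted VLAN30_IN answer, so the intended behaviour can be checked offline before anything is pasted into the 6k. It also shows the on-link test behind the first reply: traffic between a PC and its DHCP/DNS server on the same subnet never reaches the SVI, so no inbound ACL ever sees it. The VLAN10_IN list below is written with the explicit deny entries needed to give the .1-.5 hosts "nothing else", and the host 192.168.30.6 and the 8.8.8.8 destination are constructed sample values, not addresses from the thread.

```python
import ipaddress

# Added example (not code from the thread): first-match evaluation of
# "permit|deny ip <src> <dst>" entries with Cisco wildcard masks.


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_match(tokens):
    """Consume one specifier (any | host A | A WILDCARD); return (base, wildcard), rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line):
    """Parse an entry into (action, src_match, dst_match); only 'ip' entries are supported."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _take_match(rest)
    dst, rest = _take_match(rest)
    return action, src, dst


def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a packet src->dst; the first matching entry wins."""
    for line in acl:
        line = line.strip()
        if not line or line.startswith("remark"):
            continue
        action, (sb, sw), (db, dw) = parse_entry(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def crosses_svi(src_cidr, dst):
    """True when dst is off-link for src, i.e. the packet is routed and an inbound
    SVI ACL actually sees it. On-link traffic is switched and never hits the ACL."""
    return ipaddress.IPv4Address(dst) not in ipaddress.ip_interface(src_cidr).network


# VLAN10_IN from the first reply, with explicit denies so .1-.5 get "nothing else".
VLAN10_IN = [
    "permit ip host 192.168.1.1 host 10.10.10.10",
    "permit ip 192.168.1.2 0.0.0.1 host 10.10.10.10",
    "permit ip 192.168.1.4 0.0.0.1 host 10.10.10.10",
    "deny ip host 192.168.1.1 any",
    "deny ip 192.168.1.2 0.0.0.1 any",
    "deny ip 192.168.1.4 0.0.0.1 any",
    "permit ip 192.168.1.0 0.0.0.255 any",
]

# VLAN30_IN from the accepted answer: block .1-.5 from SVR2, allow the rest.
VLAN30_IN = [
    "deny ip host 192.168.30.1 host 192.168.1.200",
    "deny ip 192.168.30.2 0.0.0.1 host 192.168.1.200",
    "deny ip 192.168.30.4 0.0.0.1 host 192.168.1.200",
    "permit ip any any",
]

# Same list with a sweeping deny slipped in before the permit: because every
# packet entering vlan30 is sourced from 192.168.30.0/24, that one line
# shadows "permit ip any any" and cuts the whole VLAN off.
VLAN30_IN_SHADOWED = VLAN30_IN[:3] + ["deny ip 192.168.30.0 0.0.0.255 any"] + VLAN30_IN[3:]

if __name__ == "__main__":
    cases = [
        (VLAN30_IN, "192.168.30.3", "192.168.1.200"),  # PC -> SVR2, expect deny
        (VLAN30_IN, "192.168.30.3", "192.168.1.100"),  # PC -> SVR1, expect permit
        (VLAN30_IN_SHADOWED, "192.168.30.3", "192.168.1.100"),  # shadowed, expect deny
        (VLAN10_IN, "192.168.1.3", "8.8.8.8"),  # constructed off-net destination
    ]
    for acl, s, d in cases:
        print(f"{s:>14} -> {d:<14} {evaluate(acl, s, d)}")
    print("PC->DNS on-link, ACL never sees it:", not crosses_svi("192.168.1.1/24", "192.168.1.100"))
```

Lines beginning with `remark` are skipped, so the named ACL bodies from the thread can be pasted in verbatim. The evaluator deliberately covers only the `ip` entries with `host`, `any` and wildcard-pair specifiers that the thread uses; anything else raises rather than silently matching.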
 
LVL 4

Expert Comment

by:CCIE8122
ID: 20353736
note, it is probably obvious, but just in case . . . that config sample would be on the 6k
0
 
LVL 1

Author Closing Comment

by:workcover
ID: 31410514
I have not implemented this, however this is a good base to start from.
0
 
LVL 1

Author Comment

by:workcover
ID: 20353867
thanks very much I will keep you posted.
0
