workcover
asked on
Please help with access-list on a 3500 series cat?
Hello Experts,
I would really like some advice on how to create an access list that will provide the following:
Provide DNS and DHCP from one subnet to 5 boxes on their own vlan
pc's have Full access to one server eg "server 1"
PC are denied access to another specific "server 2", and everything else.
For example purposes I will use ip addresses 10.10.10.10 for "server 1", and 10.100 for "server 2"
the PC's will have 192.168.1.1 through 5 for ip's. The DHCP and DNS server will be 192.168.1.100.
I have been reading some of the other entries in this forum, but I could benefit from some specific advice.
thanks
In advance
Ben
I would really like some advice on how to create an access list that will provide the following:
Provide DNS and DHCP from one subnet to 5 boxes on their own vlan
pc's have Full access to one server eg "server 1"
PC are denied access to another specific "server 2", and everything else.
For example purposes I will use ip addresses 10.10.10.10 for "server 1", and 10.100 for "server 2"
the PC's will have 192.168.1.1 through 5 for ip's. The DHCP and DNS server will be 192.168.1.100.
I have been reading some of the other entries in this forum, but I could benefit from some specific advice.
thanks
In advance
Ben
oops, line 8 should have been:
ip access-group VLAN10_IN in
ip access-group VLAN10_IN in
ASKER
thanks very much for your help. I may have not been specific, but there was no gateway involved in this scenario. I just wanted the switch to perform the ACL function...
ASKER
Will I need to have a L3 switch?
ASKER
Sorry for the multiple responses, but i would like to clarify this a little more. the group of PC's will need to access 3 servers and be blocked from one specifically.
PC's 192.168.30.1-5 255.255.255.0
access to:
ADC1 - 192.168.1.1 - DHCP,DNS
ADC2 - 192.168.1.10 - DHCP, DNS
SVR1 - 192.168.1.100 - MAPPED DRIVE
DENY
SVR2 - 192.168.1.200 - NO ACCESS
thanks again.
PC's 192.168.30.1-5 255.255.255.0
access to:
ADC1 - 192.168.1.1 - DHCP,DNS
ADC2 - 192.168.1.10 - DHCP, DNS
SVR1 - 192.168.1.100 - MAPPED DRIVE
DENY
SVR2 - 192.168.1.200 - NO ACCESS
thanks again.
Only way to do this is at layer-three. A layer-two switch will not even examine the IP header when forwarding frames. Even if it could, you wouldnt want to, as it would degrade performance on the switch.
Really the only way to do this in the network is to put SVR2 on a different VLAN and control access with an ACL on the router/switch that routes between the two VLANs. Butf rom the sound of things, that is going to cost you money. The other option is put some sort of software firewall that will filter by IP address on SVR2 and control access that way. Problem with that is it adds extra load to SVR2's proc.
Sorry this is not the answer you wanted.
HTH
kr
Really the only way to do this in the network is to put SVR2 on a different VLAN and control access with an ACL on the router/switch that routes between the two VLANs. Butf rom the sound of things, that is going to cost you money. The other option is put some sort of software firewall that will filter by IP address on SVR2 and control access that way. Problem with that is it adds extra load to SVR2's proc.
Sorry this is not the answer you wanted.
HTH
kr
ASKER
can i not deny access specifically to 192.168.1.200 after placing an access list on the switch? I can change the PC to a different network if required like 10.10.10.1?? No easy answer?
The problem is that a layer-two switch is not going to inspect layer-three protocol headers, and therefore cannot filter traffic on that criteria. The only way to do filter by layer-three protocol header is with a device at layer-three (router or layer-three switch) that lies *between* the two devices -- in this case a router would need to be between the PCs and SVR2.
As I am l looking at your post with the address detail, it looks like I you are stating the PCs are in fact on a different layer-three network than SVR2 (192.168.30.0/24 instead of 192.168.1.0/24 as you originally indicated). Is that the case?
If indeed SVR2 is on a different network than the PCs, you must have some sort of router/layer-three device routing between 192.168.1.0/24 and 192.168.30.0/24. If that is truly the case, then filtering by IP address should be no problem. Just modify the code above and you are good to go. If you want to verify the addresses of all devices and the physical topology and post them, I can give you a more exact config.
If on the other hand, the devices are all on the same network, you cannot filter by IP address. I suppose you could determine the MAC addresses of the PCs and try a layer-two ACL on the switchport that connects to SVR2, but that would be kind of nasty, and it wouldnt filter out broadcast traffic sourced by the SVR2 (i.e., the PCs would still see bcast/mcast traffic from SVR2).
As I am l looking at your post with the address detail, it looks like I you are stating the PCs are in fact on a different layer-three network than SVR2 (192.168.30.0/24 instead of 192.168.1.0/24 as you originally indicated). Is that the case?
If indeed SVR2 is on a different network than the PCs, you must have some sort of router/layer-three device routing between 192.168.1.0/24 and 192.168.30.0/24. If that is truly the case, then filtering by IP address should be no problem. Just modify the code above and you are good to go. If you want to verify the addresses of all devices and the physical topology and post them, I can give you a more exact config.
If on the other hand, the devices are all on the same network, you cannot filter by IP address. I suppose you could determine the MAC addresses of the PCs and try a layer-two ACL on the switchport that connects to SVR2, but that would be kind of nasty, and it wouldnt filter out broadcast traffic sourced by the SVR2 (i.e., the PCs would still see bcast/mcast traffic from SVR2).
ASKER
Thanks for the reply, The only part of the network that does not exist are the 5 PC's. Currently there is a full blown network in place with router, cat 6000's ect running a whole collection of vlans. I want to add these 5 pc's on whatever network and block them from SVR2, while accessing the other 3 freely.
As these PC's will have very little use, my topology will have a switch (Layer 3 I guess) running from one of the Cat6K's gig up link.
As these PC's will have very little use, my topology will have a switch (Layer 3 I guess) running from one of the Cat6K's gig up link.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
note, it is probably obvious, but just in case . . . that config sample would be on the 6k
ASKER
I have not implemented this, however this is a good base to start from.
ASKER
thanks very much I will keep you posted.
That said, assuming your PC VLAN is 10, server1 VLAN is 100, and server2 VLAN is 200, the attached code accomplishes what you are after.
Note that this accomplishes *exactly* what you specified. Hosts 192.168.1.1-5 may access 10.10.10.10 and anything else on the 192.168.1.0 network, but nothing else, not the Internet, not server2, not anything else within your network. And everything else on the 192.168.1.0 network except .1-.5 (assuming that segment to be a /24), has full access to the world.
If this is not the desired behavior, you could add some specificity, and we can modify the ACL accordingly.
HTH
kr
Open in new window