Please help with access-list on a 3500 series cat?

Hello Experts,

I would really like some advice on how to create an access list that will provide the following:

Provide DNS and DHCP from one subnet to 5 boxes on their own VLAN.
PCs have full access to one server, e.g. "server 1".
PCs are denied access to another specific server, "server 2", and to everything else.

For example purposes I will use IP addresses 10.10.10.10 for "server 1" and 10.100 for "server 2".
The PCs will have 192.168.1.1 through 5 for IPs. The DHCP and DNS server will be 192.168.1.100.

I have been reading some of the other entries in this forum, but I could benefit from some specific advice.

Thanks in advance,
Ben

workcover asked:
CCIE8122 Commented:
Yeah, so I would trunk from the 3500 to the 6k, leave the 3500 as a layer-two switch only, create the layer-three PC VLAN on the 6k, and ACL that VLAN as necessary (sample config below).  Then you just assign the PCs to the VLAN (in my example, VLAN 30) on any switch, and they will be denied access to 192.168.1.200, but allowed to everything else.

HTH

kr

vlan 30 name PC_LAN

ip access-list extended VLAN30_IN
 remark the five PCs are blocked from SVR2; wildcard 0.0.0.1 covers .2-.3 and .4-.5
 deny ip host 192.168.30.1 host 192.168.1.200
 deny ip 192.168.30.2 0.0.0.1 host 192.168.1.200
 deny ip 192.168.30.4 0.0.0.1 host 192.168.1.200
 remark the rest of the PC VLAN, and the PCs to any other destination, are allowed
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip any any

interface vlan30
 ip access-group VLAN30_IN in

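To see how the wildcard masks and first-match evaluation in VLAN30_IN work out for the five PCs, here is an added Python evaluator (not from the thread or from Cisco) that models Cisco extended-ACL matching for ip entries: host, wildcard-mask and any address terms, first match wins, implicit deny at the end. The ACL text embedded in it is the post's three deny entries followed by a final permit ip any any.

```python
"""Added example: evaluator for Cisco-style extended IP ACL entries
(first match wins, implicit deny). Models only 'ip' entries."""
import ipaddress

# The VLAN30_IN entries from the post: the five PCs are denied to SVR2
# (192.168.1.200) and the final entry lets everything else through.
VLAN30_IN = """
deny ip host 192.168.30.1 host 192.168.1.200
deny ip 192.168.30.2 0.0.0.1 host 192.168.1.200
deny ip 192.168.30.4 0.0.0.1 host 192.168.1.200
permit ip any any
"""

def _match(addr: str, spec: list[str]) -> tuple[bool, list[str]]:
    """Consume one address term from spec ('any', 'host A.B.C.D', or
    'A.B.C.D W.W.W.W') and report whether addr matches it."""
    a = int(ipaddress.IPv4Address(addr))
    if spec[0] == "any":
        return True, spec[1:]
    if spec[0] == "host":
        return a == int(ipaddress.IPv4Address(spec[1])), spec[2:]
    base = int(ipaddress.IPv4Address(spec[0]))
    wild = int(ipaddress.IPv4Address(spec[1]))
    # Cisco wildcard: a 1 bit means "don't care", so 0.0.0.1 on .2 covers .2-.3
    return (a & ~wild) == (base & ~wild), spec[2:]

def evaluate(acl: str, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for an IP packet src -> dst under acl."""
    for line in acl.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        if proto != "ip":
            continue            # other protocols are not modelled here
        s_ok, rest = _match(src, rest)
        d_ok, _ = _match(dst, rest)
        if s_ok and d_ok:
            return action       # first matching entry decides
    return "deny"               # Cisco's implicit 'deny ip any any'

def pc_access_matrix() -> dict:
    """The thread's cases: PCs .1-.5 to SVR2 and SVR1, plus a non-PC host."""
    pcs = [f"192.168.30.{i}" for i in range(1, 6)]
    return {
        "pcs_to_svr2": [evaluate(VLAN30_IN, p, "192.168.1.200") for p in pcs],
        "pcs_to_svr1": [evaluate(VLAN30_IN, p, "192.168.1.100") for p in pcs],
        "other_to_svr2": evaluate(VLAN30_IN, "192.168.30.6", "192.168.1.200"),
    }
```

Running pc_access_matrix() shows all five PCs denied to .200 and permitted to .100, while 192.168.30.6 (not covered by any host or 0.0.0.1 wildcard entry) reaches .200.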
 
CCIE8122 Commented:
First, no access list will have any effect on traffic that remains within a VLAN (i.e., traffic between PCs, DNS server, and DHCP server in your example).  The reason for this is that such traffic will never traverse the router as it remains on the local subnet (never gets sent to the default gateway because a local device responds to the ARP request).

That said, assuming your PC VLAN is 10, server1 VLAN is 100, and server2 VLAN is 200, the attached code accomplishes what you are after.

Note that this accomplishes *exactly* what you specified.  Hosts 192.168.1.1-5 may access 10.10.10.10 and anything else on the 192.168.1.0 network, but nothing else, not the Internet, not server2, not anything else within your network.  And everything else on the 192.168.1.0 network except .1-.5 (assuming that segment to be a /24), has full access to the world.

If this is not the desired behavior, you could add some specificity, and we can modify the ACL accordingly.

HTH

kr
ip access-list extended VLAN10_IN
 remark the five PCs may reach server1 only; wildcard 0.0.0.1 covers .2-.3 and .4-.5
 permit ip host 192.168.1.1 host 10.10.10.10
 permit ip 192.168.1.2 0.0.0.1 host 10.10.10.10
 permit ip 192.168.1.4 0.0.0.1 host 10.10.10.10
 remark anything else from those PCs is dropped before the subnet-wide permit
 deny ip host 192.168.1.1 any
 deny ip 192.168.1.2 0.0.0.1 any
 deny ip 192.168.1.4 0.0.0.1 any
 remark the rest of 192.168.1.0/24 has full access; the implicit deny follows
 permit ip 192.168.1.0 0.0.0.255 any

interface vlan10
 ip access-group 10 in

 
CCIE8122 Commented:
oops, line 8 should have been:

ip access-group VLAN10_IN in
 
workcover (Author) Commented:
Thanks very much for your help. I may have not been specific, but there was no gateway involved in this scenario. I just wanted the switch to perform the ACL function...
 
workcover (Author) Commented:
Will I need to have a L3 switch?
 
workcover (Author) Commented:
Sorry for the multiple responses, but I would like to clarify this a little more. The group of PCs will need to access 3 servers and be blocked from one specifically.

PCs 192.168.30.1-5  255.255.255.0

access to:
ADC1 - 192.168.1.1 - DHCP,DNS
ADC2 - 192.168.1.10 - DHCP, DNS
SVR1 - 192.168.1.100 - MAPPED DRIVE

DENY
SVR2 - 192.168.1.200 - NO ACCESS

thanks again.

 
CCIE8122 Commented:
Only way to do this is at layer-three.  A layer-two switch will not even examine the IP header when forwarding frames.  Even if it could, you wouldn't want to, as it would degrade performance on the switch.

Really the only way to do this in the network is to put SVR2 on a different VLAN and control access with an ACL on the router/switch that routes between the two VLANs.  But from the sound of things, that is going to cost you money.  The other option is to put some sort of software firewall that will filter by IP address on SVR2 and control access that way.  Problem with that is it adds extra load to SVR2's proc.

Sorry this is not the answer you wanted.

HTH

kr
 
workcover (Author) Commented:
Can I not deny access specifically to 192.168.1.200 after placing an access list on the switch? I can change the PCs to a different network if required, like 10.10.10.1?? No easy answer?
 
CCIE8122 Commented:
The problem is that a layer-two switch is not going to inspect layer-three protocol headers, and therefore cannot filter traffic on that criteria.  The only way to filter by layer-three protocol header is with a device at layer-three (router or layer-three switch) that lies *between* the two devices -- in this case a router would need to be between the PCs and SVR2.

As I am looking at your post with the address detail, it looks like you are stating the PCs are in fact on a different layer-three network than SVR2 (192.168.30.0/24 instead of 192.168.1.0/24 as you originally indicated).  Is that the case?

If indeed SVR2 is on a different network than the PCs, you must have some sort of router/layer-three device routing between 192.168.1.0/24 and 192.168.30.0/24.  If that is truly the case, then filtering by IP address should be no problem.  Just modify the code above and you are good to go.  If you want to verify the addresses of all devices and the physical topology and post them, I can give you a more exact config.

If, on the other hand, the devices are all on the same network, you cannot filter by IP address.  I suppose you could determine the MAC addresses of the PCs and try a layer-two ACL on the switchport that connects to SVR2, but that would be kind of nasty, and it wouldn't filter out broadcast traffic sourced by SVR2 (i.e., the PCs would still see bcast/mcast traffic from SVR2).
 
workcover (Author) Commented:
Thanks for the reply. The only part of the network that does not exist are the 5 PCs. Currently there is a full-blown network in place with router, Cat 6000s etc. running a whole collection of VLANs. I want to add these 5 PCs on whatever network and block them from SVR2, while accessing the other 3 freely.

As these PCs will have very little use, my topology will have a switch (Layer 3 I guess) running from one of the Cat6K's gig uplinks.
 
CCIE8122 Commented:
Note, it is probably obvious, but just in case . . . that config sample would be on the 6k.
 
workcover (Author) Commented:
I have not implemented this, however this is a good base to start from.
 
workcover (Author) Commented:
Thanks very much. I will keep you posted.