Basic Cisco port Deny ACL question

Posted on 2009-02-20
Medium Priority
Last Modified: 2012-08-14
We have configured a layer 2 vlan on our cisco catalyst switch. We assigned two ports to it. This is a poor man's dumb switch. Basically we want to make sure that no traffic can come into or out of those two ports except themselves. So portA can talk to portB and vice versa, but we don't want any other ports talking to them.

How should I set this up?
Question by:GCIT_Manager

Accepted Solution

Cobra25 earned 800 total points
ID: 23697674
I'm not really sure if I understand you correctly. What you can do is to apply a MAC-address filter using an access-list (ACL). The ACL for a MAC filter will be in the range 700-799. For example, access-list 700 permit aaaa.bbbb.cccc 0000.0000.0000. Then apply the access-list to the incoming port, which will only allow the MAC that you specify in the ACL; others should be blocked. As a result, only the MAC from PortA can talk to PortB. Good luck with the setup :)

Author Comment

ID: 23697711
I don't know the MAC address. I do know its IP address though, and we need to be able to change devices quickly, so I'd rather not use MAC addresses. Any other way?

basically the IPs are and


Expert Comment

ID: 23697814
Switching uses MAC-addresses (layer 2) and not IP addresses.

Author Comment

ID: 23697933
We have layer 3 switches. We just happened to put these ports in layer 2 VLANs. Does this still apply to the MAC address issue? I have created ACLs with IP addresses, I'm not doing it in a way that allows the traffic to flow properly.

I could put it on a layer 3 VLAN, but I don't see the need.

Expert Comment

ID: 23699530
If you configured only two ports in a VLAN, it is enough. Any other port in another VLAN will not be able to "talk" with these two ports. You don't need any ACLs.
You can think of this VLAN as a separate switch with only two ports.

Expert Comment

ID: 23699836
Depending on what switches you have you can use VLAN ACL (VACL) to filter IP traffic on a VLAN.


Assisted Solution

CCI_IT earned 200 total points
ID: 23702263
Like ionut said, there is nothing more to it.

As long as you don't apply an IP to the int vlan for that particular VLAN, it won't be routable. No ACLs needed.
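As an added illustration (not posted by anyone in this thread) of the isolated layer 2 VLAN that ionut and CCI_IT describe, here is the Catalyst IOS configuration with the checks a practitioner would run afterwards. VLAN id 200, ports Gi1/0/1 and Gi1/0/2, and the uplink Gi1/0/24 are assumed placeholders.

```cisco
! --- Assumed values: VLAN 200, ports Gi1/0/1 and Gi1/0/2 are portA and portB ---
vlan 200
 name ISOLATED-PAIR
!
! Both ports are static access ports in VLAN 200. "switchport nonegotiate"
! disables DTP so neither port can ever be negotiated into a trunk, which is
! the usual way a single access port ends up seeing other VLANs' traffic.
interface GigabitEthernet1/0/1
 description portA
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description portB
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
!
! The key point from the thread: do NOT create an SVI for this VLAN. With no
! "interface Vlan200" carrying an IP address, the layer 3 switch never routes
! to or from VLAN 200, even though it routes between its other VLANs.
! If an SVI already exists, remove it:
no interface Vlan200
!
! Caveat for a "poor man's dumb switch": an uplink trunk that allows all
! VLANs would extend VLAN 200 to other switches. Prune it from every trunk
! (Gi1/0/24 is an assumed uplink).
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan remove 200
!
! Verification: only the two ports should be listed, no Vlan200 SVI should
! exist, and each port should report "Operational Mode: static access".
do show vlan brief | include 200
do show ip interface brief | include Vlan200
do show interfaces GigabitEthernet1/0/1 switchport | include Operational Mode
do show interfaces trunk
```

`show interfaces trunk` lists the VLANs allowed on each trunk; VLAN 200 should not appear on any of them.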

Author Comment

ID: 23702280

that's the confirmation I needed. We didn't apply an IP. I have heard that whitehats (hired hackers) can jump VLANs on a switch.

thanks everyone!
