ACL on PORT - Cisco 3560g

Hi,

We have an access point on a 3560g switch that uses the same vlan as the rest of the network.  We are having some problems with bandwidth sharing and want to make sure that any user who is using this access point is NOT using it for internet access.

We thought of an ACL, but I don't know if an ACL can be applied to just a port, and not the entire VLAN.  If so, can someone provide the documentation or commands to do this.

Thanks,

S.....
svillardiAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

QuoriCommented:
SWITCH(config)#ip access-list extended DENY_INTERNET
SWITCH(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
SWITCH(config-ext-nacl)#deny ip any any log
SWITCH(config-ext-nacl)#ex
SWITCH(config)#int gi0/XX
SWITCH(config-if)#ip access-group DENY_INTERNET in
SWITCH(config-if)#
0
mikebernhardtCommented:
The access list above won't work if the 3560G port is set to switchport and is sharing the same vlan. However, you can do it the other way around: On the AP itself, add your access list:

ip access-list 100 permit ip any 10.0.0.0 0.0.0.255 [your local IPs, repeat for whatever networks you need to allow users to access from wireless]
ip access-list 100 deny ip any any

interface g0/0 [or whatever the ethernet interface is]
 ip access-group 100 out

this will cause the AP to drop anything that's destined for local nets before the switch ever sees it.
0
svillardiAuthor Commented:
I will try this tomorrow.  This is not set up with lwapp, but I can access the web config.  Do I have to do this with CLI, or is there somewhere in the GUI?
0
mikebernhardtCommented:
What I provided is via CLI, but you should be able to do it via the web interface- there should be a place to paste it in. the full process via CLI would be (assuming enable mode already):
config t
access-list 100 permit ip any 10.0.0.0 0.0.0.255
access-list 100 permit ip any 192.168.90.0 0.255.255.255
access-list 100 deny ip any any
interface g0/0
 ip access-group 100 out
end
copy runn start
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.