ACLs for switches

Posted on 2009-07-11
Medium Priority
Last Modified: 2012-05-07
CISCO 3750 12.2(25) SEE2
Cisco 2950  12.1.(22) EA2

We codevelop software with teams from other companies and they come to our site to do this. With these companies we have setup Lan to Lan tunnels. So when they come we allow them to connect to our Guest network. Then they VPN into their companies and connect to a particular host on our end. It does not seem the best way to me for them to loop around like that because of our security restrictions.

I was thinking about letting them connect to our company LAN then configure ACLs in a switch, apply them  to specific ports  and allow them access only to an specific host on port 80 and 443.

If it makes any difference I will throw these 2 scenarios in:

1- destination host and guest users connected physically to ports in the same switch

2- destination host  and guest users connected in different switches uplinked  with switches in between . I wonder it if is needed one set of ACLs on both switches or does it matter?

Is this possible, please provide an example of how it would like in the configuration

Thanks for your help

Question by:JohnRamz
  • 3
  • 3
LVL 50

Expert Comment

by:Don Johnston
ID: 24830760
Will the source and destination devices be on the same VLAN?

If not, then a routed ACL will be what you need.

If they are on the same VLAN, you will need to use a VLAN ACL (VACL).


Author Comment

ID: 24830816

They are on the same VLAN (native VLAN 1). How do I do it? Would you provide sort of a template?


LVL 50

Accepted Solution

Don Johnston earned 2000 total points
ID: 24832216
The following VACL will allow devices to access the server at for web, smtp and pop3. Those 15 devices can also ping everything. No other traffic from those devices is permitted.

However, all traffic from other addresses is permitted.

ip access-list extended guest-allowed
 permit tcp host eq 80
 permit tcp host eq 25
 permit tcp host eq 110
 permit icmp any
ip access-list extended guest-denied
 permit ip any
vlan access-map outsiders 10
 match ip address guest-allowed
 action forward
vlan access-map outsiders 20
 match ip address guest-denied
 action drop
vlan access-map outsiders 30
 action permit
vlan filter outsiders vlan-list 99

Open in new window

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.


Author Comment

ID: 24835824

Thanks for your reply.very insightful

 I am thinking that creating a separate VLAN would work better for this and I would not have to assign them IP addresses manually. I already have a a separate VLAN with a DHCP server that hands out IP addresses on that subnet.  I know very little about ACLs, so I appreciate if you post another config with the scenario I just suggested, You mentioned in your first post routed ACLs, those might come into play here I guess.

Also would this work on the 3750?


LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 2000 total points
ID: 24836119
Yes. If the devices are on different VLAN's, you would create traditional ACLs and apply them to the VLAN interface.

And yes, you can do this on a 3750.

Author Comment

ID: 24853204

I was waiting for you config template for the last scenario but I got to it and solved the issue doing it this way:

! Created a VLAn

interface Vlan700
ip address

! Created the access list to allow them access to a host and the Internet

ip access-list extended GUEST_ACCESS
permit tcp host eq www
permit udp any eq 53
deny ip
permit tcp any eq 443
permit tcp any eq 80

!Applied it to the VLAN 700 interface

ip access-group GUEST_ACCESS in

Thanks for your guidance anyway

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

I eventually solved a perplexing problem setting up telnet for a new switch.  I installed a new Cisco WS-03560X-24P switch connected to an existing Cisco 4506 running a WS-X4013-10GE Sup II-Plus. After configuring vlans and trunking,  I could no…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
The video will let you know the exact process to import OST/PST files to the cloud based Office 365 mailboxes. Using Kernel Import PST to Office 365 tool, one can quickly import numerous OST/PST files to Office 365. Besides this, the tool also comes…
Through the video, you can check the migration process of Outlook PST file to PDF. Kernel for Outlook to PDF tool can convert Outlook emails with all attributes like Subject, To, From, Cc, Bcc and other folders such as Inbox, Outbox, Sent Items, Jun…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question