JohnRamz
asked on
ACLs for switches
Cisco 3750, IOS 12.2(25)SEE2
Cisco 2950, IOS 12.1(22)EA2
We co-develop software with teams from other companies, and they come to our site to do this. With these companies we have set up LAN-to-LAN tunnels. So when they come we allow them to connect to our Guest network. Then they VPN into their companies and connect to a particular host on our end. It does not seem the best way to me for them to loop around like that, because of our security restrictions.
I was thinking about letting them connect to our company LAN, then configuring ACLs in a switch, applying them to specific ports and allowing them access only to a specific host on ports 80 and 443.
If it makes any difference, I will throw these 2 scenarios in:
1- Destination host and guest users connected physically to ports in the same switch.
2- Destination host and guest users connected to different switches, uplinked with switches in between. I wonder if one set of ACLs is needed on both switches, or does it matter?
Is this possible? Please provide an example of how it would look in the configuration.
Thanks for your help
JAR
ASKER
donjohnston
They are on the same VLAN (native VLAN 1). How do I do it? Would you provide sort of a template?
Thanks
ASKER CERTIFIED SOLUTION
ASKER
donjohnston
Thanks for your reply, very insightful.
I am thinking that creating a separate VLAN would work better for this, and I would not have to assign them IP addresses manually. I already have a separate VLAN with a DHCP server that hands out IP addresses on that subnet. I know very little about ACLs, so I would appreciate it if you posted another config for the scenario I just suggested. You mentioned routed ACLs in your first post; those might come into play here, I guess.
Also would this work on the 3750?
Thanks
SOLUTION
ASKER
donjohnston:
I was waiting for your config template for the last scenario, but I got to it and solved the issue doing it this way:
! Created the VLAN (the Layer 2 VLAN must exist for the SVI to come up, and the
! switch must be routing between VLANs, "ip routing" on the 3750, for an ACL on
! the SVI to see the guests' traffic)
vlan 700
! Created the access list to allow them access to a host and the Internet.
! Entries are checked top down and the first match wins; anything that matches
! no entry is dropped by the implicit deny at the end of the list.
ip access-list extended GUEST_ACCESS
 permit tcp 192.168.1.0 0.0.0.255 host 10.10.6.1 eq www
 ! DNS for the guest subnet (as first posted this line had source 192.168.5.0,
 ! which is not the guest subnet, so guest DNS would have hit the implicit deny)
 permit udp 192.168.1.0 0.0.0.255 any eq 53
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
! Applied it inbound on the VLAN 700 interface (the access-group line goes under
! the interface, in interface configuration mode)
interface Vlan700
 ip address 192.168.1.254 255.255.255.0
 ip access-group GUEST_ACCESS in
Thanks for your guidance anyway
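As an added illustration (not part of the thread), a small Python evaluator that applies IOS first-match semantics to the GUEST_ACCESS entries above, so the policy can be checked against expected flows before it is applied; it assumes the DNS entry's source is the guest subnet 192.168.1.0/24 like the other entries, handles only the address forms and destination-port `eq` used in this list, and the flows fed to it are constructed. Running it shows, for instance, that HTTPS to 10.10.6.1 is caught by the deny on 10.0.0.0/8 (entry 3), since only www to that host is permitted.

```python
import ipaddress

# Constructed sample: the GUEST_ACCESS entries from the thread, with the DNS entry's
# source written as the guest subnet 192.168.1.0/24 like the other entries.
GUEST_ACCESS = """
permit tcp 192.168.1.0 0.0.0.255 host 10.10.6.1 eq www
permit udp 192.168.1.0 0.0.0.255 any eq 53
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
permit tcp 192.168.1.0 0.0.0.255 any eq 443
permit tcp 192.168.1.0 0.0.0.255 any eq 80
"""

PORT_NAMES = {"www": 80, "domain": 53}  # IOS keywords used in place of port numbers

def parse_addr(tokens):
    """Consume one IOS address spec (any | host A.B.C.D | A.B.C.D WILDCARD)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # An IOS wildcard mask is an inverted netmask: 0.0.0.255 means /24.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((t, netmask), strict=False)

def parse_entry(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (destination port only)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = parse_addr(rest), parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, dport

def evaluate(acl_text, proto, src, dst, dport):
    """Apply IOS semantics: first matching entry wins; no match is the implicit deny.
    Returns (action, entry_number); entry_number is None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    entries = [l for l in acl_text.splitlines() if l.strip()]
    for n, line in enumerate(entries, 1):
        action, p, snet, dnet, port = parse_entry(line)
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action, n
    return "deny", None
```

Call `evaluate(GUEST_ACCESS, "tcp", "192.168.1.10", "10.10.6.1", 443)` to see which entry a given guest flow hits; a source outside 192.168.1.0/24 matches nothing and falls to the implicit deny.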
If they are on the same VLAN, you will need to use a VLAN ACL (VACL).
If not, then a routed ACL will be what you need.