Solved

Cisco Switch Network Security ACL 4500

Posted on 2010-04-06
Last Modified: 2012-05-09
Trying to configure some ACLs on Cisco CAT4510R.

Basically we are trying to control access between the VLANs using ACLs, and here is the config so far for the new VLAN:


!
interface Vlan64
 description Virtual LAN for Restricted VLAN64
 ip address 192.168.64.254 255.255.255.0
 ip access-group 150 in
 ip access-group 151 out
 ip helper-address 192.168.50.98
!
access-list 150 permit ip any any
access-list 151 permit tcp any any eq www
access-list 151 permit udp any any eq domain
access-list 151 permit tcp any any eq domain
access-list 151 deny   ip any any


But I think I am missing something, because once I enter the last line (access-list 151 deny) it denies everything, even the ports specified above.

Any suggestions or recommendations on how to use ACLs on a Cisco switch?
Question by:itmti
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 29963386
What, specifically, are you trying to accomplish? It looks like you want any address to be able to access a web server and DNS server located on (or beyond) the 192.168.64.0/24 network.

ACL 150 is doing nothing and the "151 deny ip any any" is also doing nothing.

Please elaborate on your goals.
0
 

Author Comment

by:itmti
ID: 29967104
I would like to allow network 192.168.64.0/24 out to any for DNS and WWW.
And allow anything (any, any) from other networks in to 192.168.64.0/24.

Basically 192.168.64.0/24 would be a restricted VLAN that has only www and dns out to anywhere.


Thanks
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 30013385
access-list 150 permit ip any any
access-list 151 permit tcp any any established
access-list 151 permit udp any eq domain any
access-list 151 permit tcp any eq domain any
access-list 151 permit tcp any any eq www
access-list 151 permit udp any any eq domain
access-list 151 permit tcp any any eq domain
access-list 151 deny   ip any any
0
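The accepted list works because a Cisco ACL is evaluated top-down with first match deciding, and the "established" and "eq domain" source-port entries admit the replies that the original list 151 dropped before reaching its final deny. The Python model below is an added example, not code from the question or from Jan Springer's answer: it parses both versions of ACL 151 as written above and evaluates constructed reply packets (an HTTP reply, a DNS reply, and an unsolicited inbound SSH SYN) in the "out" direction of Vlan64. It supports only the "any" address form and the eq/established qualifiers that appear on this page; the packets are constructed, not captured.

```python
# Cisco numbered-ACL semantics: entries are tested top-down, the first match
# decides, and anything unmatched hits the implicit deny at the end.
PORT_NAMES = {"www": 80, "domain": 53}
ORIGINAL_151 = """\
access-list 151 permit tcp any any eq www
access-list 151 permit udp any any eq domain
access-list 151 permit tcp any any eq domain
access-list 151 deny   ip any any"""

FIXED_151 = """\
access-list 151 permit tcp any any established
access-list 151 permit udp any eq domain any
access-list 151 permit tcp any eq domain any
access-list 151 permit tcp any any eq www
access-list 151 permit udp any any eq domain
access-list 151 permit tcp any any eq domain
access-list 151 deny   ip any any"""

def _port(toks):
    # Consume an optional 'eq <port>' after an address; None means any port.
    if toks and toks[0] == "eq":
        return PORT_NAMES.get(toks[1]) or int(toks[1]), toks[2:]
    return None, toks

def parse_acl(text):
    # Only the 'any' address form from this page is supported (no host/wildcard).
    entries = []
    for line in text.splitlines():
        toks = line.split()          # tolerates the extra spaces after 'deny'
        sport, rest = _port(toks[5:])  # toks[4] is the source 'any'
        dport, rest = _port(rest[1:])  # rest[0] is the destination 'any'
        entries.append(dict(action=toks[2], proto=toks[3], sport=sport, dport=dport,
                            established="established" in rest))
    return entries

def evaluate(entries, pkt):
    """Return 'permit' or 'deny' for pkt (keys: proto, sport, dport, flags)."""
    for e in entries:
        proto_ok = e["proto"] in ("ip", pkt["proto"])
        ports_ok = e["sport"] in (None, pkt["sport"]) and e["dport"] in (None, pkt["dport"])
        # 'established' matches only TCP segments with ACK or RST set (replies to
        # sessions the VLAN hosts opened); a fresh inbound SYN never matches it.
        est_ok = not e["established"] or (pkt["proto"] == "tcp" and bool(pkt["flags"] & {"ACK", "RST"}))
        if proto_ok and ports_ok and est_ok:
            return e["action"]
    return "deny"  # implicit deny at the end of every Cisco ACL

# Constructed packets as seen leaving Vlan64 toward its hosts (the "out" direction).
HTTP_REPLY = dict(proto="tcp", sport=80, dport=51000, flags={"ACK"})
DNS_REPLY = dict(proto="udp", sport=53, dport=40000, flags=set())
SSH_SYN_IN = dict(proto="tcp", sport=45000, dport=22, flags={"SYN"})
```

Running the three packets through both lists shows the original denying the HTTP and DNS replies (their destination port is the client's ephemeral port, not 80 or 53), while the fixed list permits them and still denies the unsolicited SYN toward port 22.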

Author Closing Comment

by:itmti
ID: 31711578
Awesome this worked perfectly!!!

Thank you!
0
 

Author Comment

by:itmti
ID: 30019368
Could you tell me how to insert an access-list entry into a switch using a line number?

WOB-CISCO-SWITCH(config)#access-list 151 permit line 2 ?
% Unrecognized command
WOB-CISCO-SWITCH(config)#access-list line ?
% Unrecognized command
WOB-CISCO-SWITCH(config)#access-list 151 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

WOB-CISCO-SWITCH(config)#access-list 151 line ?
% Unrecognized command
WOB-CISCO-SWITCH(config)#access-list 151 line
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 30020799
ip access-list extended 151
  5 permit tcp any any established
 15 permit udp any eq domain any
 25 permit tcp any eq domain any
 35 permit tcp any any eq www
 45 permit udp any any eq domain
 55 permit tcp any any eq domain
 65 deny   ip any any

Then to add:

ip access-list extended 151
 50 permit tcp host x.x.x.x any eq port

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
 
0
