Cisco Switch Network Security ACL 4500

Trying to configure some ACLs on a Cisco CAT4510R.

Basically we are trying to control access between the VLANs using ACLs, and here is the config so far for the new VLAN:

!
interface Vlan64
 description Virtual LAN for Restricted VLAN64
 ip address 192.168.64.254 255.255.255.0
 ip access-group 150 in
 ip access-group 151 out
 ip helper-address 192.168.50.98
!
access-list 150 permit ip any any
access-list 151 permit tcp any any eq www
access-list 151 permit udp any any eq domain
access-list 151 permit tcp any any eq domain
access-list 151 deny   ip any any


But I think I am missing something, because once I enter the last line, access-list 151 deny, it denies everything, even the ports specified above.

Any suggestions or recommendations how to use ACLs on Cisco Switch?
itmti asked:

Don Johnston (Instructor) commented:
What, specifically, are you trying to accomplish? It looks like you want any address to be able to access a web server and DNS server located on (or beyond) the 192.168.64.0/24 network.

ACL 150 is doing nothing and the "151 deny ip any any" is also doing nothing.

Please elaborate on your goals.
itmti (Author) commented:
I would like to allow network 192.168.64.0/24 DNS and WWW out to any.
And allow anything (any, any) from other networks in to 192.168.64.0/24.

Basically 192.168.64.0/24 would be restricted VLAN that would have only www and dns out to anywhere.

Thanks
Jan Springer commented:
access-list 150 permit ip any any
access-list 151 permit tcp any any established
access-list 151 permit udp any eq domain any
access-list 151 permit tcp any eq domain any
access-list 151 permit tcp any any eq www
access-list 151 permit udp any any eq domain
access-list 151 permit tcp any any eq domain
access-list 151 deny   ip any any
itmti (Author) commented:
Awesome this worked perfectly!!!

Thank you!

itmti (Author) commented:
Could you tell me how to insert an access-list entry into a switch using a line number?

WOB-CISCO-SWITCH(config)#access-list 151 permit line 2 ?
% Unrecognized command
WOB-CISCO-SWITCH(config)#access-list line ?
% Unrecognized command
WOB-CISCO-SWITCH(config)#access-list 151 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

WOB-CISCO-SWITCH(config)#access-list 151 line ?
% Unrecognized command
WOB-CISCO-SWITCH(config)#access-list 151 line

Jan Springer commented:
ip access-list extended 151
   5 permit tcp any any established
 15 permit udp any eq domain any
 25 permit tcp any eq domain any
 35 permit tcp any any eq www
 45 permit udp any any eq domain
 55 permit tcp any any eq domain
 65 deny   ip any any

Then to add:

ip access-list extended 151
 50 permit tcp host x.x.x.x any eq port

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
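Both ACL 151 listings above (the original one from the question and the corrected one from Jan Springer's first answer, in the sequence-numbered form of the second) can be checked offline. The evaluator below is an added example, not code from this thread or from Cisco: it models the IOS rules the thread turns on, namely first-match evaluation in sequence-number order, the implicit deny after the last entry, `eq <port>` binding to the address it follows, `established` matching only TCP segments with ACK or RST set, and insertion of a new entry by sequence number. The flows it tests are constructed: 203.0.113.10 stands in for an external web server, 192.168.64.10 and 192.168.64.20 for VLAN64 hosts, 10.1.1.1 for a host on another VLAN; only 192.168.50.98 comes from the question. It shows why the original list dropped web and DNS replies (a reply from a web server has source port 80, not destination port 80, so `permit tcp any any eq www` never matches it) and why the `established` and `eq domain any` entries let those replies through while still denying a fresh inbound SYN to another port.

```python
"""First-match evaluator for Cisco IOS extended ACL entries (added example, constructed data).
Models the IOS rules this thread turns on: entries are tried in sequence-number order and the
first match decides; an implicit "deny ip any any" follows the last entry; "eq <port>" binds to
the address it follows; "established" matches only TCP segments with ACK or RST set.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}   # IOS keyword -> port number
ANY = ("0.0.0.0", "255.255.255.255")                                  # (address, wildcard) for "any"

# ack=True means the ACK or RST bit is set, which is all that "established" inspects.
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
Entry = namedtuple("Entry", "seq action proto src sport dst dport established")


def parse_entry(line, default_seq=0):
    """Parse one 'ip access-list extended' entry; an unnumbered entry gets default_seq."""
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else default_seq
    action, proto = toks.pop(0), toks.pop(0)

    def take_addr():                      # any | host A.B.C.D | A.B.C.D wildcard
        tok = toks.pop(0)
        if tok == "any":
            return ANY
        return (toks.pop(0), "0.0.0.0") if tok == "host" else (tok, toks.pop(0))

    def take_port():                      # optional "eq <name|number>" after an address
        if toks and toks[0] == "eq":
            toks.pop(0)
            name = toks.pop(0)
            return PORT_NAMES.get(name) or int(name)
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Entry(seq, action, proto, src, sport, dst, dport, bool(toks) and toks[0] == "established")


def parse_acl(text):
    """Parse a block of entries; unnumbered lines get 10, 20, 30 ... as IOS assigns them."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    return [parse_entry(ln, 10 * (i + 1)) for i, ln in enumerate(lines)]


def _addr_match(ip, rule):
    addr, wildcard = rule
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))   # wildcard bit set == don't care
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(addr)) & care)


def matches(e, p):
    if e.proto not in ("ip", p.proto):
        return False
    if not (_addr_match(p.src, e.src) and _addr_match(p.dst, e.dst)):
        return False
    if (e.sport is not None and p.sport != e.sport) or (e.dport is not None and p.dport != e.dport):
        return False
    return p.ack if e.established else True


def evaluate(acl, p):
    """Return (action, seq) of the first matching entry; (deny, None) is the implicit deny."""
    for e in sorted(acl, key=lambda x: x.seq):
        if matches(e, p):
            return e.action, e.seq
    return "deny", None


# The two versions of ACL 151 from the thread, applied "out" on Vlan64, i.e. to packets the
# switch forwards toward the 192.168.64.0/24 hosts.
OP_ACL_151 = parse_acl("""
permit tcp any any eq www
permit udp any any eq domain
permit tcp any any eq domain
deny ip any any
""")
FIXED_ACL_151 = parse_acl("""
 5 permit tcp any any established
15 permit udp any eq domain any
25 permit tcp any eq domain any
35 permit tcp any any eq www
45 permit udp any any eq domain
55 permit tcp any any eq domain
65 deny ip any any
""")

# Constructed flows (not from the thread): a reply from an external web server to a VLAN64
# client, a DNS answer from the helper/DNS host named in the question, and an SSH SYN from
# another VLAN to a VLAN64 host.
HTTP_REPLY = Packet("tcp", "203.0.113.10", "192.168.64.10", sport=80, dport=51514, ack=True)
DNS_REPLY = Packet("udp", "192.168.50.98", "192.168.64.10", sport=53, dport=40000)
SSH_IN = Packet("tcp", "10.1.1.1", "192.168.64.20", sport=40000, dport=22)

if __name__ == "__main__":
    for name, pkt in (("HTTP reply", HTTP_REPLY), ("DNS reply", DNS_REPLY), ("SSH in", SSH_IN)):
        print(f"{name:10s} original: {evaluate(OP_ACL_151, pkt)}  fixed: {evaluate(FIXED_ACL_151, pkt)}")
    # Inserting by sequence number slots a new entry between 45 and 55 without retyping the list.
    with_ssh = FIXED_ACL_151 + [parse_entry("50 permit tcp host 10.1.1.1 any eq 22")]
    print("SSH in after seq 50 is inserted:", evaluate(with_ssh, SSH_IN))
```

Run it directly to print the verdict of each list for each flow. Two caveats the thread does not spell out, stated here as the editor's notes rather than as anything a participant said: on an SVI, `out` filters packets the switch forwards toward the VLAN64 hosts and `in` filters what those hosts send, so the stated goal (VLAN64 may only reach DNS and WWW elsewhere) is enforced by the list applied `in`, which in the posted config is still `permit ip any any`; and `established` is stateless, so it admits any TCP segment with ACK or RST set regardless of whether a session exists. If a restrictive list is ever applied `in` on Vlan64, check that it also permits the clients' DHCP requests (udp from bootpc to bootps), since the `ip helper-address` relay only sees broadcasts that the inbound ACL lets through.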