Cisco switch ACL 4500 series switch

Hi,

Trying to set up a restricted VLAN on a Cisco 4500.

I have created VLAN64.
Current config for it:

interface Vlan64
 description Virtual LAN for Restricted VLAN64
 ip address 192.168.64.254 255.255.255.0
 ip access-group 150 out
 ip helper-address 192.168.50.98
!
access-list 150 remark
access-list 150 remark ACCESS FROM VLAN64
access-list 150 permit icmp any any
access-list 150 permit udp any eq domain any
access-list 150 permit tcp any eq domain any
access-list 150 permit tcp any eq www any
access-list 150 permit tcp any eq 443 any
access-list 150 permit tcp host 192.168.50.91 eq 445 any
access-list 150 permit tcp any eq smtp any
access-list 150 permit tcp any eq ftp any
access-list 150 permit tcp 192.168.50.0 0.0.0.255 eq 135 any
access-list 150 permit tcp 192.168.50.0 0.0.0.255 eq 3269 any
access-list 150 remark
access-list 150 remark ACCESS INTO VLAN64
access-list 150 permit tcp any any eq 445
access-list 150 permit tcp any any eq 3389
access-list 150 deny   ip any any
!
!

Basically opening some ports from VLAN64 and opening some ports into VLAN64 from other networks.

Works fine, but this is not an easy way to manage this type of setup.

Would like to create some Groups for some computers, let's say Domain Controllers,
and add several IP addresses to that Pool.

Is it possible on Cisco Switch to create Pools and apply ACLs to Pools?

access-list 150 permit tcp DomainControllersPool eq 135 any

Or something like that?

itmti Asked:

Ilir Mitrushi, IT Infrastructure and Security Architect, Commented:
You can use wildcard masking to match ranges of IPs.

For example, access-list 150 permit tcp 192.168.50.0 0.0.0.7 eq 135 any will match a range of IPs from 1 to 7.
Here is a handy calculator:
http://www.subnet-calculator.com/wildcard.php
itmti Author Commented:
Not good, since the IPs are not all going to be in order.

For example, on a Cisco ASA it is pretty easy to configure:

object-group network FILESERVERS
 network-object host 192.168.1.5
 network-object host 192.168.10.10
 network-object host 192.168.1.20
 network-object host 192.168.1.22
access-list Inside_access_in_1 extended permit tcp host 192.168.50.79 object-group FILESERVERS eq 445

Something similar?
Ilir Mitrushi, IT Infrastructure and Security Architect, Commented:
Unfortunately there isn't a similar way of configuring ACLs on the IOS used on Catalyst switches. It may be that there is a conflict of interest between the switching department and the firewall department; both want to sell!!

itmti Author Commented:
Same answer I got from Cisco:

I checked the config guide on this and it does not show this functionality in the switch.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/secure.html#wp1081785

However, in rare cases the config guide will not show a function on the switch. To make sure I checked it in the lab and the command line does not exist to do this.  Based on that it looks like that function does not exist on the switch. Let me know if I can be of further assistance.
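Since the Catalyst IOS in this thread has no object-groups, the usual workaround is to keep the pool definitions in a file and generate the per-host ACEs from them, then paste the result into the switch. What follows is an added example written for this page, not code from the thread, from Cisco, or from Experts Exchange. The pool names, addresses and rules are constructed sample data, the output uses the same numbered "access-list 150" syntax as the question, and it also covers the wildcard-mask point from the first answer: a pool collapses to one network/wildcard entry only when its members form an aligned power-of-two block (for example .0 through .7 for 0.0.0.7), otherwise it is expanded host by host. lint_rules is a check added here for entries that match on source port alone.

```python
import ipaddress

# Constructed sample pools for this example (not the thread's real servers).
POOLS = {
    "DomainControllers": ["192.168.50.91", "192.168.50.92", "192.168.50.98"],
    "FileServers": ["192.168.1.5", "192.168.10.10", "192.168.1.20", "192.168.1.22"],
    "Lab": ["192.168.50.%d" % i for i in range(8)],   # .0-.7: contiguous and aligned
}

# Constructed rules: (protocol, source, source_port, destination, destination_port).
# source/destination are a pool name or "any"; a port of None means any port.
RULES = [
    ("tcp", "DomainControllers", 135, "any", None),
    ("tcp", "DomainControllers", 3269, "any", None),
    ("tcp", "any", None, "FileServers", 445),
    ("tcp", "Lab", 22, "any", None),
    ("tcp", "any", 80, "any", None),    # source-port-only entry, flagged by lint_rules
]


def wildcard_block(addrs):
    """Return (network, wildcard) covering exactly `addrs`, or None.

    A wildcard mask can only describe an aligned block whose size is a power
    of two (192.168.50.0 0.0.0.7 is .0 through .7), so scattered hosts get
    None and have to be written as individual host entries.
    """
    ips = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    n = len(ips)
    if n < 2 or n & (n - 1):                          # single host or not a power of two
        return None
    lo = ips[0]
    if lo % n or ips != list(range(lo, lo + n)):      # unaligned start or gaps
        return None
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(n - 1))


def expand_endpoint(endpoint):
    """Turn 'any' or a pool name into the IOS address tokens for an ACE."""
    if endpoint == "any":
        return ["any"]
    block = wildcard_block(POOLS[endpoint])
    if block:
        return ["%s %s" % block]
    return ["host %s" % a for a in POOLS[endpoint]]


def render_acl(number, rules):
    """Render a numbered extended ACL, one ACE per (source, destination) pair."""
    lines = []
    for proto, src, sport, dst, dport in rules:
        lines.append("access-list %d remark %s -> %s" % (number, src, dst))
        for s in expand_endpoint(src):
            for d in expand_endpoint(dst):
                ace = "access-list %d permit %s %s" % (number, proto, s)
                if sport is not None:
                    ace += " eq %s" % sport
                ace += " " + d
                if dport is not None:
                    ace += " eq %s" % dport
                lines.append(ace)
    lines.append("access-list %d deny ip any any" % number)
    return lines


def lint_rules(rules):
    """Indexes of rules with any source, any destination and only a source port.

    On a stateless ACL such an entry lets any host reach any port in the
    protected VLAN simply by sending from that source port.
    """
    return [i for i, (_, src, sport, dst, dport) in enumerate(rules)
            if src == "any" and dst == "any" and sport is not None and dport is None]


if __name__ == "__main__":
    print("\n".join(render_acl(150, RULES)))
    print("# source-port-only rules:", lint_rules(RULES))
```

Regenerate the whole list on every pool change; numbered ACLs cannot be edited in place on this IOS. Do not simply "no access-list 150" while "ip access-group 150 out" is still on the SVI: an interface that references an ACL which does not exist passes all traffic on IOS, so either remove the access-group first or build the new list under a different number and swap the access-group over. The entries lint_rules flags are the shape of "permit tcp any eq www any" in the question; for TCP return traffic the IOS "established" keyword (matches segments with ACK or RST set) is the narrower alternative to matching on source port.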
itmti Author Commented:
Thanks for suggestions