Solved

Applying an extended Cisco ACL to a FastEthernet port on a 3750

Posted on 2011-03-04
Last Modified: 2012-05-11
I have not worked much with extended ACLs, so I'm confused about something. When I apply my extended ACL to a workstation access port on the 3750 it looks like this:

ip access-group <extended access group name> in

There is no "out" option in the setup. I don't understand why there is a directional option at all but I can't apply the extended access group unless I choose "in".

Obviously I'm missing something. Will the "in" option prevent traffic from traveling freely in both directions ???
Question by:Hegnerdc
13 Comments
 

Expert Comment

by:Bardlebee
ID: 35040300
It would, eventually. If you prevent certain packets from coming in then servers on the outside won't be able to send you replies, thus not making a connection.

I can't answer your question as to why there is no "out" function, as I truly do not know. Either way however they shouldn't be able to transfer data.

I assume this is on your outside facing port to the internet? So if you wanted to block, say, FTP traffic you would do something like this:

ip access-list extended BLOCK_FTP
    remark block FTP control connections from the outside servers
    deny tcp <the outside servers IP> <outside servers wildcard mask> <inside network/IP> <inside network wildmask> eq 21
    remark an extended ACL ends in an implicit deny, so allow everything else
    permit ip any any


Expert Comment

by:Bardlebee
ID: 35040313
What interface is this on? I just tried this on a 1811 router and it worked fine, the "out" option was present. However I tried it on an interface that did not have ip nat outside and it didn't even have the access-group option.

I am not sure if this is the reason or not.

Author Comment

by:Hegnerdc
ID: 35040375
It is on a standard access port that would normally be used for a workstation. The port will eventually connect to a time clock that must be segregated from the rest of the network. I can connect to the port with a laptop and ping the VLAN successfully so it appears ip is flowing in both directions. Hmmmmm !!

Expert Comment

by:Bardlebee
ID: 35040426
So, your setup is basically a router on a stick then? You have multiple VLANs and you are trying to block the data flow at what level? The router or the switch?

Are you routing using trunking to the router? Can you use access-group commands on that interface that the connection comes in at?

Access ports that go to a switch aren't going to be able to use access-lists for IP since they are a layer two device. Again, I am a CCNA so I don't have wizard's knowledge, but I am sure you can't use access-group on an access port and you need to use the access-list at the router where the VLAN is being routed through.

It would look something like this if you are trying to block a specific service to a specific PC.

access-list 101 deny tcp <user IP Address> <User wildmask> <timeclock IP> <Timeclock wildmask> eq <Port number>
access-list 101 permit ip any any

You may not need the port number if you want to block that PC from the entire time clock server...

Expert Comment

by:Bardlebee
ID: 35040431
Unless of course you're using a Layer 3 switch, then I have no clue. :)

Expert Comment

by:Bardlebee
ID: 35040447
Ugh, I am a fool this is a layer 3 switch.... this may be outside the purview of my knowledge.... heh.

Expert Comment

by:Bardlebee
ID: 35040456
Sorry to spam this, but I found a question that is close to yours here:

https://supportforums.cisco.com/thread/32029

BAM!

Accepted Solution

by:Don Johnston (earned 500 total points)
ID: 35041289
3750s support PACLs (Port ACLs), which means an access-list can be applied to a layer-2 interface. But it can only be applied inbound.

Details here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1285529


Author Comment

by:Hegnerdc
ID: 35055985
Excellent to know this. From reading the URL I gather that the ACL has no effect on outbound packets at layer 2; it only filters inbound packets. Am I reading this right ???

Expert Comment

by:Don Johnston
ID: 35056076
Yep.
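An added example (not posted by anyone in this thread) of what the inbound-only PACL from the accepted answer looks like for the time-clock port described in the question. The addresses, VLAN, interface number and the services the clock is allowed to reach are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed: time clock 10.10.20.50 in VLAN 20,
! its server 10.10.30.10 (HTTPS), DNS server 10.10.30.53, port Fa1/0/12.
ip access-list extended TIMECLOCK_IN
 remark PACL: matches only packets ENTERING the switch on this port, i.e. sent BY the clock
 remark DHCP discover is sourced from 0.0.0.0, so the source must be "any"
 permit udp any eq bootpc any eq bootps
 permit udp host 10.10.20.50 host 10.10.30.53 eq domain
 permit tcp host 10.10.20.50 host 10.10.30.10 eq 443
 remark everything else the clock tries to send is dropped by the implicit deny
 deny   ip any any
!
interface FastEthernet1/0/12
 description Time clock (isolated)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 remark-free note: "in" is the only direction a port ACL accepts on the 3750
 ip access-group TIMECLOCK_IN in
!
```

Because the PACL is inbound only and stateless, packets sent toward the clock enter the switch on other ports and are never examined here; the deny lines only stop what the clock itself originates. To restrict what can reach the clock, filter on the VLAN 20 SVI with a router ACL (which does accept the out direction) or a VLAN map.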

Author Comment

by:Hegnerdc
ID: 35056968
Thanks everybody for your help.

Expert Comment

by:Qlemo
ID: 35349184
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.