Solved

Port ACL

Posted on 2011-03-23
Last Modified: 2012-05-11
I want to perform the following on an 8-port IE3000 switch:

a. Allow only one IP address to connect to port FA1/8. I.e I have a device with a fixed IP address that I want to connect to that port. I don't want any other devices to connect to that port.

b. On the other ports I want any device connected to the port to only speak to the device connected on port FA1/8.

I looked at port ACL's but I can't find the exact syntax that I need
Question by:adimit
 
LVL 45

Accepted Solution

by:
Craig Beck earned 188 total points
ID: 35202860
Firstly (although not essential) I would configure port-security on the port you want to restrict to one PC, by specifying its MAC address...

interface fa1/8
switchport port-security mac-address 0000.1111.2222



Then create a PACL for controlling access to that PC from the other ports, and one to control access from the restricted port.  Let's assume the PC connected to port fa1/8 has IP address 10.0.0.1....

ip access-list extended restrictclientaccess
 permit ip any host 10.0.0.1
 end

interface range fa1/1 - 8
 ip access-class restrictclientaccess in
 end

ip access-list extended restrictserveraccess
 permit ip host 10.0.0.1 any
 end

interface fa1/8
 ip access-class restrictserveraccess in
 end

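The filtering effect of the two port ACLs in the answer above, modelled in Python as an added example (not code from the thread or from Cisco): each port carries one inbound PACL, the first matching entry wins, and anything unmatched hits the implicit deny at the end of the list. It assumes the ip access-group form of the command that the thread later settles on, and constructed host addresses 10.0.0.5 and 10.0.0.6 on the client ports.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an extended IP ACL (protocol ip only)."""
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip):
    return ipaddress.ip_network(f"{ip}/32")


# The two lists from the answer: "permit ip any host 10.0.0.1" and
# "permit ip host 10.0.0.1 any".
ACLS = {
    "restrictclientaccess": [Ace("permit", ANY, host("10.0.0.1"))],
    "restrictserveraccess": [Ace("permit", host("10.0.0.1"), ANY)],
}

# A port holds a single inbound PACL, so the later "ip access-group" on fa1/8
# replaces the one that "interface range fa1/1 - 8" had applied there.
PORT_ACL = {f"fa1/{n}": "restrictclientaccess" for n in range(1, 8)}
PORT_ACL["fa1/8"] = "restrictserveraccess"


def evaluate(acl_name, src, dst):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in ACLS[acl_name]:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def ingress_allowed(port, src, dst):
    """Would a packet with this src/dst arriving on `port` be forwarded?"""
    return evaluate(PORT_ACL[port], src, dst) == "permit"
```

A client reaching the server is permitted, client-to-client traffic is dropped at the ingress port, and a frame entering fa1/8 with any source other than 10.0.0.1 is dropped as well, which is what makes the second list worth applying.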
LVL 2

Assisted Solution

by:leetpriest
leetpriest earned 312 total points
ID: 35209211
You're also going to want to do the following:

interface fa1/8
switchport port-security maximum 1
switchport port-security violation protect

That's if you want the port to drop packets from unspecified mac addresses. If you want it to completely shutdown on the detection of a mac other than that which you specify, you should issue the "shutdown" command in place of "protect".

Author Comment

by:adimit
ID: 35216724
What would I do to port fa1/8 if I wanted it to have access to only 2 out of a possible 9 VLANs?

Author Comment

by:adimit
ID: 35216744
My switch does not accept the command ip access-class restrictclientaccess in.

Is this command essential?
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 188 total points
ID: 35216864
Yes, if it doesn't accept the command you may have an older version of IOS.

Can you paste the output from the following command:

sho version

Author Comment

by:adimit
ID: 35216889
I used the command ip access-group instead. Is that the equivalent?

Cisco IOS Software, IES Software (IES-LANBASE-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 06:31 by sasyamal
Image text-base: 0x00003000, data-base: 0x01800000

LVL 2

Assisted Solution

by:leetpriest
leetpriest earned 312 total points
ID: 35216927
Question on issue B:

Are devices connected to ports other than 1/8 in different subnets or VLANs than each other? Are they in different subnets than the server on 1/8?

If the answer to both questions is no, and everything is in 1 subnet, your best bet is to use a private VLAN for these machines, and configure 1/8 as a promiscuous port, and all other ports (that are connected to host devices) as isolated ports. Let me know if this is the case, and I can post an example config.
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 188 total points
ID: 35216933
Wow, my bad!!

You are correct, the command is ip access-group, not ip access-class!!!

Apologies :-)

Author Comment

by:adimit
ID: 35216950
All ports are on the same VLAN. In my case, VLAN 103.
LVL 2

Assisted Solution

by:leetpriest
leetpriest earned 312 total points
ID: 35217152
That being the case, Craig's solution will work for layer 3 traffic, but those hosts will still communicate layer 2 traffic, to include broadcasts. If you want to isolate broadcast traffic as well, you need to implement private VLANs:

If you're on a vtp client, change it to transparent mode first.


vlan 103
name pri-vlan
private-vlan prim

vlan 113
name isolated-vlan
private-vlan isol

vlan 123
name comm-vlan
private-vlan comm


vlan 103
private-vlan assoc  113,123


int fa1/8
desc server
swi mod private-vlan prom
swi private-vlan mapping 103,113,123
end

int rang fa1/1  - 7
desc host ports
swi mod private-vlan host
swi private-vlan host-assoc 103,113
end


In this example, fa1/8 is your server port, and fa1/1-7 are your hosts. If you have a connection to another switch as a trunk, you need to trunk it normally, and do not apply the above config to that port. If it is connected via access or is connected to a router, replicate the config on the server port to that port.

Hosts will not be able to communicate with each other, but will be able to communicate to the server. Also, if you want to keep any other machines from connecting to port 1/8 physically, you need to implement the port security config that Craig gave you, and the rest that I gave you. Without that config, any other MAC address will be able to connect and pass traffic. Implementing the config for port security will limit the port to only the MAC address that you specify, and drop frames from any other MAC that gets connected.
LVL 2

Assisted Solution

by:leetpriest
leetpriest earned 312 total points
ID: 35217206
Also, I'm using truncated commands, you may want to tab out on the truncated commands to get a good idea of what I'm having you do.

If you need a reference and explanation, here is a good place to start:


Cisco IE3000 12.2.52SE config guide

Author Comment

by:adimit
ID: 35217363
In my case I want port fa1/8 to access VLANs 103, 100 and 1.

In your example, what are VLANs 113 and 123? Are they the other VLANs I want to communicate with?
LVL 2

Assisted Solution

by:leetpriest
leetpriest earned 312 total points
ID: 35217693
Yes. VLAN 123 is a community VLAN. Hosts in this VLAN would be able to access each other, and members of VLAN 103. VLAN 103 is the primary VLAN, which may serve as the backbone (with private VLANs you cannot use VLAN 1). VLAN 113 is the isolated VLAN, where you may place hosts that should not be able to communicate to each other.

With the private vlan model I've given you, you can set up the community vlan now in case you need it later, you don't particularly need it now with your environment.

As long as you haven't set up VLAN 100 to be a private VLAN, and you're able to route between VLANs 103, 100, and 1, you should be fine setting the switch up the way I've shown you. If the other hosts that you want to isolate from each other need to access the internet, just make sure to set up the port that is facing your router/firewall/internet facing device or next hop device as a promiscuous port, which is the same configuration as port fa1/8.

This document can shed a little more light on how Private VLANs work. Your topology may differ slightly, but reading this will give you a better idea of what I'm telling you to do. The document is intended for large chassis switches, but it applies to your situation. Focus on the Cisco IOS commands in the document, and not the CatOS commands. Private VLANs can be confusing at first, so this may give you a little bit of a better understanding.

Cisco Private vlan explanation and configuration

Author Comment

by:adimit
ID: 35235058
I entered the private VLAN info. I did not add an isolated VLAN. Upon doing this, ports Fa1/1 - 7 are yellow when I plug in a PC.  Notice port FA1/6 (port where the PC is connected).

SHOW IP INT BRIEF

show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.100.20.24    YES NVRAM  up                    up
Vlan100                unassigned      YES NVRAM  up                    up
Vlan103                unassigned      YES NVRAM  up                    up
FastEthernet1/1        unassigned      YES unset  down                  down
FastEthernet1/2        unassigned      YES unset  down                  down
FastEthernet1/3        unassigned      YES unset  down                  down
FastEthernet1/4        unassigned      YES unset  down                  down
FastEthernet1/5        unassigned      YES unset  down                  down
FastEthernet1/6        unassigned      YES unset  up                    down
FastEthernet1/7        unassigned      YES unset  down                  down
FastEthernet1/8        unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up

Show VTP Status:

VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : xxx.local
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 68bd.abe9.e400
Configuration last modified by 10.100.20.24 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode                : Transparent
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 8
Configuration Revision            : 0
MD5 digest                        : 0x4C 0x30 0x6E 0x6F 0x9D 0x7C 0x33 0x42
                                    0x74 0x7A 0xFC 0x5B 0x18 0x04 0x4C 0xBD


show vlan: (notice that there are no associated ports)

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
100  100                              active
103  103                              active
123  VLAN-Communite                   active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
103  enet  100103     1500  -      -      -        -    -        0      0
123  enet  100123     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

SHOW CONFIG:

vlan 100
 name X
!
vlan 103
 name Y
  private-vlan primary
  private-vlan association 123
!
vlan 123
 name VLAN-Communite
  private-vlan community

interface FastEthernet1/6
 description XXXX
 witchport access vlan 103
 switchport private-vlan host-association 103 113
 switchport mode private-vlan host
 ip access-group restrictclientaccess in
 speed 100
 duplex full
 spanning-tree portfast

interface FastEthernet1/8
 description API
 switchport access vlan 103
 switchport private-vlan mapping 103 123
 switchport mode private-vlan promiscuous
 switchport port-security violation protect
 switchport port-security mac-address 000e.8cf4.ea38
 ip access-group restrictserveraccess in
 speed 100
 duplex full
 spanning-tree portfast


interface Vlan1
 ip address 10.100.20.24 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface Vlan100
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan103
 no ip address
 no ip route-cache
 no ip mroute-cache
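The mismatch visible in the config above (fa1/6 host-associated with secondary VLAN 113 while the VLAN database only defines 103 as primary with 123 as its associated community VLAN) is the kind of thing a consistency check catches before a port is bounced. The Python below is an added example, not code from the thread or from Cisco: it parses the full-form private-vlan commands as they appear in the posted running config (a constructed excerpt is embedded), and reports every host-association or mapping whose primary is not declared primary, whose secondary does not exist, or whose secondary is not associated with that primary.

```python
import re

# Constructed excerpt of the running config posted in the thread: VLAN 103 is
# primary and associated only with 123, yet fa1/6 references secondary VLAN 113.
SAMPLE_CONFIG = """\
vlan 103
  private-vlan primary
  private-vlan association 123
vlan 123
  private-vlan community
interface FastEthernet1/6
 switchport private-vlan host-association 103 113
interface FastEthernet1/8
 switchport private-vlan mapping 103 123
"""


def parse(config):
    # vlans: id -> {"role": primary|isolated|community|None, "assoc": {ids}}
    # ports: name -> [(primary, {secondaries}), ...] from host-association/mapping
    vlans, ports, cur = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"vlan (\d+)$", line):
            cur = vlans.setdefault(int(m[1]), {"role": None, "assoc": set()})
        elif m := re.match(r"interface (\S+)$", line):
            cur = ports.setdefault(m[1], [])
        elif cur is None:
            continue
        elif m := re.match(r"private-vlan (primary|isolated|community)$", line):
            cur["role"] = m[1]
        elif m := re.match(r"private-vlan association ([\d,\s]+)$", line):
            cur["assoc"] |= {int(v) for v in re.split(r"[,\s]+", m[1])}
        elif m := re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,\s]+)$", line):
            cur.append((int(m[1]), {int(v) for v in re.split(r"[,\s]+", m[2])}))
    return vlans, ports


def check(config):
    """One finding per PVLAN reference that the VLAN database cannot satisfy."""
    vlans, ports = parse(config)
    findings = []
    for name, bindings in ports.items():
        for prim, secs in bindings:
            if vlans.get(prim, {}).get("role") != "primary":
                findings.append(f"{name}: VLAN {prim} is not a primary private VLAN")
            for s in sorted(secs):
                if s not in vlans:
                    findings.append(f"{name}: secondary VLAN {s} does not exist")
                elif vlans[s]["role"] not in ("isolated", "community"):
                    findings.append(f"{name}: VLAN {s} is not an isolated or community VLAN")
                elif s not in vlans.get(prim, {}).get("assoc", set()):
                    findings.append(f"{name}: VLAN {s} is not associated with primary VLAN {prim}")
    return findings
```

Running check() on the sample flags only fa1/6; adding "vlan 113" with "private-vlan isolated" and extending the association on VLAN 103 to "113,123" clears it.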

Author Comment

by:adimit
ID: 35315609
I mistyped the commands. All of the expert comments helped to solve this issue.

Author Closing Comment

by:adimit
ID: 35315626
This was a perfect solution. All comments were exact and they worked well