HELFIT (United States) asked:
Limit traffic to specific Cisco port?

Is it possible to limit traffic to a specific port on a Cisco switch? We have a printer attached, and we would like only traffic from specific workstation to be allowed to communicate with this printer. To be more clear, lets say the printer is on switch port 10. I want the workstation that is using IP address 192.168.1.50 to have all access to that port, but deny all access to any other address.
SOLUTION by David Needham (United Kingdom): available to Experts Exchange members only.
ASKER CERTIFIED SOLUTION: available to Experts Exchange members only.
SOLUTION: available to Experts Exchange members only.
PACL won't work here, Predrag. They only work on traffic coming from the printer, not to it.
Larger picture. :)
Printing is typically TCP traffic. The 3-way handshake will not work, and no TCP session will be established (nor any other session-based traffic). The port will block ARP replies, etc.
It won't work.  Trust me.
This has nothing to do with trust... but with how the technology works, that's all. It will work if configured correctly.
So, don't trust me on this... test it...
I already have, Predrag.  In fact, I've tested it extensively in hospitals, universities, schools, businesses, etc.

I've even got it configured on my 3750E at home, so I know it doesn't work.

I've configured it statically and using RADIUS/dACL.

Read the question again...

Is it possible to limit traffic to a specific port on a Cisco switch?

I want the workstation that is using IP address 192.168.1.50 to have all access to that port, but deny all access to any other address.

The answer to that, when using a PACL, is no.  PACLs limit traffic FROM a specific port, not TO a specific port.  PACLs work on ingress, not egress.
In fairness though, Predrag, I know where you're going.

If you take a simple example, you can block access from the printer to everything apart from the one IP, but that's not what was asked.  It's the reverse.  The question asks how to block everything TO the printer on a specific port apart from one IP.

It might sound like I'm splitting hairs here, but I'm just going on the specifics of the question. :-)
Let's assume we block FROM the printer, doing it Predrag's way :-) ...

ip access-list extended PRINTER-ACL
 remark Printer may send only to the workstation 192.168.1.50
 permit ip any host 192.168.1.50
 remark Everything else the printer sends is dropped (matches the implicit deny)
 deny ip any any
!
interface GigabitEthernet0/10
 description Printer port
 ! "in" = frames entering the switch from the printer; a Layer 2 port ACL
 ! (PACL) is inbound only, so this filters FROM the printer, not TO it
 ip access-group PRINTER-ACL in
I initially wrote the same as you did and then wrote VACL configuration. 😀
And then I realized that it can be done both ways, so I deleted the VACL code, although it is the preferred solution (it will save some traffic).
Yep, VACL is preferred unless you just want to restrict traffic coming into the port from the attached device, towards the rest of the network.

VACL works best across the switch and offers greater flexibility.
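The VACL approach the thread settles on, written out as an added example (this is not code from the thread or from either participant). It assumes the printer has the static address 192.168.1.100 and that printer and workstation both sit in VLAN 10; neither value appears in the original question, and the map and ACL names are arbitrary. Unlike the PACL above, this blocks traffic TO the printer from every address except 192.168.1.50, which is what the question asked for.

```cisco
! Added example, not from the original thread.
! Assumed: printer = 192.168.1.100 (static), workstation = 192.168.1.50,
! both in VLAN 10. None of these values except .50 come from the question.
!
! A VACL is stateless and judges each frame on its own, so the allowed
! pair must be listed in both directions.
ip access-list extended PRINTER-ALLOWED
 remark workstation <-> printer, both directions
 permit ip host 192.168.1.50 host 192.168.1.100
 permit ip host 192.168.1.100 host 192.168.1.50
!
! Anything else addressed to, or sourced from, the printer.
ip access-list extended PRINTER-OTHER
 remark all other IP traffic touching the printer
 permit ip any host 192.168.1.100
 permit ip host 192.168.1.100 any
!
! Entries are evaluated in sequence order; the first match wins.
! In a VACL, "permit" in the referenced ACL means "this frame matches";
! the action clause decides what happens to it.
vlan access-map PRINTER-MAP 10
 match ip address PRINTER-ALLOWED
 action forward
vlan access-map PRINTER-MAP 20
 match ip address PRINTER-OTHER
 action drop
! An entry with no match clause catches everything left over (other
! hosts' traffic, ARP, non-IP frames). Without it, unmatched traffic
! in the VLAN would be dropped.
vlan access-map PRINTER-MAP 30
 action forward
!
! Apply the map to the VLAN. It filters frames bridged within VLAN 10
! and traffic routed into or out of it, regardless of ingress port.
vlan filter PRINTER-MAP vlan-list 10
```

Check the result with `show vlan access-map` and `show vlan filter`. Two caveats a practitioner will want: the filter is IPv4-only, so ARP and other non-IP frames pass through sequence 30 (which is what lets the workstation resolve the printer at all), and the decision rests on the source address alone, so any host that claims 192.168.1.50 is let through. Pair it with DHCP snooping and IP Source Guard, or a static ARP/port-security binding on the workstation's port, if spoofing is a concern.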