Newbie ACL Help on Cisco Switch

I'm attempting to configure an ACL on a Cisco switch but it seems to be a bit different than the routers.

I need to allow only one host to talk through port 24 of my switch, but it won't let me apply an ACL to a single port. So I need to apply it to VLAN1.

I have 5 devices sitting behind port 24 - each with its own IP. I need to deny ALL but one IP from talking with the 5 hosts/IPs.

How would the ACL look for this situation?

Thanks in advance for any help!

Jake

In article , Jake wrote:
:I'm attempting to configure an ACL on a Cisco switch but it seems to be a bit different than the routers.

:I need to allow only one host to talk through port 24 of my switch but it won't let me apply an ACL to a single port.
:So I need to apply it to VLAN1.

Hmmm... ACLs on a switch, VLANs on the same switch, the possibility of applying ACLs to that VLAN.... explicit differentiation between 'switch' and 'router'....

My deduction is that you are either using an older switch with CatOS, or else that you are using a newer switch such as the Cat 2950 or Cat 3550 (or 3750, but you probably wouldn't have called that a 'switch'.)

:I have 5 devices sitting behind port 24 - each with its own IP.
:I need to deny ALL but one IP from talking with the 5 hosts/IPs.

:How would the ACL look for this situation?

If you are indeed using a 3550/3750, then the behaviour is different depending on whether the port is set to access mode or not. In switching mode, you can (if I recall correctly) apply ACLs per port; in access mode, the ACLs have to go on the VLAN.

If you are using a 2950 or 3550/3750 and you have to apply the ACL to the VLAN, then if I correctly recall something I briefly skimmed in this newsgroup a few weeks ago, the ACL is applied *outgoing* on the VLAN.

Something like...

access-list 101 permit ip host SERVER host CLIENT1
access-list 101 permit ip host SERVER host CLIENT2
access-list 101 permit ip host SERVER host CLIENT3

interface VLAN101
 ip access-group 101 out

However, if you -are- using a 3750 (or 3550?) then there is another facility entirely that you may wish to consider. The 3750 (and possibly other relatives) has a facility to define port groups in which all incoming data to any member of the port group is directed to a particular set of output ports, and only those output ports are allowed to send traffic to any member of the port group. In particular, the port group members are not allowed to send data amongst themselves directly... something that is easy to overlook if you use an ACL based scheme (e.g., if CLIENT1 sends to CLIENT2 then does the traffic "exit" VLAN1 in such a way that the ACL gets interposed?)

Walter Roberson
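Walter's sketch written out for Jake's five hosts, as an added example that comes from neither poster. The addresses and ACL names are constructed, and the second half assumes a 3550/3750-class switch that supports VLAN access maps, which is how one closes the bridged-traffic gap Walter points out at the end of his post.

```cisco
! Constructed addresses: the one permitted host is 10.1.1.10, the five
! devices behind port 24 are 10.1.1.21-10.1.1.25, and all sit in VLAN 1.
!
! Part 1 - the scheme Walter sketches: a router ACL applied outbound on
! the VLAN interface. It only sees traffic that is ROUTED into VLAN 1
! through that interface, so it shields the devices from other VLANs.
ip access-list extended ONLY-ALLOWED-HOST
 permit ip host 10.1.1.10 host 10.1.1.21
 permit ip host 10.1.1.10 host 10.1.1.22
 permit ip host 10.1.1.10 host 10.1.1.23
 permit ip host 10.1.1.10 host 10.1.1.24
 permit ip host 10.1.1.10 host 10.1.1.25
! Every other routed packet entering VLAN 1 hits the implicit deny, which
! also cuts off routed traffic to any OTHER VLAN 1 host; add permits for
! those hosts if they must stay reachable from other VLANs.
interface Vlan1
 ip access-group ONLY-ALLOWED-HOST out
!
! Part 2 - the gap Walter warns about: a host already in VLAN 1 reaches
! the devices (and the devices reach each other) by bridging, and that
! traffic never crosses the Vlan1 interface, so the ACL above never sees
! it. A VLAN access map (assumed 3550/3750 feature) is applied to bridged
! traffic in the VLAN as well as to routed traffic entering it.
ip access-list extended FROM-ALLOWED-HOST
 permit ip host 10.1.1.10 any
ip access-list extended TO-DEVICES
 permit ip any host 10.1.1.21
 permit ip any host 10.1.1.22
 permit ip any host 10.1.1.23
 permit ip any host 10.1.1.24
 permit ip any host 10.1.1.25
!
! Clause 10: anything sourced by the allowed host is forwarded.
vlan access-map PROTECT-DEVICES 10
 match ip address FROM-ALLOWED-HOST
 action forward
! Clause 20: anyone else addressed to one of the devices is dropped,
! including device-to-device traffic.
vlan access-map PROTECT-DEVICES 20
 match ip address TO-DEVICES
 action drop
! Clause 30: all remaining VLAN 1 traffic (replies from the devices to the
! allowed host, traffic between other hosts) is left alone.
vlan access-map PROTECT-DEVICES 30
 action forward
!
vlan filter PROTECT-DEVICES vlan-list 1
```

With the VLAN map in place the outbound router ACL becomes redundant for the five devices, so on a switch that supports VLAN maps you can keep just Part 2.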
