
ACL's on 2924xls Ay Carumba!!!!

Here's a stupid question for everyone ..... How do I apply an ACL I have written to a specific port on a 2924xl?????

Please help me!!!!!!!
 
You can't do this on a 2900XL (nor the 3500XL). The ACL's can only be used to restrict VTY access and SNMP etc. There are no filtering capabilities (except broadcast & multicast suppression) on this platform.

Minimum to apply ACL's to interfaces is a 2950.

Andy
 
You can't at a layer-2 level. If you put a router or layer-3 switch in the equation then you can restrict traffic on this easily with ACLs attached to interfaces. This would be at a Layer-3 (routing) level though. You cannot restrict traffic within the same broadcast domain (VLAN) with the 2900XL.

Andy
 
I did a post about connecting remote offices to the head office (which is VLAN'd) and granting specific server access to specific remote users and was told this can be done with ACLs .... I guess my nightmare just got worse :( dammit all

thank you for trying to help however
 
I just read your post regarding VLANs & Frame Relay - I assume this is the one you refer to?

OK. Your central site uses a Layer-3 Catalyst 4500. You currently have 10 VLAN's and you have ACLs applied restricting access between VLANs?

You have a FR WAN with 4 remote sites? You don't state how these currently connect, although you state that they must be on VLANs? Can't quite see the logic here but I'll continue. You say the routers are 2600 - how and where are these connected and how many are there?

It would seem that you probably have a routed WAN and what you want to achieve is to restrict what each of these remote FR sites can connect to at the Core site? If this is the case you need to build a list of source & destination IP networks/hosts etc that should be allowed and denied.

For example remote site A is subnet 10.10.10.0/24. At the central site you have a VLAN - VLAN#20 10.20.20.0/24, on this VLAN are 2 servers X (10.20.20.20) and Y (10.20.20.30). Users at the remote subnet need to access server X but NOT Y. From this information you would create an ACL as follows:

ip access-list extended Site-A-Restrictions
permit ip 10.10.10.0 0.0.0.255 host 10.20.20.20
deny ip 10.10.10.0 0.0.0.255 host 10.20.20.30
!
interface VLAN 20
ip address 10.20.20.1 255.255.255.0
ip access-group Site-A-Restrictions out

That is pretty simplified but you should get the idea. Once you have your list you can then create your ACL's and apply them. Bear in mind you can only have 1 inbound and 1 outbound IP ACL per interface so you will probably need to combine things. One other thing to understand is the implicit deny at the end of an ACL: this will stop any other traffic that doesn't explicitly match an entry in the ACL. You can override this default action by adding the line 'ip permit any any' to the end of the ACL.

Andy
 
I believe you should have a WAN router at your head office connecting different FR PVCs from remote offices. If you want to restrict server access from remote offices, or even restrict access between remote offices, then you need to apply ACL on your WAN router serial interfaces or sub-interfaces for your FR PVCs like this:

ip access-list extended to_server1n2
permit ip a.b.c.0 0.0.0.255 host w.x.y.z
permit ip a.b.c.0 0.0.0.255 host e.f.g.h
!
ip access-list extended from_server1n2
permit ip host w.x.y.z a.b.c.0 0.0.0.255
permit ip host e.f.g.h a.b.c.0 0.0.0.255
!
interface s0/0.1
description FR PVC to remote office 1 (a.b.c.0/24)
ip access-group to_server1n2 in
ip access-group from_server1n2 out
!
This will only provide access from remote office 1 LAN to server e.f.g.h and w.x.y.z. Any other traffic will be denied.

Of course if you are running dynamic routing protocols over the FR cloud then you also need to permit those routing protocols:

ip access-list extended to_server1n2
permit ip a.b.c.0 0.0.0.255 host w.x.y.z
permit ip a.b.c.0 0.0.0.255 host e.f.g.h
permit udp any any eq rip
permit igrp any any
permit eigrp any any
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
!
ip access-list extended from_server1n2
permit ip host w.x.y.z a.b.c.0 0.0.0.255
permit ip host e.f.g.h a.b.c.0 0.0.0.255
permit udp any any eq rip
permit igrp any any
permit eigrp any any
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
!

Omit those you don't need...
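The two posts above both hinge on the same ACL semantics: entries are checked top to bottom, the first match decides, and anything that matches nothing hits the implicit deny. The following Python evaluator is an added example (not code from the thread or from Cisco) that models exactly that for IOS-style extended ACL text. It replays Andy's Site-A-Restrictions list, shows what happens when a trailing catch-all is appended (written here in the IOS keyword order, `permit ip any any`), and shows why the previous post's routing-protocol entries are needed once the same kind of list sits on the WAN interface. All addresses, the packets, and the small port-name table (only `rip` and `bgp`) are constructed for the example.

```python
"""Added example: evaluator for Cisco IOS-style extended ACLs (first match wins, implicit deny)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names used in the thread; IOS resolves these to numbers itself (constructed subset).
PORT_NAMES = {"rip": 520, "bgp": 179}


@dataclass
class Packet:
    proto: str            # tcp, udp, ospf, eigrp, ... ("ip" is an ACL wildcard, not a packet protocol)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class AddrSpec:
    net: int              # address bits that must match
    mask: int             # 1-bits are significant: the inverse of the IOS wildcard mask
    port: Optional[int] = None

    def matches(self, ip: str, port: int) -> bool:
        addr = int(ipaddress.IPv4Address(ip))
        if (addr & self.mask) != (self.net & self.mask):
            return False
        return self.port is None or port == self.port


def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'; return (spec, next index)."""
    if tok[i] == "any":
        spec, i = AddrSpec(0, 0), i + 1
    elif tok[i] == "host":
        spec, i = AddrSpec(int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    else:
        net = int(ipaddress.IPv4Address(tok[i]))
        wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
        spec, i = AddrSpec(net, 0xFFFFFFFF & ~wildcard), i + 2
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        spec.port = int(p) if p.isdigit() else PORT_NAMES[p]
        i += 2
    return spec, i


@dataclass
class Entry:
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:   # protocol "ip" matches everything
            return False
        return self.src.matches(pkt.src, pkt.sport) and self.dst.matches(pkt.dst, pkt.dport)


def parse_acl(text: str):
    """Turn the permit/deny lines of an extended ACL into Entry objects, skipping header, '!' and blanks."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        entries.append(Entry(tok[0], tok[1], src, dst))
    return entries


def evaluate(entries, pkt: Packet) -> str:
    """First matching entry decides; no match at all is the implicit deny."""
    for e in entries:
        if e.matches(pkt):
            return e.action
    return "deny"


# Constructed ACL text: Andy's list, then the same list with routing permits, then with a catch-all.
SITE_A = """
ip access-list extended Site-A-Restrictions
 permit ip 10.10.10.0 0.0.0.255 host 10.20.20.20
 deny ip 10.10.10.0 0.0.0.255 host 10.20.20.30
!
"""
SITE_A_WITH_ROUTING = SITE_A + " permit udp any any eq rip\n permit ospf any any\n permit tcp any any eq bgp\n permit tcp any eq bgp any\n"
SITE_A_OPEN = SITE_A + " permit ip any any\n"


def decisions():
    """Run constructed packets through each ACL variant; returns {case: decision}."""
    acl, acl_rt, acl_open = parse_acl(SITE_A), parse_acl(SITE_A_WITH_ROUTING), parse_acl(SITE_A_OPEN)
    to_x = Packet("tcp", "10.10.10.5", "10.20.20.20", 40000, 445)   # remote user to server X
    to_y = Packet("tcp", "10.10.10.5", "10.20.20.30", 40001, 445)   # remote user to server Y
    to_z = Packet("tcp", "10.10.10.5", "10.20.20.40", 40002, 445)   # a host the list never mentions
    rip = Packet("udp", "10.10.10.1", "224.0.0.9", 520, 520)       # RIP update from the remote router
    return {
        "site_a_to_x": evaluate(acl, to_x),
        "site_a_to_y": evaluate(acl, to_y),
        "site_a_to_z_implicit_deny": evaluate(acl, to_z),
        "site_a_rip_dropped": evaluate(acl, rip),
        "routing_rip_permitted": evaluate(acl_rt, rip),
        "open_to_y_still_denied": evaluate(acl_open, to_y),
        "open_to_z_permitted": evaluate(acl_open, to_z),
    }


if __name__ == "__main__":
    for case, verdict in decisions().items():
        print(f"{case:28s} {verdict}")
```

Two things the run makes visible: the explicit `deny` for server Y keeps working even after a trailing `permit ip any any` because it sits earlier in the list, and the RIP update is dropped by Andy's list until a routing-protocol entry is added, which is the failure the previous post warns about. The model is stateless like a real IOS ACL, so on the serial sub-interface the return path from the servers still needs its own outbound list, as that post shows.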
 