
switching ACL help

Status
Not open for further replies.

pirateclem

Technical User
Feb 4, 2005
68
US
At my location I have a 4506/4507 pair at the core and 3550 edge switches. I have a client on one particular port which has a static IP. I would like to keep this client from running a network scanner. I cannot control what is installed on the client; it is in my network and has routes to everything. I figured if I could keep this client from passing SNMP and ICMP this will not be a problem. The 3550 that this client's port is on has a basic ACL configured which allows all traffic in this client's subnet to be passed, i.e.:
! standard ACL 10: a standard access-list matches on source address only
access-list 10 permit 10.1.1.0 0.0.0.255

So, if I put an extended ACL on to keep this one client from doing something it will not matter since extended ACLs begin at 100...correct?

! extended ACL 100: SNMP runs over UDP/161, so the deny has to be a udp line
access-list 100 deny udp host 10.1.1.5 any eq snmp

Basically no good, right? What else can I do? Can I limit traffic at the core switches? Routing between multiple VLANs is at the cores. Input?
 
I have not needed ACLs on my edge switches before. Guess I was confused. Set up the ACL today and figured out that I could apply it to a specific port. Anyone have an idea which protocols need to be blocked to stop a network scanner?
 
Your best bet would be to deny this host everything first and then open up only the network resources it needs.
 
What services does the user need? Find out what he actually needs to do his job (i.e. www, telnet, ftp, etc.) and then deny everything else. Then apply that list as an OUTBOUND access-group on his interface.

access-list 101 permit tcp host x.x.x.x any eq www
access-list 101 permit tcp host x.x.x.x any eq ftp
access-list 101 deny ip any any
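To see how the two lists discussed in this thread actually behave, here is a small model of Cisco-style ACL evaluation (an added example, not part of the thread or of IOS): rules are tested top-down, the first match decides, and anything unmatched falls to the implicit "deny ip any any" at the end of every IOS access-list. The host 10.1.1.5 and the 10.1.1.0 0.0.0.255 subnet are taken from the question; the sample packets, the destination 10.2.2.2 and the neighbour host 10.1.1.20 are constructed for the demonstration. It also adds a third variant that shows the caveat with putting "deny ip any any" on a shared VLAN interface: every other host in the VLAN is cut off too unless the rest of the subnet is explicitly permitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example, not from the thread: a tiny model of how a Cisco-style
# extended access-list is evaluated. Rules are tested top-down, the first
# match decides, and a packet that matches no rule hits the implicit
# "deny ip any any". IOS "any" is modelled as 0.0.0.0/0.


def wildcard_to_network(addr: str, wildcard: str):
    """Convert an IOS address/wildcard pair (10.1.1.0 0.0.0.255) to a network."""
    wc = int(ip_address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # Only a contiguous wildcard (0.0.0.255, 0.0.0.0, ...) maps onto a CIDR block.
    if ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF) != mask:
        raise ValueError("non-contiguous wildcard mask: %s" % wildcard)
    return ip_network((addr, prefix), strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: object                 # ip_network
    dst: object                 # ip_network
    dport: Optional[int] = None  # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # implicit deny at the end of every IOS access-list


HOST = ip_network("10.1.1.5/32")          # the restricted client from the question
ANY = ip_network("0.0.0.0/0")

# ACL 100 as first written in the question: a single tcp deny line. SNMP is
# UDP/161, so this line never matches an SNMP probe, and with no permit line
# at all the implicit deny drops everything else as well.
ACL_100 = [Rule("deny", "tcp", HOST, ANY, 161)]

# ACL 101 from the reply above: permit www and ftp, deny everything else.
ACL_101 = [
    Rule("permit", "tcp", HOST, ANY, 80),
    Rule("permit", "tcp", HOST, ANY, 21),
    Rule("deny", "ip", ANY, ANY),
]

# Variant for a shared VLAN interface: restrict only the one host and let the
# rest of the 10.1.1.0/24 subnet (from the question) pass.
ACL_101_VLAN = ACL_101[:2] + [
    Rule("deny", "ip", HOST, ANY),
    Rule("permit", "ip", wildcard_to_network("10.1.1.0", "0.0.0.255"), ANY),
]

# Constructed sample traffic from the restricted host and from a neighbour.
SAMPLE = {
    "http": Packet("tcp", "10.1.1.5", "10.2.2.2", 80),
    "snmp": Packet("udp", "10.1.1.5", "10.2.2.2", 161),
    "ping": Packet("icmp", "10.1.1.5", "10.2.2.2"),
    "neighbour_http": Packet("tcp", "10.1.1.20", "10.2.2.2", 80),
}


def decisions(acl: List[Rule]) -> dict:
    """Map each sample packet name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("ACL 100", ACL_100), ("ACL 101", ACL_101),
                       ("ACL 101 on VLAN", ACL_101_VLAN)):
        print(label, decisions(acl))
```

Running it shows ACL 100 denying every sample packet (a list with only deny lines permits nothing), ACL 101 permitting only the host's HTTP while also denying the neighbour, and the VLAN variant keeping the neighbour's traffic flowing while still blocking the one host's SNMP and ICMP.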

 
I spoke with Cisco today and the engineer stated that I had to apply the ACL to the VLAN interface that this client was a member of rather than to the port that the client is connected to. Does this sound right? I thought I could put an ACL on anything given: a.) the thing to apply the access list (group) to, b.) the access list, c.) the direction it is applied in. Input? I really thought I could make the access list say: access-list extended 100. Then apply it as access-group 100 in to fa 0/1, for instance. If I have the IP address correct for that client then the described traffic would not be able to enter that port on the switch from that client. Nip it in the bud rather than at the VLAN level. Am I right or wrong?
 
Actually, they are right. You can't apply an access-group to a switched interface, only a routed interface. You can apply it to the VLAN interface as an outbound list.
 
Ah. Well, the switch let me apply it; that's probably where I got confused. So do I apply it to VLAN X as an access-group on the edge switch or in one of the cores? VLAN 90 can be an interface on the edge, but will it work right?
 