08-22-2018 06:11 PM
Hi,
I have a situation on a new site which has a Security System in place (DVR).
The business only wants 3 users/PCs to have access to the Security System.
How do I implement an ACL so that only 3 static IPs (3 users/PCs) can access the host IP (DVR)?
Can somebody please help with how I go about doing it?
Thanks,
Niraj
08-22-2018 11:11 PM
Since we do not know what switch it is, you can start with a simple ACL and build on it as you understand it.
access-list 102 permit ip userpcip1 mask host DVR
access-list 102 permit ip userpcip2 mask host DVR
access-list 102 permit ip userpcip3 mask host DVR
Apply the ACL to the interface where the DVR is connected:
interface gigabitethernet1/1
ip access-group 102 in
08-23-2018 04:31 PM
Hi Balaji,
Thanks for the config.
Switch is a WS-C2960X-24PS-L.
I have tried the configuration that you mentioned, but after applying the ACL I can't ping the machines (I am using 2 laptops as a trial).
Below is the config. I have left the configuration very basic as it's not in production.
Extended IP access list 102
10 permit ip 192.0.0.0 0.255.255.255 host 192.168.1.1
interface GigabitEthernet1/0/8
ip access-group 102 in
On int gi1/0/8 I have a laptop connected with a static IP of 192.168.1.1 (the host, i.e. the DVR, as a test).
Device 192.168.1.10 is another device that I want to only access 192.168.1.1.
It's a /24 network that I have applied on the switch. I have applied the inverse mask 0.255.255.255 in the configuration that you mentioned.
After applying this config to interface 8, both devices can't ping each other. If I remove the configuration it does work, which is obvious.
Am I missing something?
08-23-2018 06:39 PM
If you want to test in a lab environment, that is good to do before you do it in production.
Rather than using the whole /24 subnet, try /32.
Example (this means 192.168.1.10 is able to access 192.168.1.1; everything else is denied):
access-list 102 permit ip host 192.168.1.10 host 192.168.1.1
access-list 102 permit ip host 192.168.1.1 host 192.168.1.10
access-list 102 deny ip any any log
interface GigabitEthernet1/0/8
ip access-group 102 in
Once this is working, tweak it as you like, since it is a lab, and understand how the ACL works.
08-26-2018 05:43 PM
It did work as you mentioned.
In a similar manner, is it possible to create an ACL using MAC addresses instead of IPs?
The reason being, if the vendor changes the IP of the DVR then it will be exposed once again.
08-27-2018 01:01 AM
You can achieve it the same way as the above ACL; as long as you understand how the ACL is working in the above example, you can easily build one as per your dynamic requirements coming in the future.
Note: look at the command syntax for the IOS you are running and what that IOS supports.
08-27-2018 04:52 PM
Hi Balaji,
Thanks for the info.
I got the MAC ACL working as well.
I just have another question though.
Is it possible to have a MAC-based ACL where only Host A can communicate with the DVR and the DVR can't communicate back to Host A?
What I mean is, for example, Host A can only remote onto/ping etc. the DVR, and the DVR should not be able to do the inverse. Hope this makes sense.
To make this work I have applied the below ACL, but when I apply this ACL all communication stops, with no pings at all between both hosts.
mac access-list extended dvr
permit host 28d2.44e3.6b1e host 3c18.a00a.b3c5
The first host is a dummy user and the second host is the dummy DVR. With this ACL nothing works. But if I apply the below ACL, both hosts can communicate with each other, i.e. ping, UNC etc.
mac access-list extended dvr
permit host 28d2.44e3.6b1e host 3c18.a00a.b3c5
permit host 3c18.a00a.b3c5 host 28d2.44e3.6b1e
08-28-2018 12:38 AM
MAC-based access lists have some limitations compared to IP access lists.
I suggest reading the limitations on the Cisco site; they depend on the IOS and model of the device you are running.
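As an added example for this thread (not from the original posts and not Cisco code), the following Python model reproduces why the first 0.255.255.255 ACL broke the pings, why Balaji's two /32 permits fixed them, and why a single-direction MAC permit stops everything: a port ACL is stateless, checks entries top-down with an implicit deny at the end, and an ACL applied "in" on the DVR's port only inspects frames the DVR itself sends. The ACL lines are the ones posted above; the third host 192.168.1.20 and the assumption that each ACL is applied inbound on the DVR's port are my additions for the test.

```python
"""Stateless ACL evaluator for the IOS-style access lists quoted in this thread.

Added example written for this page; not Cisco code and not anything the
posters ran.  It models what an inbound port ACL does:
  * entries are checked top-down and the first match wins,
  * a packet that matches nothing hits the implicit deny at the end,
  * an ACL applied 'in' on the DVR's port only sees frames entering that
    port, i.e. frames the DVR sends; the user's requests arrive on another
    port and are not checked by it.
Assumption: every ACL below is applied 'in' on the DVR's port.  This is a
model of ACL semantics, not of any particular platform's TCAM behaviour.
"""
import ipaddress
import re
from dataclasses import dataclass

IP_ALL_ONES = 0xFFFFFFFF
MAC_ALL_ONES = 0xFFFFFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    src: tuple     # (value, wildcard) as integers; wildcard bits are don't-care
    dst: tuple


def to_int(addr):
    """Convert a dotted IPv4 address or a dotted IOS MAC (28d2.44e3.6b1e) to int."""
    if re.fullmatch(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}", addr):
        return int(addr.replace(".", ""), 16)
    return int(ipaddress.IPv4Address(addr))


def _operand(tokens, i, all_ones):
    """Parse 'host X', 'any', or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "host":
        return (to_int(tokens[i + 1]), 0), i + 2
    if tokens[i] == "any":
        return (0, all_ones), i + 1
    return (to_int(tokens[i]), to_int(tokens[i + 1])), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines, or the body
    lines of a 'mac access-list extended' ('permit|deny SRC DST')."""
    aces = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if toks[0] == "access-list":                       # numbered IP ACL
            action, all_ones, i = toks[2], IP_ALL_ONES, 4  # toks[3] is 'ip'
        else:                                              # MAC ACL body line
            action, all_ones, i = toks[0], MAC_ALL_ONES, 1
        if action not in ("permit", "deny"):
            raise ValueError(f"unrecognised line: {raw!r}")
        src, i = _operand(toks, i, all_ones)
        dst, i = _operand(toks, i, all_ones)               # trailing 'log' ignored
        aces.append(Ace(action, src, dst))
    return aces


def _match(operand, value):
    base, wildcard = operand
    return (value ^ base) & ~wildcard == 0


def evaluate(aces, src, dst):
    """Verdict for one packet: first match wins, implicit deny otherwise."""
    for ace in aces:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action
    return "deny"


def ping_works(acl_text, initiator, responder, dvr):
    """Do an echo request from initiator to responder and its reply both survive
    an ACL applied 'in' on the DVR's port?  Only the DVR-sourced frame of the
    exchange enters that port, so only that frame is filtered here."""
    aces = parse_acl(acl_text)
    for s, d in ((initiator, responder), (responder, initiator)):
        if s == dvr and evaluate(aces, to_int(s), to_int(d)) != "permit":
            return False
    return True


# ACLs as posted in the thread
FIRST_TRY = "access-list 102 permit ip 192.0.0.0 0.255.255.255 host 192.168.1.1"
BALAJI = """access-list 102 permit ip host 192.168.1.10 host 192.168.1.1
access-list 102 permit ip host 192.168.1.1 host 192.168.1.10
access-list 102 deny ip any any log"""
MAC_ONE_WAY = "permit host 28d2.44e3.6b1e host 3c18.a00a.b3c5"
MAC_BOTH = MAC_ONE_WAY + "\npermit host 3c18.a00a.b3c5 host 28d2.44e3.6b1e"

DVR, USER = "192.168.1.1", "192.168.1.10"
OTHER = "192.168.1.20"                          # constructed third host
USER_MAC, DVR_MAC = "28d2.44e3.6b1e", "3c18.a00a.b3c5"


def results():
    """Reproduce the outcomes reported in the thread, plus the one it asks about."""
    return {
        # 0.255.255.255 does permit the DVR as a source, but the reply's
        # destination is 192.168.1.10, not host 192.168.1.1: implicit deny
        "first_try_user_pings_dvr": ping_works(FIRST_TRY, USER, DVR, DVR),
        "balaji_user_pings_dvr": ping_works(BALAJI, USER, DVR, DVR),
        "balaji_other_pings_dvr": ping_works(BALAJI, OTHER, DVR, DVR),
        # stateless: the permit that lets the reply out also lets the DVR initiate
        "balaji_dvr_pings_user": ping_works(BALAJI, DVR, USER, DVR),
        "mac_one_way_user_pings_dvr": ping_works(MAC_ONE_WAY, USER_MAC, DVR_MAC, DVR_MAC),
        "mac_both_user_pings_dvr": ping_works(MAC_BOTH, USER_MAC, DVR_MAC, DVR_MAC),
        "mac_both_dvr_pings_user": ping_works(MAC_BOTH, DVR_MAC, USER_MAC, DVR_MAC),
    }


if __name__ == "__main__":
    for name, ok in results().items():
        print(f"{name:30s} {'works' if ok else 'blocked'}")
```

The last two MAC cases show the limit behind the one-way question: a reply from the DVR to Host A has exactly the same source and destination as a connection the DVR initiates to Host A, so a stateless IP or MAC ACL cannot permit one without the other. For TCP, extended IP ACLs have the `established` keyword (it matches segments with ACK or RST set, i.e. replies rather than new connections); whether a given switch supports it in a port ACL is platform-specific, so check the configuration guide for the model and IOS in use before relying on it.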
08-23-2018 10:15 PM
Hi Niraj,
My name is Ritesh Sharma from Cisco TAC.
In order to understand the issue better, please answer the questions below:
1. What is the switch model number?
2. How many VLANs have you created in the switch?
3. Are the DVR and the devices in separate VLANs or in the same VLAN?
4. How many devices are connected in that VLAN?
5. Do you want these 3 devices to be able to communicate with each other, or with any other device connected to the same VLAN, or not?
You can achieve this by creating 3 different ACL rules in the switch, allowing the IP address of the DVR as the destination IP and the 3 different source IPs of the users.
These 3 allow rules should be followed by a deny rule with the source IP as the network IP of the VLAN and the destination also the same (e.g. 192.168.1.0).
By creating this, no device will be able to communicate with another in the same VLAN; however, the 3 mentioned devices will be able to communicate with the DVR.
Please mark it as helpful if it resolves your issue.
Thanks and regards
Ritesh Sharma