ACL for Layer 2 Switch

kalia1251
Level 1

Hi,

 

I have a situation on a new site which has a Security System in place (DVR).

 

Business only wants 3 users/pc's to have access to the Security System.

 

How do I implement an ACL so that only 3 static IPs (3 users/PCs) can access the host IP (DVR)?

 

Can somebody please help me with how I go about doing it?

 

Thanks,

 

Niraj 

8 Replies

balaji.bandi
Hall of Fame

 

Since we do not know what switch it is, you can start with a simple ACL and build on it as you understand it.

 

access-list 102 permit ip userpcip1 mask host DVR
access-list 102 permit ip userpcip2 mask host DVR
access-list 102 permit ip userpcip3 mask host DVR

 

Apply the ACL to the interface where the DVR is connected:

interface gigabitethernet1/1
ip access-group 102 in

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

 

Thanks for the config.

 

Switch is a WS-C2960X-24PS-L.

I have tried the configuration that you mentioned, but after applying the ACL I can't ping the machines (I am using 2 laptops as a trial).

 

Below is the config. I have left the configuration very basic as it's not in production.

Extended IP access list 102
10 permit ip 192.0.0.0 0.255.255.255 host 192.168.1.1

interface GigabitEthernet1/0/8
ip access-group 102 in

 

On int gi1/0/8 I have a laptop connected with a static IP 192.168.1.1 (the host, i.e. the DVR, as a test).

Device 192.168.1.10 is another device that I want to be the only one able to access 192.168.1.1.

 

It's a /24 network that I have applied on the switch. I have applied the inverse mask 0.255.255.255 in the configuration that you mentioned.

 

After applying this config to interface 8, both devices can't ping each other. If I remove the configuration it does work, which is obvious.

 

Am I missing something?

If you want to test in a lab environment, that is good before you do it in production.

 

Rather than using the whole /24 subnet, try /32.

 

Example (this means 192.168.1.10 is able to access 192.168.1.1; all the rest is denied):

 

access-list 102 permit ip host 192.168.1.10 host 192.168.1.1
access-list 102 permit ip host 192.168.1.1 host 192.168.1.10
access-list 102 deny ip any any log

interface GigabitEthernet1/0/8
ip access-group 102 in

 

Once this is working, tweak it as you like, since it is a lab, and understand how the ACL works.

BB


It did work as you have mentioned.

 

In a similar manner, is it possible to create an ACL using a MAC address instead of an IP?

 

The reason being that if the vendor changes the IP of the DVR, then it will be exposed once again.

 

 

You can achieve it the same way as the above ACL, as long as you understand how the ACL is working with the above example. You can build one easily as per your dynamic requirements coming in the future.

 

Note: look at the command syntax based on the IOS you are running and what that IOS supports.

 

BB


Hi Balaji,

Thanks for the info.

 

I got the MAC ACL working as well.

Just have another question though.

 

Is it possible to have a MAC-based ACL where only Host A can communicate with the DVR and the DVR can't communicate back to Host A?

What I mean is, for example, Host A can only remote onto/ping etc. the DVR, and the DVR should not be able to do the inverse. Hope this makes sense.

 

To make this work I have applied the below ACL, but when I apply this ACL all the communication stops; no pings at all between both the hosts.

 

 

mac access-list extended dvr

permit host 28d2.44e3.6b1e host 3c18.a00a.b3c5

 

The first host is a dummy user and the second host is the dummy DVR. With the ACL nothing works. But if I apply the below ACL both the hosts can communicate with each other, i.e. ping, UNC etc.

 

mac access-list extended dvr

permit host 28d2.44e3.6b1e host 3c18.a00a.b3c5

permit host 3c18.a00a.b3c5 host 28d2.44e3.6b1e
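The behaviour seen in the IP ACL test earlier in the thread and in the MAC ACL test above, as an added example that is not part of the thread: a small Python model of IOS first-match ACL evaluation with wildcard masks and the implicit deny at the end of every ACL. It assumes the ACL is applied inbound on the DVR-facing port (as in the configs posted), so only frames the DVR sends are filtered, and it evaluates every frame on its own, which is why a single one-direction entry (IP or MAC) drops the DVR's replies; platform-specific MAC ACL limitations are not modelled.

```python
import ipaddress

def parse_addr(toks):
    """Consume one IOS address spec: 'any', 'host X', or 'X wildcard'."""
    if toks[0] == "any":
        return (None, None), toks[1:]
    if toks[0] == "host":
        return (toks[1], None), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_ace(line):
    """Parse 'permit ip ...' (IP ACL) or 'permit host ... host ...' (MAC ACL)."""
    toks = line.split()
    action = toks[0]
    toks = toks[2:] if toks[1] == "ip" else toks[1:]   # IP ACEs carry a protocol
    src, toks = parse_addr(toks)
    dst, _ = parse_addr(toks)                            # trailing 'log' ignored
    return action, src, dst

def matches(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match exactly."""
    if base is None:                   # 'any'
        return True
    if wildcard is None:               # 'host' (IP or MAC): exact match
        return addr == base
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def verdict(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in map(parse_ace, acl):
        if matches(src, sb, sw) and matches(dst, db, dw):
            return action
    return "deny"

def ping_succeeds(acl, pc, dvr):
    """Port ACL applied 'in' on the DVR port only sees frames the DVR sends.
    The PC's echo request enters on another port and is never filtered;
    the DVR's echo reply (src=DVR, dst=PC) is, so it decides the outcome."""
    return verdict(acl, dvr, pc) == "permit"

# ACLs quoted from the thread
NIRAJ_ACL = ["permit ip 192.0.0.0 0.255.255.255 host 192.168.1.1"]
BALAJI_ACL = ["permit ip host 192.168.1.10 host 192.168.1.1",
              "permit ip host 192.168.1.1 host 192.168.1.10",
              "deny ip any any log"]
MAC_ONE_WAY = ["permit host 28d2.44e3.6b1e host 3c18.a00a.b3c5"]
MAC_BOTH = MAC_ONE_WAY + ["permit host 3c18.a00a.b3c5 host 28d2.44e3.6b1e"]
```

Running `ping_succeeds(NIRAJ_ACL, "192.168.1.10", "192.168.1.1")` returns False because the DVR's reply (src 192.168.1.1, dst 192.168.1.10) matches no permit entry, while `BALAJI_ACL` and `MAC_BOTH` return True only for the paired hosts.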

MAC-based access lists have some limitations compared to IP access lists.

 

I suggest reading the limitations on the Cisco site; it depends on the IOS and model of the device you are running.

 

BB


riteshsh
Cisco Employee

Hi Niraj,

 

My name is Ritesh Sharma from Cisco TAC.

 

In order to understand the issue better, please answer the below questions:

 

1. Mention the switch model number.

2. How many VLANs have you created in the switch?

3. Are the DVR and the devices in separate VLANs or in the same VLAN?

4. How many devices are connected in that VLAN?

5. Do you want these 3 devices to be able to communicate with each other or any other device connected to the same VLAN or not?

 

You can achieve the same by creating 3 different ACL rules in the switch, allowing the destination IP as the IP address of the DVR and 3 different source IPs of the users.

These 3 allow rules should be followed by a deny rule with the source IP as the network IP of the VLAN, and the destination should also be the same (e.g. 192.168.1.0).

 

By creating the same, no device will be able to communicate with any other in the same VLAN; however, the 3 mentioned devices will be able to communicate with the DVR.

 

Please mark it as helpful if it resolves your issue.

 

Thanks and regards

Ritesh Sharma