06-12-2009 11:33 AM - edited 03-04-2019 05:06 AM
Hi!
I have a 24-port Cisco 3750 switch. Is it possible to configure any of its ports to allow only 3389, HTTP and HTTPS requests coming from the IP range 192.168.10.71 to 192.168.10.100, mask 255.255.255.0, and block all other ports and IP ranges?
Thanks!
06-12-2009 12:23 PM
Hi,
When you translate 71 and 100 into binary, it looks like:
71: 0100 0111
100: 0110 0100
Only the first two bits never change, so the closest range to 71-100 is 64-127. So it isn't worth playing with the wildcard mask.
The ACL with the minimum number of lines will be the one with one line per IP address of the range 71-100 and per TCP port (29x3=87 lines):
access-list 100 permit tcp host 192.168.10.x any eq 3389
access-list 100 permit tcp host 192.168.10.x any eq 80
access-list 100 permit tcp host 192.168.10.x any eq 443
with 71<=x<=100
You can then apply this ACL in input on the port of the switch:
HTH
Laurent.
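As an added example (not part of Laurent's post or the original thread), the script below generates the per-host ACL he describes and then goes a step further than the thread: it also splits 71-100 into the aligned blocks a wildcard mask can express (a mask can only cover a power-of-two aligned range, which is why a single 0.0.0.63 line would cover 64-127), and it checks both versions against the intended policy with a first-match evaluator that models the implicit deny. The ACL number 100, the function names and the extra probe ports (22, 8080) are my assumptions.

```python
"""Generate and check Cisco IOS extended ACLs for the 192.168.10.71-100 range.

Added example, not code from the original thread. Assumes the TCP ports
from the question; ACL number 100 and the helper names are hypothetical.
"""
import ipaddress

PORTS = (3389, 80, 443)                       # RDP, HTTP, HTTPS, as in the question
NETWORK = ipaddress.IPv4Network("192.168.10.0/24")
ALL_ONES = 0xFFFFFFFF


def wildcard_mask(prefixlen):
    """Cisco wildcard = bitwise inverse of the subnet mask (/29 -> 0.0.0.7)."""
    return str(ipaddress.IPv4Address(ALL_ONES >> prefixlen))


def per_host_acl(first, last, number=100):
    """One 'host' line per address per port: the list Laurent describes."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [f"access-list {number} permit tcp host {ipaddress.IPv4Address(n)} any eq {port}"
            for n in range(lo, hi + 1) for port in PORTS]


def wildcard_acl(first, last, number=100):
    """Same policy with the fewest aligned blocks (71/32, 72/29, 80/28, 96/30, 100/32)."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    lines = []
    for block in blocks:
        if block.prefixlen == 32:
            src = f"host {block.network_address}"
        else:
            src = f"{block.network_address} {wildcard_mask(block.prefixlen)}"
        lines += [f"access-list {number} permit tcp {src} any eq {port}" for port in PORTS]
    return lines


def parse_acl(lines):
    """Parse 'access-list N permit|deny tcp <src> any [eq PORT]' into tuples."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "tcp":
            raise ValueError(f"unsupported line: {line}")
        action = tok[2]
        if tok[4] == "host":
            base, wild, rest = tok[5], "0.0.0.0", tok[6:]
        elif tok[4] == "any":
            base, wild, rest = "0.0.0.0", "255.255.255.255", tok[5:]
        else:
            base, wild, rest = tok[4], tok[5], tok[6:]
        port = int(rest[2]) if len(rest) >= 3 and rest[1] == "eq" else None
        entries.append((action, int(ipaddress.IPv4Address(base)),
                        int(ipaddress.IPv4Address(wild)), port))
    return entries


def acl_permits(entries, src_ip, dst_port):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, base, wild, port in entries:
        # IOS wildcard semantics: bits set in the wildcard are "don't care".
        if (src ^ base) & (ALL_ONES ^ wild) == 0 and port in (None, dst_port):
            return action == "permit"
    return False


def permitted_set(lines, network=NETWORK, ports=(22, 80, 443, 3389, 8080)):
    """Every (source, port) pair the ACL lets through, over the whole /24."""
    entries = parse_acl(lines)
    return {(str(h), p) for h in network for p in ports if acl_permits(entries, str(h), p)}


def intended_set(first, last):
    """The policy the question asks for: range x allowed ports, nothing else."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return {(str(ipaddress.IPv4Address(n)), p) for n in range(lo, hi + 1) for p in PORTS}


if __name__ == "__main__":
    first, last = "192.168.10.71", "192.168.10.100"
    long_form, short_form = per_host_acl(first, last), wildcard_acl(first, last)
    print("\n".join(short_form))
    assert permitted_set(long_form) == permitted_set(short_form) == intended_set(first, last)
    # The single closest block (64-127, per the binary argument above) over-permits:
    # it also admits the 34 hosts in 64-70 and 101-127 on every allowed port.
    loose = [f"access-list 100 permit tcp 192.168.10.64 0.0.0.63 any eq {p}" for p in PORTS]
    print(len(permitted_set(loose) - intended_set(first, last)), "extra (host, port) pairs")
```

Whichever form you paste in, the `permitted_set` comparison is the check worth keeping: it walks every address of the /24 against the allowed ports plus a couple of ports that must stay closed, so an off-by-one in a wildcard or a forgotten block shows up as a set difference rather than as an exposed RDP port.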
06-12-2009 12:50 PM
Just to add to what Laurent said: you could also use VACLs (VLAN ACLs) / VLAN maps to control traffic contained within a VLAN. Laurent's configuration example would work between VLANs.
06-15-2009 11:29 PM
Can it be done from the Web Interface of the switch?
Thanks!
06-16-2009 05:07 AM
Sorry I'm a CLI guy ;-)
Laurent.