Solved: Hi Julio,

gasparmenendez · ‎02-10-2017

Hi folks, I need to filter some ip addresses in a specific port of my Cisco 3750 Switch and want to see if that's possible. The scenario is as follow:

I have a bunch of channels coming from an AGB equipment and entering to the 3750 through interface gig 1/0/1 configured as access to vlan69. When I set int gig 1/0/2 to access vlan 69 and connect my laptop to that interface I can watch all channels with VLC. So far so good. Now, what I need is that in interface gig 1/0/2 be only some channels, not the whole bunch, is that possible??? I was thinking in an access list permiting only the channels I need and then ip access-group ACCESSLIST out, would that work???

Thanks in advance. BR

Julio E. Moisa · ‎02-14-2017

Hi

You can specify UDP ports or entire UDP traffic as well, if you are using a layer 2 port (switchport) you can only use IN.

But if you convert the port to Layer 3 (to be used with IP address) you can use IN and OUT.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎02-10-2017

Hi

You could use an access-list to filter the subnets or hosts, if they are inbound traffic you should use IN instead OUT way.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

gasparmenendez · ‎02-10-2017

Thank you very much Julio, tomorrow I´ll try that and post results.

BR.

Julio E. Moisa · ‎02-11-2017

Hi

You are welcome, please keep me posted.

Have a good day

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

gasparmenendez · ‎02-14-2017

I forgot to mention that is UDP traffic...what I'm sending are TV channels

Julio E. Moisa · ‎02-14-2017

Hi

You can specify UDP ports or entire UDP traffic as well, if you are using a layer 2 port (switchport) you can only use IN.

But if you convert the port to Layer 3 (to be used with IP address) you can use IN and OUT.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

gasparmenendez · ‎02-11-2017

sorry, didn't work....

first of all command ip access-group ACCESSLIST didn't accept out for outbound traffic...look here:

Sw-Video(config-if)#ip access-group AGUERRERO out
^
% Invalid input detected at '^' marker.

and the traffic I want to filter is outbound, for sure:

Sw-Video#show interface gigabitEthernet 1/0/5 | i rate
Queueing strategy: fifo
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 679588000 bits/sec, 62396 packets/sec

any ideas???

BR.

Julio E. Moisa · ‎02-15-2017

I would like to know what kind of device is connected to the switch on that interface. or do you have a topology?

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

gasparmenendez · ‎02-14-2017

I'll try to use the port as Layer 3 to see how it goes...

thanks a lot!!

gasparmenendez · ‎02-15-2017

Hi Julio,

can I specify ip addresses instead of ports??? I'm doing that already but is not working...

I placed a second switch connected to the first one. I'm sending tv channels from the first one to the second one, so in the second one I placed the filter for the inbound traffic, like this:

interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 69
switchport mode trunk
ip access-group AGUERRERO in

ip access-list standard AGUERRERO
permit 239.1.1.49
permit 239.1.1.25
deny any

but what I have going out in the first switch is exactly the same I'm receiving in the second one, check it out:

Sw-Video#show interfaces gigabitEthernet 1/0/5 | i rate
Queueing strategy: fifo
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 689264000 bits/sec, 63096 packets/sec

SWTelevision2#show interfaces gigabitEthernet 1/0/1 | i rate
Queueing strategy: fifo
5 minute input rate 689846000 bits/sec, 63151 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

this thing is driving me crazy....

Julio E. Moisa · ‎02-15-2017

Hi

Please execute:

show ip access-list AGUERRERO

do you have hits? Just a question, did you try with L3 ports? You can use port PACL on the trunk, it works on L2 interfaces and RACL works on L3 ports.

It could be useful:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.pdf

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

gasparmenendez · ‎02-15-2017

here's the output, but I don't know how to read it....????

SWTelevision2#show ip access-lists AGUERRERO
Standard IP access list AGUERRERO
    10 permit 239.1.1.49
    20 permit 239.1.1.25
    30 deny   any

sorry but I didn't try L3 ports, it seemed more complicated...

Julio E. Moisa · ‎02-15-2017

Try to use extended ACL

for exampel

ip access-list extended AGUERRERO-EXT
permit ip host 239.1.1.49 any
permit ip host 239.1.1.25 any
deny ip any any

Note: if you set up the deny ip any any, the access above of that will be allowed only so if you are going to permit other type of traffic please include them before the deny line.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

gasparmenendez · ‎02-15-2017

done!, but same o same o....

SWTelevision2#show ip access-lists AGUERRERO-EXT
Extended IP access list AGUERRERO-EXT
    10 permit ip host 239.1.1.49 any
    20 permit ip host 239.1.1.25 any
    30 deny ip any any

Julio E. Moisa · ‎02-15-2017

Could you please share your config?

Thank you in advance.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

3750 ip filtering