
Access list applied to an ethernet port

john.wright
Level 3

I want to restrict access to a device on an ethernet port. I have the following very simple access list coded and applied on the port.

Extended IP access list 100
    10 permit ip 10.51.2.0 0.0.0.255 any

interface GigabitEthernet0/47
 description Link to Media recorders
 ip access-group 100 in
 no logging event link-status
 no snmp trap link-status
 spanning-tree portfast
FYI: the devices on this port are actually connected to a hub, which in turn is connected to port 47.

Only network 10.51.2.0 is to be permitted access to these devices. All others are to be denied.

However I find that this applied access list does nothing to restrict my local network 10.49 from accessing the devices on the port.

What am I doing wrong?

2nd question

If I wanted to allow just one IP from the 10.49 subnet access to this port what would I code?

Accepted Solution

hobbe
Level 7

OK, first let's go through this.

The access-list is to be applied to a switch.

A switch can forward many different types of protocol, not only IP; the access-list will not stop that.

Many people miss that small but quite important thing.

Second, the switch "normally" only accepts access-lists incoming towards the interface.

This means that if you add the access-list only on one interface it will only stop the traffic coming back; it will not stop e.g. UDP from being sent TO the devices.

In your case you are permitting all traffic from the devices you are to "defend", which, together with the second point above, means that no traffic is restricted, i.e. all traffic is allowed.

access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq www

allows the 192.168.1.0 network to enter the interface if the destination is 192.168.2.2 port 80.

So how can we help you with this?

Well,

we know that your devices are 10.51.2.220-223,

and you want to only allow the local site to access these video recorders but not the remote sites, with one exception: your IP, which is at 10.49.x.x.

So this is how I would do it:

access-list 100 permit ip host 10.51.2.220 10.51.2.0 0.0.0.255 log
access-list 100 permit ip host 10.51.2.221 10.51.2.0 0.0.0.255 log
access-list 100 permit ip host 10.51.2.222 10.51.2.0 0.0.0.255 log
access-list 100 permit ip host 10.51.2.223 10.51.2.0 0.0.0.255 log
access-list 100 permit ip host 10.51.2.220 host 10.49.x.x log
access-list 100 permit ip host 10.51.2.221 host 10.49.x.x log
access-list 100 permit ip host 10.51.2.222 host 10.49.x.x log
access-list 100 permit ip host 10.51.2.223 host 10.49.x.x log
access-list 100 deny ip any any log

You can also do it like this:

access-list 100 permit ip 10.51.2.220 0.0.0.255 10.51.2.0 0.0.0.255 log
access-list 100 permit ip 10.51.2.220 0.0.0.255 host 10.49.x.x log

Do not forget to add the access-list to the correct interface (ip access-group 100 in).
It's more specific to use the single host,
and I like specific, so that's how I would do it if need be.
However, this does NOT in any way, shape or form protect the units from much.
It only stops them from responding to traffic; the traffic still hits them, you only make the traffic disappear on the return.
If you want to know more about access-lists, check the command reference for your switch model and IOS version.
It's quite nice.
Good luck.
HTH

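The following Python is an added example, not code from this thread or from Cisco. It models first-match ACL evaluation with Cisco wildcard masks and an inbound-only port ACL on Gi0/47, to show why the original "permit ip 10.51.2.0 0.0.0.255 any" applied "in" restricts nothing and what the accepted answer's ACL changes. The admin address 10.49.1.5, the remote host 10.49.7.7, the local client 10.51.2.50 and the extra hub device 10.51.2.9 are assumed placeholders (the thread only gives 10.49.x.x); the model is IP-only, ignores protocol and port matching, and ignores the non-IP traffic hobbe mentions.

```python
"""Evaluate Cisco-style extended ACLs (IP only) against sample packets, to show how
an inbound port ACL on the recorder port behaves.  Added example; addresses other
than 10.51.2.220-223 and 10.51.2.0/24 are assumed placeholders."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == 0.0.0.0 255.255.255.255
HOST_WC = "0.0.0.0"                    # 'host a.b.c.d' == a.b.c.d 0.0.0.0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def cidr_to_wildcard(cidr: str) -> tuple[str, str]:
    """'10.51.2.0/24' -> ('10.51.2.0', '0.0.0.255'): the wildcard is the inverted netmask."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


@dataclass(frozen=True)
class Ace:
    action: str          # 'permit' or 'deny'
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


def port_acl_in(acl: list[Ace], src: str, dst: str, direction: str) -> str:
    """Model 'ip access-group <acl> in' as a port ACL on Gi0/47.

    Only frames entering the switch through the port (sent by the recorders behind
    the hub) are evaluated.  Frames the switch sends out of the port toward the
    recorders are never matched by an inbound port ACL."""
    if direction == "to_recorder":
        return "forwarded (not evaluated)"
    return evaluate(acl, src, dst)


# ACL from the question: everything sourced from 10.51.2.0/24 is permitted.
ORIGINAL_ACL = [Ace("permit", *cidr_to_wildcard("10.51.2.0/24"), *ANY)]

# ACL from the accepted answer.  The poster's admin address is given only as
# 10.49.x.x; 10.49.1.5 is an assumed placeholder for this example.
ADMIN_HOST = "10.49.1.5"
RECORDERS = ["10.51.2.220", "10.51.2.221", "10.51.2.222", "10.51.2.223"]
LOCAL_NET = cidr_to_wildcard("10.51.2.0/24")
HOBBE_ACL = (
    [Ace("permit", r, HOST_WC, *LOCAL_NET) for r in RECORDERS]
    + [Ace("permit", r, HOST_WC, ADMIN_HOST, HOST_WC) for r in RECORDERS]
    + [Ace("deny", *ANY, *ANY)]
)

# Constructed sample traffic: (src, dst, direction relative to the recorders).
PACKETS = [
    ("10.49.7.7",   "10.51.2.220", "to_recorder"),    # remote-site probe (assumed host)
    ("10.51.2.220", "10.49.7.7",   "from_recorder"),  # its reply
    ("10.51.2.220", ADMIN_HOST,    "from_recorder"),  # reply to the one allowed admin
    ("10.51.2.221", "10.51.2.50",  "from_recorder"),  # reply to a local-site client (assumed)
    ("10.51.2.9",   "10.49.7.7",   "from_recorder"),  # something else on the hub (assumed)
]


def compare(packets=PACKETS) -> list[tuple[str, str, str]]:
    """Return (packet label, result under ORIGINAL_ACL, result under HOBBE_ACL) per packet."""
    out = []
    for src, dst, direction in packets:
        label = f"{src} -> {dst} ({direction})"
        out.append((label,
                    port_acl_in(ORIGINAL_ACL, src, dst, direction),
                    port_acl_in(HOBBE_ACL, src, dst, direction)))
    return out


if __name__ == "__main__":
    for label, original, accepted in compare():
        print(f"{label:45} original: {original:26} accepted: {accepted}")
```

Run it directly to print the per-packet comparison. The column to look at is the first packet: traffic toward the recorders is forwarded under both ACLs, because an inbound port ACL never sees frames leaving the port; the accepted answer's ACL only changes which replies make it back out, which is exactly the caveat in hobbe's last paragraph.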

4 Replies

glen.grant
VIP Alumni

What is the address on the device on g0/47? I suspect you have it applied in the wrong direction.

Hi John,

Try configuring like below and see.

ip access-list extended 100
 permit ip 10.51.2.0 0.0.0.255 any
 deny ip any any

interface Gi0/47
 description Link to Media recorders
 ip access-group 100 in

And as glen asked, please give us the IP address of the device which is connected to interface Gi0/47.

Please rate if this helps you.

Regards,

Naidu.

The devices which are connected on the hub are 10.51.2.220-223.

I want to only allow the local site to access these video recorders but not the remote sites, with one exception: my IP, which is 10.49.x.x.

