03-28-2005 02:49 PM - edited 03-05-2019 11:28 AM
I need to filter WWW traffic via ACL on my 2950. What I would like to do is deny all WWW traffic except for my intranet site. I can't seem to get past the sequence of commands. Any suggestions? Vlad
03-29-2005 12:56 AM
You may have a problem with this. The 2950 is a layer 2 switch. It does not check layer 3 info in the packets that it forwards; the switch uses (layer 2) MAC addresses to make forwarding decisions. You can only do some L3 stuff on the mgmt interface, but this will not suffice.
What you need is something like:
access-list 1xx permit tcp 1.1.1.0 0.0.0.255 any eq http
int vlan 2
descr To Internet router
ip address y.y.y.y.
ip access-group 1xx out
This will only work on a layer 3 switch, or you may configure this on a router.
Regards,
Leo
03-29-2005 07:32 AM
Actually, it appears that you can do this with a 2950, much to my surprise. Take a look at the URL below:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950cr/cli1.htm#wp3460366
The biggest requirement is that you have a 2950 with an EI license. In the scenario described, the ACL would look something like:
access-list 100 permit tcp any host
access-list 100 deny tcp any any eq www
access-list 100 permit ip any
Once you have the ACL built, you then need to associate it to a physical interface. This would look like:
interface FastEthernet0/1
ip access-group 100 in
Looking at the ACL and how it is applied to the interface, the first line allows any system whose traffic passes through FastEthernet0/1 to communicate with the IP address of your Intranet webserver. The second line of the ACL denies all other www traffic. The third line of the ACL permits all remaining IP traffic. Without the third line, all traffic will be denied based on the implicit deny any any as the last line of all ACLs.
One other thing to consider would be if you are using HTTPS on your intranet site. If so, you will need to add an entry in the ACL that looks like:
access-list 100 permit tcp any host
access-list 100 deny tcp any any eq 443
These two additional entries should be placed before the final line in the ACL. You will also need to place an entry for all IP addresses of your intranet webservers that you want to allow access to. Just repeat the same ACL entries, adjusting for the IPs of your webservers. If all of your webservers are on a single subnet, you can replace the host
You can also apply this ACL to multiple interfaces without having to define an ACL per interface unless you have different policies that you would like to apply.
HTH
Steve
03-29-2005 12:00 PM
Steve,
Thanks for your reply. Your ACL examples make perfect sense; however, I get an error message when I try to assign this ACL to any interface:
Cisco#conf t
Cisco(config)#int fa0/2
Cisco(config-if)#ip access-gr 100 in
%Error: The field sets of all the ACEs in an ACL on Ethernet interface should match.
Please refer to the Software Configuration Guide to understand one mask restriction for ACLs on Ethernet interface.
03-29-2005 12:30 PM
Hello,
can you post your access list 100 ? The error message means that you use different masks in the access control entries in your access list; the masks should all be the same.
HTH,
GP
03-30-2005 06:49 AM
This is the entry on the Cat2950. I have read the part that speaks about the same mask, but how do I solve the filtering problem then?
**********************
access-list 100 permit tcp any host (example 192.168.10.5) eq www
access-list 100 deny tcp any any eq www
access-list 100 permit ip any any
**********************
Thank you for any suggestions.
Vlad
03-30-2005 09:40 AM
Vlad,
The line that is giving the error is:
access-list 100 deny tcp any any eq www
I've looked at the documentation for the limitation you are up against and have done some testing on a 2950 that I have and may have a solution for you.
If you are trying to restrict access to the Internet from the devices connected to the ports you are trying to apply the filter to, you can change the filter to allow communication to your subnets only and deny everything else. That ACL will look like:
access-list 100 permit ip any 192.168.10.0 0.0.0.255
access-list 100 permit ip any 192.168.11.0 0.0.0.255
access-list 100 deny ip any any
This will allow traffic to the example subnets 192.168.10.0/24 and 192.168.11.0/24. The final line is not required as it is implied and will deny all other IP traffic to any other IP address.
If your goal is to limit web traffic only, the only option that looks like it will work is to perform the filtering on a router or a firewall.
If I can help further, please let me know.
Steve
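As an added illustration (not posted by anyone in this thread), the following Python script simulates first-match evaluation of the two ACLs discussed above, including the implicit deny at the end, so the difference between the www filter and the subnet filter can be checked against constructed sample packets. It models only protocol, destination address and destination port (source is "any" in every line on the page); the sample destination IPs are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

NAMED_PORTS = {"www": 80, "http": 80}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    dst: ipaddress.IPv4Network     # destination match
    dport: Optional[int]           # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse a numbered ACL line of the form used in the thread:
    access-list N <permit|deny> <proto> any <any|host X|A.B.C.D wildcard> [eq port]"""
    tok = line.split()
    action, proto = tok[2], tok[3]
    i = 5  # tok[4] is the source, 'any' in every line on this page
    if tok[i] == "any":
        dst, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        dst, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        # IOS wildcard mask is an inverted netmask; ipaddress accepts it as a hostmask
        dst, i = ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, dst, dport)


def evaluate(acl, proto: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """First matching ACE wins; falling off the end is the implicit 'deny any any'."""
    addr = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto) or addr not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Vlad's www filter (constructed intranet server 192.168.10.5) and Steve's subnet filter
WWW_ACL = [parse_ace(l) for l in (
    "access-list 100 permit tcp any host 192.168.10.5 eq www",
    "access-list 100 deny tcp any any eq www",
    "access-list 100 permit ip any any")]
SUBNET_ACL = [parse_ace(l) for l in (
    "access-list 100 permit ip any 192.168.10.0 0.0.0.255",
    "access-list 100 permit ip any 192.168.11.0 0.0.0.255")]  # explicit deny omitted on purpose
```

Note that in the www filter, HTTPS to an outside host (port 443) still falls through to the final permit, which is the gap Steve's second set of entries closes.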
03-31-2005 11:32 AM
Thanks everyone for pitching in, everyone's answers have been very informative. Sounds like I need to stick to the router.
Vlad