cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2008
Views
10
Helpful
7
Replies

ACL on Cat2950

vantipov
Level 1
Level 1

I need to filter WWW traffic via ACL on my 2950. What I would like to do is say deny all WWW traffic accept for my intranet site. I can't seem to get passed the sequence of commands. Any suggestions? Vlad

7 Replies 7

lgijssel
Level 9
Level 9

You may have a problem with this. The 2950 is a layer2 switch. It does not check layer3 info in the packets that it forwards, the switch uses (layer2)mac adresses to make forwarding descisions. You can only do some L3 stuff on the mgmt interface but this will not suffice.

What you need is something like:

access-list 1xx permit ip 1.1.1.0 0.0.0.255 any eq http

int vlan 2

descr To Internet router

ip address y.y.y.y.

ip access-group 1xx out

This will only work on a layer3 switch or you may configure this on a router.

Regards,

Leo

Actually, it appears that you can do this with a 2950, much to my surprise. Take a look at the URL below:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950cr/cli1.htm#wp3460366

The biggest requirement is that you have a 2950 with an EI license. In the scenario described, the ACL would look something like:

access-list 100 permit tcp any host eq www

access-list 100 deny tcp any any eq www

access-list 100 permit ip any

Once you have the ACL built, you then need to associate it to a physical interface. This would look like:

interface FastEthernet0/1

ip access-group 100 in

Looking at the ACL and how it is applied to the interface, the first line allows any system that traffic passes through FastEthernet0/1 to communicate to the IP address of your Intranet webserver. The second line of the ACL denies all other www traffic. The third line of the ACL permits all remaining IP traffic. Without the third line, all traffic will be denied based on the implicit deny any any as the last line of all ACL's.

One other thing to consider would be if you are using HTTPS on your intranet site. If so, you will need to add an entry in the ACL that looks like:

access-list 100 permit tcp any host eq 443

access-list 100 deny tcp any any eq 443

These two additional entries should bee placed before the final line in the ACL. You will also need to place an entry for all IP addresses of your intranet webservers that you want to allow access to. Just repeat the same ACL entries adjusting for the IP's of your webservers. If all of your webservers are on a single subnet, you can replace the host with the subnet address by using 192.168.1.0 0.0.0.255 (I'm using this subnet as an example, replace with the appropriate one if applicable.)

You can also apply this ACL to multiple interfaces without having to define an ACL per interface unless you have different policies that you would like to apply.

HTH

Steve

Steve,

Thanks for your reply. Your ACL examples makes perfect sence, however I get an error message when I try to assign this ACL to any interface:

Cisco#conf t

Cisco(config)#int fa0/2

Cisco(config-if)#ip access-gr 100 in

%Error: The field sets of all the ACEs in an ACL on Ethernet interface should match.

Please refer to the Software Configuration Guide to understand one mask restriction for ACLs on Ethernet interface.

Hello,

can you post your access list 100 ? The error message means that you use different masks in the access control entries in your access list; the masks should all be the same.

HTH,

GP

This is the entry on the Cat2950. I have read the part that speaks about the same mask, but how do solve the filtering problem then.

**********************

access-list 100 permit tcp any host (example 192.168.10.5) eq www

access-list 100 deny tcp any any eq www

access-list 100 permit ip any any

**********************

Thank you for any suggestions.

Vlad

Vlad,

The line that is giving the error is:

access-list 100 deny tcp any any eq www

I've looked at the documentation for the limitation you are up against and have done some testing on a 2950 that I have and may have a solution for you.

If you are trying to restrict access to the Internet from the devices connected to the ports you are trying to apply the filter to, you can change the filter to allow communication to your subnets only and deny everything else. That ACL will look like:

access-list 100 permit ip any 192.168.10.0 0.0.0.255

access-list 100 permit ip any 192.168.11.0 0.0.0.255

access-list 100 deny ip any any

This will allow traffic to the example subnets 192.168.10.0/24 and 192.168.11.0/24. The final line is not required as it is implied and will deny all other IP traffic to any other IP address.

If you goal is to limit web traffic only, the only option that looks like it will work is to perform the filtering on a router or a firewall.

If I can help further, please let me know.

Steve

Thanks everyone for pitching in, everyone's answers have been very informative. Sounds like I need to stick to the router.

Vlad

Review Cisco Networking for a $25 gift card