01-23-2015 09:46 AM - edited 03-07-2019 10:21 PM
I have a 3560 switch and want to configure a standard ACL to permit one host and deny everything else.
I used these commands but could not get the required result:
access-list 15 permit host X.X.X.X
access-list 15 deny any
Applied to the FastEthernet interface:
ip access-group 15 in
This ACL does not work. I require only one website's traffic to be permitted and everything else denied. Please help me: how can I permit only one website?
01-23-2015 10:20 AM
This would only affect traffic sourced from the switch, not the clients connected to it. Create the ACL on the switch that has the SVI for the clients.
01-24-2015 04:32 AM
Can you explain how to create the ACL on the switch that has the SVI for the clients, with an example or any web link that explains this?
01-24-2015 05:29 AM
Can you be more specific about what you are trying to do?
I can guess that you have a client attached to a port on a switch and you only want this client to be able to go to one web site using http/https.
But that is just a guess.
If that is right then you can either -
1) use an ACL on the port as you have done, although your ACL is wrong
or
2) use an ACL on the SVI for the VLAN that client is in, as Collin suggests.
Either would work.
However, we need more details. For example, if the client uses DHCP then you need to allow that as well, otherwise it won't get an IP address.
If you don't tell us exactly what you are trying to do we cannot help you.
Jon
01-24-2015 06:07 AM
Hi,
here are the details of my query; they will help you understand the scenario.
I have two switches (IP 10.110.96.3, 10.110.96.4) which are located in a lab, and we want to conduct an exam. During the exam we require only one website, e.g. (http://www.engro.com/), to be permitted and everything else blocked/denied. All clients get their IP from the DHCP server and we have a specific VLAN for the labs.
Now please suggest what will be the best way for me.
01-24-2015 06:35 AM
Sorry, but it's still not clear.
Is the DHCP server in the client VLAN?
Is it for all clients that you want to only allow traffic to that one web site?
Where are the SVIs for the VLAN(s)? I.e. an SVI is the "interface vlan x" on an L3 switch.
Or are the VLANs routed on a router?
Where is the internet connection?
All of the above is needed to tell you how to fix your problem.
By the way, with ACLs you will be blocking on the web site IP address; do you have that?
Jon
01-24-2015 07:25 AM
No, the DHCP server (VLAN 99) is not in the client VLAN (VLAN 96); the clients have their own separate VLAN.
We also have a separate lab VLAN and 8 switches in the labs, but I want to allow one website's traffic only on 2 switches; that's why I am trying to configure an ACL on only two switches.
VLANs are routed on the L3 switch.
Please see the configuration of the access-level switch; it will help to understand.
!
! Last configuration change at 17:30:56 PST Thu Nov 22 2012
! NVRAM config last updated at 19:48:13 PST Thu Nov 22 2012
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname 4th_Floor_Sw
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$BZ8k$lfbY6ShaBWU/FYayZ4AEx0
!
aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authentication enable default none
!
!
!
aaa session-id common
clock timezone PST 5
system mtu routing 1500
ip subnet-zero
!
!
ip dhcp snooping vlan 1,101-113
no ip dhcp snooping information option
ip dhcp snooping database flash:/snoopdb.inf
ip dhcp snooping
ip arp inspection vlan 1,101-113
!
!
crypto pki trustpoint TP-self-signed-2011667456
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2011667456
revocation-check none
rsakeypair TP-self-signed-2011667456
!
!
!
!
macro global description cisco-global
!
!
!
errdisable recovery cause link-flap
errdisable recovery cause arp-inspection
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
description IP Camera
switchport access vlan 107
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
ip verify source
!
interface FastEthernet0/2
switchport access vlan 103
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
ip verify source
!
interface FastEthernet0/3
switchport access vlan 101
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
ip verify source
!
interface FastEthernet0/4
switchport access vlan 101
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
ip verify source
!
interface FastEthernet0/5
switchport access vlan 105
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
ip verify source
!
!
!
!
!!
!
!!
interface FastEthernet0/45
switchport access vlan 103
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
ip verify source
!
interface FastEthernet0/46
description IP Camera
switchport access vlan 107
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection trust
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
!
interface FastEthernet0/47
description Lenel Controller
switchport access vlan 107
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection trust
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
!
interface FastEthernet0/48
description IP_Camera
switchport access vlan 107
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection trust
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
switchport mode trunk
ip arp inspection trust
macro description cisco-switch
ip dhcp snooping trust
!
interface GigabitEthernet0/2
switchport mode trunk
ip arp inspection trust
macro description cisco-switch
ip dhcp snooping trust
!
interface GigabitEthernet0/3
switchport mode trunk
ip arp inspection trust
macro description cisco-switch
ip dhcp snooping trust
!
interface GigabitEthernet0/4
switchport mode trunk
ip arp inspection trust
macro description cisco-switch
ip dhcp snooping trust
!
interface Vlan1
ip address 10.110.120.10 255.255.248.0
no ip route-cache
!
ip default-gateway 10.110.120.1
ip http server
ip http secure-server
ip tacacs source-interface Vlan1
access-list 99 permit 10.101.88.80
access-list 99 permit 10.101.88.90
access-list 99 permit 10.99.0.217
access-list 99 permit 10.99.0.218
access-list 99 permit 10.200.100.0 0.0.0.255
access-list 99 permit 10.110.0.0 0.0.255.255
access-list 99 deny any log
snmp-server community lums_3560_SNMP RO
snmp-server location SDSB_Building
snmp-server contact Network Administrator
tacacs-server host 10.99.0.182 key 7 113D180636071F044A7B7974
tacacs-server directed-request
!
control-plane
!
!
line con 0
password 7 107A0C153A24051F2C577F7D7466626772
line vty 0 4
access-class 99 in
password 7 03305E07393C36586E5A4C53475C5A5E54
line vty 5 15
password 7 073B2440713A0E1137415E5A54647A7678
!
ntp authentication-key 100 md5 070334415D2A150A1419 7
ntp authenticate
ntp trusted-key 100
ntp clock-period 36028932
ntp server 172.25.150.1
end
01-24-2015 07:25 AM
Okay, thanks for that.
So one last question.
Is it for all clients in VLAN 96 that you want to apply the ACL?
Jon
01-24-2015 07:31 AM
Yes, all clients are in VLAN 96.
01-24-2015 07:53 AM
Add this configuration to your L3 switch, i.e. the one with "int vlan 96" on it.
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit tcp any host x.x.x.x eq http <-- where x.x.x.x is the web site IP
access-list 101 permit tcp any host x.x.x.x eq https
access-list 101 deny ip any any
int vlan 96 <-- on L3 switch
ip access-group 101 in
Things to note -
1) The first line is for DHCP. Some people have reported issues with it working, so if it doesn't, let me know and I can provide an alternative.
2) You need "any" in the first line because the client doesn't have an IP yet.
For the other lines I have used "any" because I don't know what the IP subnet of VLAN 96 is. If you want to, you can replace the "any" with the IP subnet and wildcard mask, but only for lines 2, 3 & 4.
3) This will apply to all clients in VLAN 96. If you only want it for some clients then you need to apply the ACL at the port level and not on the SVI.
Jon
01-24-2015 08:33 AM
Thanks for helping, but I have some confusion; kindly clear it up.
First of all, I do not want to apply the ACL to the whole of VLAN 96.
Secondly, I have a distribution switch (Layer 3); its IP is 10.110.96.1 255.255.255.240,
and the clients are connected to Layer 2 switches with IPs 10.110.96.2 255.225.225.240 & 10.110.96.3 255.225.225.240, and I want to allow host 98.129.229.186 (an HTTP website).
The Layer 2 switches are connected to the Layer 3 switch on interfaces 5 and 6.
Kindly write the ACL according to this scenario.
01-24-2015 12:11 PM
Can you answer this question?
Are you trying to stop some clients from accessing anything other than that web server?
If yes, then I have already told you what to do in my last post; you just need to read it again (see point 3).
If no, then please explain very clearly exactly what you are trying to do.
Jon
02-03-2015 09:07 AM
Thanks for the help; my issue was resolved with this ACL:
10 permit ip any host 110.93.218.154
15 permit ip any host 98.129.229.186 log
20 permit ip any host 10.99.0.1
30 permit ip any host 10.99.0.17
40 permit ip any host 10.99.0.155
45 permit ip any host 10.99.0.157
50 permit ip any host 10.99.0.169
60 permit ip any 10.101.88.0 0.0.0.15
70 permit ip any host 10.101.88.1
80 deny ip any any (76 matches)
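Added example, not code from this thread, from Jon, or from Cisco: a small Python first-match evaluator for the IOS ACL syntax quoted above. It parses the original poster's standard ACL, Jon's extended ACL 101 and a subset of the final ACL exactly as they appear in the thread, then runs constructed inbound packets through each. It shows why the standard ACL on the access port denied everything (inbound on that port the source address is the client, so "permit host <website>" can never match), why the bootpc/bootps entry is needed for a client that has no address yet, and how a 0.0.0.15 wildcard matches a /28. Assumptions: the X.X.X.X placeholders are replaced with 98.129.229.186 from later in the thread, the client address 10.110.96.10 and the destination 203.0.113.10 are constructed, and the model covers inbound filtering only, with no connection state and only the "eq" port operator.

```python
import re
from collections import namedtuple
from typing import Optional, Tuple

PORT_NAMES = {"http": 80, "www": 80, "https": 443, "bootpc": 68, "bootps": 67}
PROTOS = {"ip", "tcp", "udp", "icmp"}
DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))
# src/dst are (network, wildcard) pairs; a port of None means "not checked".
Ace = namedtuple("Ace", "action proto src sport dst dport")

def ip2int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def addr_match(spec: Tuple[int, int], addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    return ((ip2int(addr) ^ net) & (~wild & 0xFFFFFFFF)) == 0

def ace_matches(ace: Ace, p: Packet) -> bool:
    return (ace.proto in ("ip", p.proto)  # "ip" matches every protocol
            and addr_match(ace.src, p.src) and addr_match(ace.dst, p.dst)
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport))

def _take_addr(tokens: list) -> Tuple[int, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard ACL, wildcard 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (ip2int(tokens.pop(0)), 0)
    wild = ip2int(tokens.pop(0)) if tokens and DOTTED.match(tokens[0]) else 0
    return (ip2int(tok), wild)

def _take_port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq PORT'; gt/lt/range operators are not modelled."""
    if tokens and tokens[0] == "eq":
        _, name = tokens.pop(0), tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_ace(line: str) -> Ace:
    """Parse one entry as typed ('access-list 101 permit ...') or as displayed ('10 permit ...')."""
    line = re.split(r"<--|\(\d+ matches\)", line)[0]          # drop annotations and hit counters
    line = re.sub(r"^\s*(access-list \d+|\d+)\s+", "", line)  # drop list number / sequence number
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] in PROTOS:  # extended: proto src [eq p] dst [eq p]
        proto = tokens.pop(0)
        src, sport = _take_addr(tokens), _take_port(tokens)
        dst, dport = _take_addr(tokens), _take_port(tokens)
    else:  # standard: source address only, any protocol, any destination
        proto, src, sport, dst, dport = "ip", _take_addr(tokens), None, ANY, None
    return Ace(action, proto, src, sport, dst, dport)

def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.action
    return "deny"

# The original poster's standard ACL, inbound on the client's access port;
# X.X.X.X replaced by 98.129.229.186 from later in the thread (assumption).
STANDARD_15 = [parse_ace(l) for l in [
    "access-list 15 permit host 98.129.229.186",
    "access-list 15 deny any"]]
# Jon's extended ACL 101 for "int vlan 96", with the same substitution.
EXTENDED_101 = [parse_ace(l) for l in [
    "access-list 101 permit udp any eq bootpc any eq bootps",
    "access-list 101 permit tcp any host 98.129.229.186 eq http <-- where x.x.x.x is the web site IP",
    "access-list 101 permit tcp any host 98.129.229.186 eq https",
    "access-list 101 deny ip any any"]]
# A subset of the ACL reported as working, pasted as the show output displays it.
FINAL_SUBSET = [parse_ace(l) for l in [
    "10 permit ip any host 110.93.218.154",
    "15 permit ip any host 98.129.229.186 log",
    "60 permit ip any 10.101.88.0 0.0.0.15",
    "80 deny ip any any (76 matches)"]]

# Constructed inbound traffic from one lab client; 10.110.96.10 and 203.0.113.10 are illustrative.
SAMPLES = {
    "dhcp": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),  # DHCP discover
    "site": Packet("tcp", "10.110.96.10", "98.129.229.186", 51000, 80),
    "other": Packet("tcp", "10.110.96.10", "203.0.113.10", 51001, 80),
    "lab_net": Packet("tcp", "10.110.96.10", "10.101.88.7", 51002, 445),
}

def demo() -> dict:
    """Verdict of each ACL for each sample packet, keyed by ACL name then packet name."""
    acls = {"standard_15": STANDARD_15, "extended_101": EXTENDED_101, "final_subset": FINAL_SUBSET}
    return {name: {k: evaluate(acl, p) for k, p in SAMPLES.items()} for name, acl in acls.items()}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Running it shows "standard_15" denying all four packets, "extended_101" permitting only the DHCP discover and the connection to 98.129.229.186, and "final_subset" permitting the web site plus the 10.101.88.0 0.0.0.15 range. The final subset has no bootpc/bootps entry, so the evaluator denies the DHCP discover; the thread does not say where that ACL was applied or how the lab clients kept getting addresses, so that is a point to check against your own setup rather than a defect in the posted list.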
02-16-2015 03:26 AM
Hi,
How can I make the ACL below work automatically according to a given schedule, which is every Friday from 8:00 am to 11:00 am for 4 months, while the time-range is not working?
Someone asked me whether it is possible through the CACTI backup tool. If this is possible, then how?
10 permit ip any host 110.93.218.154
15 permit ip any host 98.129.229.186 log
20 permit ip any host 10.99.0.1
30 permit ip any host 10.99.0.17
40 permit ip any host 10.99.0.155
45 permit ip any host 10.99.0.157
50 permit ip any host 10.99.0.169
60 permit ip any 10.101.88.0 0.0.0.15
70 permit ip any host 10.101.88.1
80 deny ip any any (76 matches)