ACL on Layer 2 Switch

ghulam mustafa
Level 1

I have a 3560 switch and want to configure a standard ACL to permit a host and deny everything else.

I used these commands but could not get the required result:

 

access-list 15 permit host X.X.X.X 

access-list 15 deny any

Apply to interface fastethernet

 

ip access-group 15 in

 

This ACL does not work. I need to permit only one website's traffic and deny everything else. Please help me with how I can permit only one website.

13 Replies

Collin Clark
VIP Alumni

This would only affect traffic sourcing from the switch, not the clients connected to it. Create the ACL on the switch that has the SVI for the clients.

Can you explain how to create an ACL on the switch that has the SVI for the clients, with an example or any web link which explains this?

Can you be more specific about what you are trying to do?

I can guess that you have a client attached to a port on a switch and you only want this client to be able to go to one web site using http/https.

But that is just a guess.

If that is right then you can either -

1) use an acl on the port as you have done although your acl is wrong

or

2) use an acl on the SVI for the vlan that client is in as Collin suggests.

Either would work.

However, we need more details. For example, if the client uses DHCP then you need to allow that as well, otherwise it won't get an IP address.

If you don't tell us exactly what you are trying to do we cannot help you.

Jon

 

Hi,

This is the detail of my query; it will help you to understand the scenario.

I have two switches (IP 10.110.96.3, 10.110.96.4) which are located in a lab, and we want to conduct an exam. During the exam we require only one website, e.g. (http://www.engro.com/), to be permitted and everything else blocked/denied. All clients get an IP from the DHCP server and we have a specific VLAN for labs.

Now suggest what will be the best way for me.

Sorry, but it's still not clear.

Is the DHCP server in the client vlan?

Is it for all clients that you want to only allow traffic to that one web site?

Where are the SVIs for the vlan(s), ie. an SVI is the "interface vlan x" on a L3 switch?

Or are the vlans routed on a router?

Where is the internet connection?

All of the above is needed to tell you how to fix your problem.

By the way, with acls you will be blocking on the web site IP address; do you have that?

Jon

No, the DHCP server (VLAN 99) is not in the client VLAN (VLAN 96); the clients have their own separate VLAN.

We have a separate lab VLAN as well and have 8 switches in the labs, but I want to allow only one website's traffic on 2 switches; that's why I am trying to configure an ACL on only two switches.

VLANs are routed on the L3 switch.

Please see the configuration of the access-level switch; it will help to understand.

!
! Last configuration change at 17:30:56 PST Thu Nov 22 2012
! NVRAM config last updated at 19:48:13 PST Thu Nov 22 2012
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname 4th_Floor_Sw
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$BZ8k$lfbY6ShaBWU/FYayZ4AEx0
!
aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authentication enable default none
!
!
!
aaa session-id common
clock timezone PST 5
system mtu routing 1500
ip subnet-zero
!
!
ip dhcp snooping vlan 1,101-113
no ip dhcp snooping information option
ip dhcp snooping database flash:/snoopdb.inf
ip dhcp snooping
ip arp inspection vlan 1,101-113
!
!
crypto pki trustpoint TP-self-signed-2011667456
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2011667456
 revocation-check none
 rsakeypair TP-self-signed-2011667456
!
!
!
!
macro global description cisco-global
!
!
!
errdisable recovery cause link-flap
errdisable recovery cause arp-inspection
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
 description IP Camera
 switchport access vlan 107
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 ip verify source
!
interface FastEthernet0/2
 switchport access vlan 103
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 ip verify source
!
interface FastEthernet0/3
 switchport access vlan 101
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 ip verify source
!
interface FastEthernet0/4
 switchport access vlan 101
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 ip verify source
!
interface FastEthernet0/5
 switchport access vlan 105
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 ip verify source
!

!

!

!

!!
!
!!
interface FastEthernet0/45
 switchport access vlan 103
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 ip verify source
!
interface FastEthernet0/46
 description IP Camera
 switchport access vlan 107
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection trust
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
interface FastEthernet0/47
 description Lenel Controller
 switchport access vlan 107
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection trust
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
interface FastEthernet0/48
 description IP_Camera
 switchport access vlan 107
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection trust
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip arp inspection trust
 macro description cisco-switch
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode trunk
 ip arp inspection trust
 macro description cisco-switch
 ip dhcp snooping trust
!
interface GigabitEthernet0/3
 switchport mode trunk
 ip arp inspection trust
 macro description cisco-switch
 ip dhcp snooping trust
!
interface GigabitEthernet0/4
 switchport mode trunk
 ip arp inspection trust
 macro description cisco-switch
 ip dhcp snooping trust
!
interface Vlan1
 ip address 10.110.120.10 255.255.248.0
 no ip route-cache
!
ip default-gateway 10.110.120.1
ip http server
ip http secure-server
ip tacacs source-interface Vlan1
access-list 99 permit 10.101.88.80
access-list 99 permit 10.101.88.90
access-list 99 permit 10.99.0.217
access-list 99 permit 10.99.0.218
access-list 99 permit 10.200.100.0 0.0.0.255
access-list 99 permit 10.110.0.0 0.0.255.255
access-list 99 deny   any log
snmp-server community lums_3560_SNMP RO
snmp-server location SDSB_Building
snmp-server contact Network Administrator
tacacs-server host 10.99.0.182 key 7 113D180636071F044A7B7974
tacacs-server directed-request
!
control-plane
!
!
line con 0
 password 7 107A0C153A24051F2C577F7D7466626772
line vty 0 4
 access-class 99 in
 password 7 03305E07393C36586E5A4C53475C5A5E54
line vty 5 15
 password 7 073B2440713A0E1137415E5A54647A7678
!
ntp authentication-key 100 md5 070334415D2A150A1419 7
ntp authenticate
ntp trusted-key 100
ntp clock-period 36028932
ntp server 172.25.150.1
end
 

Okay, thanks for that.

So one last question.

Is it for all clients in vlan 96 that you want to apply the acl?

Jon

Yes, all clients are in VLAN 96.

Add this configuration to your L3 switch ie. the one with "int vlan 96" on it.

access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit tcp any host x.x.x.x eq http  <-- where x.x.x.x is the web site IP
access-list 101 permit tcp any host x.x.x.x eq https
access-list 101 deny ip any any 

int vlan 96 <-- on L3 switch
ip access-group 101 in

Things to note -

1) the first line is for DHCP. Some people have reported issues with it working so if it doesn't let me know and I can provide an alternative

2) you need "any" in the first line because the client doesn't have an IP yet.

For the other lines I have used "any" because I don't know what the IP subnet of vlan 96 is. If you want to you can replace the "any" with the IP subnet and wildcard mask, but only for lines 2, 3 & 4.

3) this will apply to all clients in vlan 96. If you only want it for some clients then you need to apply acl at the port level and not on the SVI.

Jon
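As an added illustration (not code from the thread), the following Python script is a small first-match evaluator for the kind of extended ACL Jon lists above: it parses the `access-list 101 ...` lines (and the numbered `show access-list` form that appears later in the thread), substitutes the web site address 98.129.229.186 given later for x.x.x.x, and runs constructed sample packets through it to show why the DHCP line must use `any` (the client has no address yet) and how everything else falls to the deny. The packet addresses and ports are constructed, and the evaluator handles only contiguous wildcard masks.

```python
import ipaddress
PORT_NAMES = {"bootps": 67, "bootpc": 68, "http": 80, "https": 443}  # names used in the thread

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' [eq PORT]; return (network, port or None)."""
    t = toks.pop(0)
    if t == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif t == "host":
        net = ipaddress.ip_network(toks.pop(0) + "/32")
    else:  # a Cisco wildcard is an inverted netmask (contiguous wildcards only here)
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks.pop(0)))))
        net = ipaddress.ip_network((t, mask), strict=False)
    port = None
    if toks and toks[0] == "eq":
        p = toks[1]
        del toks[:2]
        port = PORT_NAMES.get(p) or int(p)
    return net, port

def parse_ace(line):
    """Parse one ACE written as 'access-list N ...' or as 'show' output ('10 permit ...')."""
    toks = line.split()
    toks = toks[2:] if toks[0] == "access-list" else toks[1:] if toks[0].isdigit() else toks
    action, proto = toks.pop(0), toks.pop(0)
    src, sport = _addr(toks)
    dst, dport = _addr(toks)
    return (action, proto, src, sport, dst, dport)  # trailing 'log' / '(N matches)' ignored

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation; a Cisco ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in acl:
        if (p in ("ip", proto) and s in snet and d in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

# Jon's ACL 101 with 98.129.229.186 (the address given later in the thread) for x.x.x.x.
JON_ACL = [parse_ace(l) for l in [
    "access-list 101 permit udp any eq bootpc any eq bootps",
    "access-list 101 permit tcp any host 98.129.229.186 eq http",
    "access-list 101 permit tcp any host 98.129.229.186 eq https",
    "access-list 101 deny ip any any",
]]

if __name__ == "__main__":  # constructed packets: DHCP DISCOVER, HTTP to the site, HTTP elsewhere
    print(evaluate(JON_ACL, "udp", "0.0.0.0", 68, "255.255.255.255", 67))        # permit
    print(evaluate(JON_ACL, "tcp", "10.110.96.20", 51000, "98.129.229.186", 80))  # permit
    print(evaluate(JON_ACL, "tcp", "10.110.96.20", 51001, "192.0.2.10", 80))      # deny
```

Removing the first line and re-running the DHCP packet shows it dropping to the deny, which is the failure mode Jon's point 2 describes.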

Thanks for helping, but I have some confusion; kindly clear it up.

First of all, I do not want to apply the ACL to the whole VLAN 96.

Secondly, I have a distribution switch (Layer 3); its IP is 10.110.96.1 255.255.255.240

and the clients are connected to Layer 2 switches; their IPs are 10.110.96.2 255.225.225.240 & 10.110.96.3 255.225.225.240, and I want to allow host 98.129.229.186 (HTTP website).

The Layer 2 switches are connected to the Layer 3 switch on interfaces 5 and 6.

Kindly write the ACL according to this scenario.

Can you answer this question?

Are you trying to stop some clients from accessing anything other than that web server?

If yes then I have already told you what to do in my last post, you just need to read it again (see point 3).

If no, then please explain very clearly exactly what you are trying to do.

Jon

Thanks for the help; my issue was resolved with this ACL:

    10 permit ip any host 110.93.218.154
    15 permit ip any host 98.129.229.186 log
    20 permit ip any host 10.99.0.1
    30 permit ip any host 10.99.0.17
    40 permit ip any host 10.99.0.155
    45 permit ip any host 10.99.0.157
    50 permit ip any host 10.99.0.169
    60 permit ip any 10.101.88.0 0.0.0.15
    70 permit ip any host 10.101.88.1
    80 deny ip any any (76 matches)

Hi,

How can I make the ACL below work automatically according to a given schedule, which is every Friday from 8:00 am to 11:00 am for 4 months, while the time-range is not working?

Someone asked me if it is possible through the CACTI backup tool. If this is possible, then how?

    10 permit ip any host 110.93.218.154
    15 permit ip any host 98.129.229.186 log
    20 permit ip any host 10.99.0.1
    30 permit ip any host 10.99.0.17
    40 permit ip any host 10.99.0.155
    45 permit ip any host 10.99.0.157
    50 permit ip any host 10.99.0.169
    60 permit ip any 10.101.88.0 0.0.0.15
    70 permit ip any host 10.101.88.1
    80 deny ip any any (76 matches)
