ACL's on trunk ports?

tiwang
Level 3

hi out there

I have been looking a bit at PACLs and VACLs, but I am not sure I am looking at the right technology here. I was trying to figure out whether I could apply an ACL so that I only permit a specific protocol to be trunked through a trunk between two interfaces. It is a PVLAN interface which is only used for net-backup, so I would like to ensure that we only have these protocols flowing between the switches. I have a Nexus 5020 at one end and a CAT3750 at the other. Can I ensure this through some sort of ACL applied to a trunk interface?

best regards /ti

3 Replies

JohnTylerPearce
Level 7

Well, ACLs are typically used on the [inbound|outbound] sides of interface VLANs or of interfaces with IP addresses associated with them. I know that you can use a VACL to permit and/or deny specific protocols within the same VLAN, since you can't use a regular ACL to do this. Is there a backup server that is responsible for backing up certain systems, and are all the other systems on the same VLAN or on different VLANs?

hi again

The backup server is assigned to the host port (PVLAN 550) of the PVLAN on another switch (in fact 2-3 switches away). So, to stop traffic from flowing into the traffic path as close as possible to the originating system, I would see if I could apply an ACL only permitting the needed protocols on the trunk interconnecting this switch with the rest. See the sketch below:

client >---------------->switch #1 >--------------------->switch #2 >--------------> switch #3 -------------> backupserver

client (isolated PVLAN 551 -> primary PVLAN 550) -> PVLAN trunk (does this need to be defined as a PVLAN trunk?)

-> ordinary trunk sw2 ------> ordinary trunk sw3 --------> primary PVLAN 550 host port --> backup server

best regards /ti

What kind of PVLAN port is your backup server on? Is it on a community port, an isolated port, or a promiscuous port? I'm assuming you have a promiscuous port configured. You could just create an extended access list specifying the port that you need.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1039754

This link may help you out.

I forgot about PACLs, LOL. It has been so long since I've configured one of those.

Sounds like you should be able to configure a PACL, apply it to the trunk interface on your switch inbound, and you should be good to go. Of course, pay attention to the PACL so you don't block anything you want going out.
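The following is an added, illustrative configuration written for this page; it is not from the thread's participants or from Cisco documentation. It shows the port ACL approach from the reply above on a middle switch of the sketch (switch #2, assumed here to be the Catalyst 3750), with the NX-OS equivalent for the Nexus 5020 end. Everything concrete is assumed: the backup server is 10.10.50.10 on primary PVLAN 550, the clients are in 10.10.51.0/24 on isolated PVLAN 551, the interface names, and the ports (TCP 1556 and 13724, which is what Veritas NetBackup uses for PBX and vnetd; substitute the ports of the backup product actually in use). Because a port ACL on these platforms is inbound only, the list that restricts client traffic must sit on the port that receives it (the trunk facing switch #1), and the return traffic from the server needs its own list on the trunk facing switch #3.

```cisco
! Added example, not part of the original thread. All addresses, ports and
! interface names below are assumptions; adjust to the real environment.
!
! ---- Catalyst 3750 (IOS), acting as switch #2 in the sketch ----
!
! Client -> backup server. Only the backup product's TCP ports are allowed.
! The explicit deny at the end makes the intent visible and gives a hit
! counter in "show access-lists"; the implicit deny would behave the same.
ip access-list extended BACKUP-FROM-CLIENTS
 remark NetBackup PBX (1556) and vnetd (13724) from isolated PVLAN 551 clients
 permit tcp 10.10.51.0 0.0.0.255 host 10.10.50.10 eq 1556
 permit tcp 10.10.51.0 0.0.0.255 host 10.10.50.10 eq 13724
 remark optional: let the backup server be pinged from the clients
 permit icmp 10.10.51.0 0.0.0.255 host 10.10.50.10 echo
 deny   ip any any
!
! Backup server -> clients (return direction of the same sessions).
ip access-list extended BACKUP-FROM-SERVER
 permit tcp host 10.10.50.10 eq 1556  10.10.51.0 0.0.0.255
 permit tcp host 10.10.50.10 eq 13724 10.10.51.0 0.0.0.255
 permit icmp host 10.10.50.10 10.10.51.0 0.0.0.255 echo-reply
 deny   ip any any
!
! Port ACLs (PACLs) on the Layer 2 trunks. "ip access-group ... in" on a
! switchport is a PACL: it is applied inbound only and, on a trunk, it
! filters every VLAN carried on that trunk, so it must not clash with other
! VLANs sharing the link. It matches IP only; non-IP frames such as ARP
! pass unless a "mac access-group" list is added.
interface GigabitEthernet1/0/47
 description trunk to switch #1 (client side)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 550,551
 switchport mode trunk
 ip access-group BACKUP-FROM-CLIENTS in
!
interface GigabitEthernet1/0/48
 description trunk to switch #3 (backup server side)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 550,551
 switchport mode trunk
 ip access-group BACKUP-FROM-SERVER in
!
! ---- Nexus 5020 (NX-OS) equivalent, if the Nexus is the filtering switch ----
! NX-OS uses prefix notation and "ip port access-group" for a Layer 2 port.
ip access-list BACKUP-FROM-CLIENTS
  10 permit tcp 10.10.51.0/24 10.10.50.10/32 eq 1556
  20 permit tcp 10.10.51.0/24 10.10.50.10/32 eq 13724
  30 permit icmp 10.10.51.0/24 10.10.50.10/32 echo
  40 deny ip any any
!
interface Ethernet1/1
  description trunk towards the client-side switch
  switchport mode trunk
  switchport trunk allowed vlan 550,551
  ip port access-group BACKUP-FROM-CLIENTS in
```

To check that the filter is doing what you expect, run a backup and then look at the hit counters with `show access-lists BACKUP-FROM-CLIENTS` (IOS) or `show ip access-lists BACKUP-FROM-CLIENTS` (NX-OS): the permit lines should count up and the final deny should stay near zero once everything the clients need is listed. Anything the clients legitimately send across that trunk besides the backup traffic (DNS, NTP, management) must be added to the list before the deny, which is the "don't block anything you want going out" point made in the reply above.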
