04-17-2014 12:00 PM - edited 03-07-2019 07:08 PM
Hi guys,
I'm a Cisco noob, so please forgive me if I'm asking stupid questions. :)
I have a Cisco Catalyst 3560 in my lab, and it's currently a single-VLAN setup with all 48 interfaces in it. The switch receives static IPs from the router and, as far as I understand, is not doing any routing by itself. I'd like to run my own TFTP server that is available only to the servers on this switch (for network boot).
So what I probably need this switch to run is some kind of internal network, e.g. 10.10.2.0, so I'd be able to reach the servers on this switch both via an external IP xxx.xxx.xxx.xxx and an internal one, say 10.10.2.3, during the PXE boot.
So how should it be done and is it possible at all?
I hope I'm making myself clear and you got the idea. Please ask if you don't. :)
BR,
Paul
04-17-2014 01:25 PM
What I understood is that you are running some servers on the switch and these servers are accessed by some external users,
and you want those external users to only be able to use these servers but not the TFTP server that you are running; this TFTP server should only be accessible by the servers on the switch.
If that is what you are asking, then you can use a port ACL on the switch port where the TFTP server is running. These port ACLs can be applied on a switch Layer 2 interface, in the inbound direction.
04-17-2014 02:22 PM
Hi bighhostlv,
If you use a port ACL it will work only for that particular interface, but if you use a VLAN ACL then it will apply to all ports in that VLAN.
Rate helpful posts
04-17-2014 01:44 PM
OK, that's pretty close. I've tried this ACL thing before, and the issue I have is that it applies the rules to the whole VLAN, not the interface I need. I'm using Cisco Network Assistant; perhaps that's the reason.
04-17-2014 11:20 PM
For example, if I start the security wizard and choose a single interface (FastEthernet6 in this case) to block port 25 on, I get this config:
Restricting Applications.
Creating ACL SecWiz_Fa0_6_in_ip based on provided criteria
Creating VLAN Map SecWiz_Vlan1
Applying VLAN Map
Applying VLAN Map SecWiz_Vlan1 to Vlan1
and when I click on Show CLI sequence:
Cisco1(config)# no vlan access-map SecWiz_Vlan1 10
Cisco1(config)# no ip access-list Extended SecWiz_Fa0_6_in_ip
Cisco1(config)# ip access-list extended SecWiz_Fa0_6_in_ip
Cisco1(config-ext-nacl)# deny tcp any any eq 25
Cisco1(config-ext-nacl)# permit ip any any
Cisco1(config-ext-nacl)# exit
Cisco1(config)# vlan access-map SecWiz_Vlan1
Cisco1(config-access-map)# 10 match ip address SecWiz_Fa0_6_in_ip
Cisco1(config-access-map)# 10 action forward
Cisco1(config-access-map)# exit
Cisco1(config)# vlan filter SecWiz_Vlan1 vlan-list 1
After I apply the changes, port 25 gets blocked on the entire switch. I believe it will be the same for what I'm trying to do now.
04-18-2014 04:10 AM
Suppose the following is the topology:
Now you create an ACL to allow only R2 to telnet to R1 and block R3 from telnetting to R1; similarly you can do it for TFTP, UDP port number 69.
All devices are in the same VLAN.
SW1(config)#access-list 101 permit tcp host 10.1.1.1 eq 23 host 10.1.1.2
SW1(config)#access-list 101 deny tcp host 10.1.1.1 eq 23 any
SW1(config)#access-list 101 permit ip any any
SW1(config)#int fa0/1
SW1(config-if)#ip access-group 101 in
This works and I have checked it; you can use it for UDP traffic on port 69 for TFTP.
Don't forget to rate the helpful posts.
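The same port-ACL idea written out for the original TFTP/PXE question, as an added example that is not from any post in this thread. The addressing is constructed for illustration: internal subnet 10.10.2.0/24, TFTP server at 10.10.2.3 on FastEthernet0/6, uplink to the router on GigabitEthernet0/1. Two details differ from the telnet example above: a TFTP server answers a request sent to UDP/69 from a new ephemeral port, so a rule that matches the server's source port (the "eq 23" pattern) never sees TFTP replies, and the rules therefore match on addresses instead; and where the wizard's vlan filter applied a VLAN map to every port in VLAN 1, ip access-group on a Layer 2 interface is scoped to that one port (inbound only on the 3560).

```cisco
! Added example, not from the thread. Constructed addressing:
!   internal/PXE subnet   10.10.2.0/24
!   TFTP server           10.10.2.3 on FastEthernet0/6
!   uplink to the router  GigabitEthernet0/1
!
! 1. Port ACL on the uplink: frames arriving from the router that are aimed
!    at the TFTP service are dropped, everything else is forwarded as before.
ip access-list extended PACL-UPLINK-IN
 remark block outside access to the TFTP service on 10.10.2.3
 deny   udp any host 10.10.2.3 eq tftp
 permit ip any any
!
interface GigabitEthernet0/1
 description uplink to router
 ip access-group PACL-UPLINK-IN in
!
! 2. Port ACL on the server port: traffic the server sends from its internal
!    address may only go to the internal subnet, so even a request that
!    reached the service could not be answered towards an outside host.
!    The final permit leaves the server's external address untouched.
ip access-list extended PACL-TFTP-SRV-IN
 remark internal address of the TFTP server talks to the PXE subnet only
 permit ip host 10.10.2.3 10.10.2.0 0.0.0.255
 deny   ip host 10.10.2.3 any
 permit ip any any
!
interface FastEthernet0/6
 description TFTP/PXE server (internal 10.10.2.3)
 ip access-group PACL-TFTP-SRV-IN in
!
! Check that the ACLs sit on the intended ports and that hit counters move
! only for the expected entries (exec mode, not config):
!   show ip access-lists
!   show ip interface FastEthernet0/6
!   show ip interface GigabitEthernet0/1
```

Because the VLAN is unchanged, PXE clients on the other 46 ports still reach 10.10.2.3 directly at Layer 2; the ACLs only cut the path through the uplink and confine the server's internal address, which is the "available only to the servers on this switch" requirement from the first post without touching the servers' external addresses.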
04-18-2014 10:18 AM
Ok, thanks a million will try this one.