Solved: Cisco 4500 ACL question

Jay Cambell · ‎05-26-2017

I have a cisco 4500 series switch. I'm trying to figure out the best way to create an ACL. I have 5 users on the same vlan as 100 users. We are using DHCP on the network. I need to allow the 5 users access to 2 servers and block everyone else. Is there a way to configure the ACL without statically assign ip addresses to the 5 users? Can someone please send an example?

Julio E. Moisa · ‎05-26-2017

Hi

Are you configuring the DHCP on the 4500 or it is on a standalone Window server? You could make a dhcp reservation for each specific computer, so the IP always be assigned to the specific mac address.

If the dhcp is configured on the Cisco devices, check this link:

https://community.spiceworks.com/topic/106799-how-to-create-reservations-in-cisco-dhcp-server

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎05-26-2017

Ok, thank you, so you can make a dhcp reservation for the mac address of each computer. So the IP will never change for those computers.

http://www.tutorialspoint.com/articles/setting-dhcp-reservations-in-windows-server-2008-r2

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Philip D'Ath · ‎05-26-2017

What not fix their IP address in DHCP?

Jay Cambell · ‎05-26-2017

If I create a reservation what should I do next?

Jay Cambell · ‎05-26-2017

How would create the ACL on the cisco 4500 switch?

Julio E. Moisa · ‎05-26-2017

You can configure the ACL under the SVI, example:

ip access-list extended OUTBOUND
deny ip host 192.168.1.5 host <Server IP>
deny ip host 192.168.1.6 host <Server IP>
deny ip host 192.168.1.7 host <Server IP>
deny ip host 192.168.1.8 host <Server IP>
deny ip host 192.168.1.9 host <Server IP>
permit ip any any

interface vlan 10
ip address 192.168.1.1 255.255.255.0
ip helper-address <dhcp server IP>
ip access-group OUTBOUND out

In order to see the matches you can execute:

show access-list

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Jay Cambell · ‎05-26-2017

I have 5 users on the same vlan as 100 users. I need to allow the 5 users access to 2 servers and block everyone else.

Julio E. Moisa · ‎05-26-2017

I got it, it should be:

ip access-list extended OUTBOUND
permit ip host 192.168.1.5 host <Server IP 1>
permit ip host 192.168.1.6 host <Server IP 1>
permit ip host 192.168.1.7 host <Server IP 1>
permit ip host 192.168.1.8 host <Server IP 1>
permit ip host 192.168.1.9 host <Server IP 1>
permit ip host 192.168.1.5 host <Server IP 2>
permit ip host 192.168.1.6 host <Server IP 2>
permit ip host 192.168.1.7 host <Server IP 2>
permit ip host 192.168.1.8 host <Server IP 2>
permit ip host 192.168.1.9 host <Server IP 2>
deny ip any host <Server IP 1>
deny ip any host <Server IP 2>
permit ip any any

interface vlan 100
ip address 192.168.1.1 255.255.255.0
ip helper-address <dhcp server IP>
ip access-group OUTBOUND out

*On switches like 6500 you can use object-groups to group specific destinations or sources in order to decrease the ACL lines. Try this config on the 4500

object-group network 5-HOSTS
host 192.168.1.6
host 192.168.1.5
host 192.168.1.7
host 192.168.1.8
host 192.168.1.9

object-group network SERVERS
host 10.10.10.100
host 10.10.10.101

ip access-list extended OUTBOUND
permit ip object-group 5-HOSTS object-group SERVERS
deny ip any object-group SERVERS
permit ip any any

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Jay Cambell · ‎05-27-2017

Ok. Thank you. Why do you use the out statement at the end of ACL ? ip access-group OUTBOUND out

Julio E. Moisa · ‎05-27-2017

Hi Jay,

You are welcome,

It is related to the ACL, imagine: the incoming traffic to the router is (In), now if the traffic is originated into the router or behind the router to outside (Out), the sintaxis of the extended named ACL is:

ip access-list extended <ACL name>
permit/deny <protocol> <source host or network> <wildcard> <source port> <destination host or network> <wildcard> <destination port or range of ports>

The sintaxis will never change, you need to identify if the traffic is inbound (in) or outbound (out) through a interface.

Hope it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Julio E. Moisa · ‎05-26-2017

Hi

Are you configuring the DHCP on the 4500 or it is on a standalone Window server? You could make a dhcp reservation for each specific computer, so the IP always be assigned to the specific mac address.

If the dhcp is configured on the Cisco devices, check this link:

https://community.spiceworks.com/topic/106799-how-to-create-reservations-in-cisco-dhcp-server

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Jay Cambell · ‎05-26-2017

There is a dhcp windows server on the network.

Julio E. Moisa · ‎05-26-2017

Ok, thank you, so you can make a dhcp reservation for the mac address of each computer. So the IP will never change for those computers.

http://www.tutorialspoint.com/articles/setting-dhcp-reservations-in-windows-server-2008-r2

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<