04-16-2014 07:15 AM - edited 03-07-2019 07:07 PM
Hi Folks,
I've been out of the networking world for a few years and am slowly getting back into it. One thing that is currently causing me a slight bit of grief is a set of access-lists I'm trying to apply.
When planning this I never gave it a second thought as I had configured these a long time ago and never posed any complication. I know I'm gonna kick myself as it has to be something very simple.
Basically, here is an example of my basic requirements:
I have 2 computers connected on the one switch. I want to prevent either computer from connecting to the other on all protocols; these computers must be able to connect to other resources on the LAN.
I had tried adding specific IP and MAC global access lists:
Extended IP access list IP_BLOCK_1
10 deny tcp host 123.123.123.2 host 123.123.123.3
20 deny tcp host 123.123.123.3 host 123.123.123.2
30 deny udp host 123.123.123.3 host 123.123.123.2
40 deny udp host 123.123.123.2 host 123.123.123.3
Extended MAC access list MAC_BLOCK_1
deny host 12ab.12cd.12ef host 13ab.13cd.13ef
deny host 13ab.13cd.13ef host 12ab.12cd.12ef
All interfaces are on VLAN 2 and VLAN 2 has been given an IP address of 123.123.123.6.
I have tried deny any any but both computers are still able to connect. Someone please put me out of my misery :-)
Switch model:
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 50 WS-C2960-48TC-S 12.2(55)SE5 C2960-LANLITEK9-M
Do I need to enable anything to allow ACLs to be active? I didn't think there were prerequisites for global ACLs, but as it's been so long.........
Thanks for your time.
04-16-2014 11:28 AM
Hi ciaranmurphy1,
If they are connected to the same switch, you can configure switchport protected; take a look at the link below.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_20_ea2/configuration/guide/2950scg/swtrafc.html#wp1158863
It looks similar to private VLANs isolated ports, but it is simpler to configure and it works only within the same switch.
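As an added illustration of the protected-port approach recommended above (this is not configuration from the original thread), assume the two hosts sit on FastEthernet0/1 and FastEthernet0/2 in VLAN 2 and the rest of the LAN is reached through GigabitEthernet0/1:

```cisco
! Assumed port assignments: the two hosts on Fa0/1 and Fa0/2, uplink on Gi0/1.
! A protected port will not forward unicast, multicast or broadcast traffic
! to any other protected port on the same switch. Traffic to non-protected
! ports (the uplink, other LAN members) is unaffected, so both hosts keep
! their access to the rest of the LAN.
interface FastEthernet0/1
 description host-A
 switchport mode access
 switchport access vlan 2
 switchport protected
!
interface FastEthernet0/2
 description host-B
 switchport mode access
 switchport access vlan 2
 switchport protected
!
! The uplink is deliberately left unprotected so it can reach both hosts.
interface GigabitEthernet0/1
 description uplink
 switchport mode access
 switchport access vlan 2
!
! Verify from enable mode that each port reports "Protected: true":
!   show interfaces FastEthernet0/1 switchport | include Protected
!   show interfaces FastEthernet0/2 switchport | include Protected
```

Two caveats worth checking before concluding the block "does not work": the isolation only covers frames that actually pass through this switch between the two ports (a second NIC or another path between the hosts bypasses it entirely, which is what the original poster found), and a packet-based ACL that lists only tcp and udp, as above, would not match ICMP or other IP protocols even where it is applied.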
04-17-2014 01:07 PM
Well, it's official: I am the world's biggest wally.
The issue was that the packets from both computers weren't traversing this switch after all. Both computers are actually servers with multiple NICs. I thought I had the LAN routing set up correctly on the servers, but I did not. So the connection was going over a different link that was on another NIC on the servers. Should have seen this way sooner, sorry for wasting your time.
BTW, the port blocking is working perfectly, thank you for that recommendation.