01-10-2005 01:53 AM - edited 03-05-2019 11:23 AM
In our campus we have a network of 192.168.2.0 with a Cisco switch 2950.
A segment called seg-1 is plugged into switch port 8 (total 5 segments),
and our proxy server is plugged into port 3. Now what I want is
to restrict seg1 computers from accessing web traffic from that proxy server but
allow other traffic to flow uninterrupted.
How and where can I implement an ACL to achieve such a result?
How do I implement security on a switch port to allow or restrict different
kinds of traffic?
Give me a solution.
01-11-2005 12:16 AM
In the following example web server has IP address 1.1.1.1.
Use your actual IP address.
!
interface FastEthernet0/8
description *** Connection to Segment 1 ***
no ip address
ip access-group 100 in
!
access-list 100 deny tcp any host 1.1.1.1 eq www
access-list 100 permit ip any any
!
This way all computers connected to switch port 0/8 will not be able to access web server 1.1.1.1 but they will be able to access anything else.
If you need specific computers connected to port 0/8 to be restricted, you'll need to change the access-list. You can use IP addresses in your access-list to perform per user or per subnet denial.
Please let me know more details to help you.
Regards
Marinos
01-11-2005 11:52 PM
Dear,
Switch software: Version 12.1(13)EA1
I am using the 192.168.2.0 network in my whole campus.
1. As I explained, seg1 (10 computers) is connected to switch port 8 and the proxy server is connected at port no. 3. Now I want to restrict some of seg1's computers from accessing the internet (web) only, not other traffic. How do I achieve that?
2. I created the access list you showed me in your answer, but when I apply it on port 8 there is no such command as (ip access-list group 110). What do I do? How can I enable that command on physical interface port 8?
Give me details, I am a novice.
Please help me soon.
01-12-2005 12:08 AM
Please note that the command to apply the access-list on the interface is not ip access-list group but ip access-group
I can write to you the exact configuration you need, but I must know the following information:
1) What is the IP address of your web server?
2) What are the IP addresses of the PCs that will not access web service?
Assuming the following,
(192.168.2.10 -> web server)
(192.168.2.55 -> PC with no access to web server)
(192.168.2.58 -> PC with no access to web server)
(192.168.2.59 -> PC with no access to web server)
the configuration will be like this:
!
interface FastEthernet0/8
description *** Connection to Segment 1 ***
no ip address
ip access-group 100 in
!
access-list 100 deny tcp host 192.168.2.55 host 192.168.2.10 eq www
access-list 100 deny tcp host 192.168.2.58 host 192.168.2.10 eq www
access-list 100 deny tcp host 192.168.2.59 host 192.168.2.10 eq www
access-list 100 permit ip any any
!
Please let me know the exact IP address you are using to write the exact configuration to use.
Regards
Marinos
01-12-2005 12:27 AM
Web server address: 192.168.2.1
Deny hosts are:
192.168.2.4
192.168.2.5
192.168.2.8
192.168.2.10
I created that access list as you told me, but
how do I apply it on port fa/8? Please clarify, since there is no command or option available such as (ip access-group 100 in).
Output (interface fa0/8):
ITS2950(config-if)#ip ?
Interface IP configuration subcommands:
address Set the IP address of an interface
igmp IGMP interface commands
Now where and how do I apply that? Tell me soon.
Regards
01-12-2005 01:24 AM
You are correct:
a 2950 switch does not have the ip access-group command, but a 2950T does.
What you can do is create a VLAN interface and apply the access-list in the VLAN interface.
!
interface FastEthernet0/8
description *** Connection to Segment 1 ***
no ip address
switchport access vlan 2
!
interface vlan 2
ip access-group 100 in
!
access-list 100 deny tcp host 192.168.2.4 host 192.168.2.1 eq www
access-list 100 deny tcp host 192.168.2.5 host 192.168.2.1 eq www
access-list 100 deny tcp host 192.168.2.8 host 192.168.2.1 eq www
access-list 100 deny tcp host 192.168.2.10 host 192.168.2.1 eq www
access-list 100 permit ip any any
!
Try this and tell me if it worked
Marinos
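To check what the access-list above actually filters before pushing it to the switch, here is an added example (not Marinos's configuration and not Cisco software): a small Python simulator of IOS extended-ACL evaluation, top-down first match with the implicit deny at the end. It parses the exact access-list 100 lines from the post and evaluates constructed sample flows sourced from Segment 1 hosts, which is what an inbound ACL on port 0/8 sees. It supports only the syntax used in the thread (host, any, address plus wildcard mask, and an optional "eq" destination port); the flows and the port numbers other than www are constructed for the test.

```python
"""Simulate IOS extended-ACL evaluation for the access-list in the thread.

Added example, not the page's own code. Mimics numbered extended ACL
semantics: entries are tried top-down, the first match decides, and an
unmatched packet hits the implicit "deny ip any any".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")
# Subset of IOS well-known port names; "www" is the only one the thread uses.
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "domain": 53, "smtp": 25}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _take_addr(tokens: List[str], i: int):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted netmasks: 0 bits must match.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list 100 deny tcp host A host B eq www' line."""
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("expected a numbered extended ACL (100-199)")
    action, proto = t[2], t[3]
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, port)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation; implicit deny when nothing matches."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The access-list exactly as posted in the thread.
ACL_100 = [parse_ace(l) for l in """
access-list 100 deny tcp host 192.168.2.4 host 192.168.2.1 eq www
access-list 100 deny tcp host 192.168.2.5 host 192.168.2.1 eq www
access-list 100 deny tcp host 192.168.2.8 host 192.168.2.1 eq www
access-list 100 deny tcp host 192.168.2.10 host 192.168.2.1 eq www
access-list 100 permit ip any any
""".strip().splitlines()]


def segment1_results() -> dict:
    """Constructed sample flows entering port 0/8 from Segment 1 hosts."""
    flows = {
        "denied host to proxy :80":   Packet("tcp", "192.168.2.4", "192.168.2.1", 80),
        "denied host to proxy :8080": Packet("tcp", "192.168.2.4", "192.168.2.1", 8080),
        "denied host to proxy :22":   Packet("tcp", "192.168.2.4", "192.168.2.1", 22),
        "other host to proxy :80":    Packet("tcp", "192.168.2.6", "192.168.2.1", 80),
        "denied host udp dns":        Packet("udp", "192.168.2.10", "192.168.2.1", 53),
    }
    return {name: evaluate(ACL_100, p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, verdict in segment1_results().items():
        print(f"{name:32s} -> {verdict}")
```

Two things the simulation makes visible: the four hosts are blocked only for TCP port 80 on 192.168.2.1, so the same hosts still reach any other port on the proxy, and every host not listed reaches port 80 unchanged. If the proxy's listening port is not 80, the "eq www" entries match nothing and the permit line lets everything through; match the port the proxy really uses.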
01-12-2005 03:21 AM
That's right, but the problem is that all my ports 1-24 are part of the default VLAN 1.
If I create another VLAN, then how would I be able to communicate with the other one (vlan1)?
Can I assign that access-list to VLAN 1 itself? Would it work, since all the ports are members of VLAN 1?
01-12-2005 03:46 AM
Yes, you can try this as well.
I'm not sure if it will work but it's worth a try.
Let me know how it will turn out.