cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1050
Views
0
Helpful
7
Replies

Help me switch security

ccnamonsun
Level 1
Level 1

In our campus we have a network of 192.168.2.0 with cisco switch 2950.

A segment called seg-1 is pulgged into switch port - 8(total 5 segments),

& our proxy server is plugged into port 3. now what i want is that i want ,

to restrict seg1 computers to access web taffic from that proxy server but

allow other traffic to flow unintruppet.

How & where can i implement ACL to achive such result ?

How to implement security of switch port to access or restrich different

kind of traffic

Give me solution.

7 Replies 7

marinos_g
Level 1
Level 1

In the following example web server has IP address 1.1.1.1.

Use your actual IP address.

!

interface FastEthernet0/8

description *** Connection to Segment 1 ***

no ip address

ip access-group 100 in

!

access-list 100 deny tcp any host 1.1.1.1 eq www

access-list 100 permit ip any any

!

This way all computers connected to switch port 0/8 will not be able to access web server 1.1.1.1 but they will be able to access anything else.

If you need specific computers connected to port 0/8 to be restricted, you'll need to change the access-list. You can use IP addresses in your access-list to perform per user or per subnet denial.

Please let me know more details to help you.

Regards

Marinos

Dear,

switch software :-Version 12.1(13)EA1

I am using 192.168.2.0 network in my whole campus.

1.As i explained u seg1(10 computers) connected to switch port 8 & proxy server is connected at port no 3.Now i want to restrict some seg1 's computer to access internet(web)only not other. how to achive that ?

2. I created an access list u shown me in answer but when i apply it on port 8 there is no such command as (ip access-list group 110) what i do. how can i enable that command on physical interface port 8.

Give me deatils i am novice.

plz. help me soon.

Please note that the command to apply the access-list on the interface is not ip access-list group but ip access-group

I can write to you the exact configuration you need, but I must know the following information:

1) What is the IP address of your web server?

2) What are the IP addresses of the PCs that will not access web service?

Assuming the following,

(192.168.2.10 -> web server)

(192.168.2.55 -> PC with no access to web server)

(192.168.2.58 -> PC with no access to web server)

(192.168.2.59 -> PC with no access to web server)

the configuration will be like this:

!

interface FastEthernet0/8

description *** Connection to Segment 1 ***

no ip address

ip access-group 100 in

!

access-list 100 deny tcp host 192.168.2.55 host 192.168.2.10 eq www

access-list 100 deny tcp host 192.168.2.58 host 192.168.2.10 eq www

access-list 100 deny tcp host 192.168.2.59 host 192.168.2.10 eq www

access-list 100 permit ip any any

!

Please let me know the exact IP address you are using to write the exact configuration to use.

Regards

Marinos

Web server add :-192.168.2.1

Deny host are:-

192.168.2.4

192.168.2.5

192.168.2.8

192.168.2.10

I created that access list as u told me but,

How i apply it on port fa/8 clarify plz. since there is no command or option avilable as (ip access-group 100 in )

output (interface fa0/8):-

ITS2950(config-if)#ip ?

Interface IP configuration subcommands:

address Set the IP address of an interface

igmp IGMP interface commands

Now where how i appliy that. tell me soon

Regard

You are correct

a 2950 switch does not have the ip access-group command, but a 2950T does.

What you can do is create a VLAN interface and apply the access-list in the VLAN interface.

!

interface FastEthernet0/8

description *** Connection to Segment 1 ***

no ip address

switchport access vlan 2

!

interface vlan 2

ip access-group 100 in

!

access-list 100 deny tcp host 192.168.2.4 host 192.168.2.1 eq www

access-list 100 deny tcp host 192.168.2.5 host 192.168.2.1 eq www

access-list 100 deny tcp host 192.168.2.8 host 192.168.2.1 eq www

access-list 100 deny tcp host 192.168.2.10 host 192.168.2.1 eq www

access-list 100 permit ip any any

!

Try this and tell me if it worked

Marinos

That's right but problem is that my all ports 1-24 are part of default vlan 1,

if i create another vlan then how i would be able to communicate with another (vlan1)

can i assign that access-list at vlan 1 itself. would it work ? since all ther ports r member of vlan 1

Yes, you can try this as well.

I'm not sure if it will work but it's worth a try.

Let me know how it will turn out.

Review Cisco Networking for a $25 gift card