01-12-2010 06:23 AM - edited 03-06-2019 09:15 AM
Dear Experts,
I am attaching a snapshot for your reference.
I want to block traffic at the trunk between the two Distribution switches.
Only specific traffic from the Backbone should be allowed onto the 2nd Distribution switch and the network below it. How can I do this? Please help.
I need that only
10.0.0.1 to 10.0.0.10 can access 10.0.254.0 segment
10.0.190.50 can access 10.0.254.0 segment
10.0.255.0 segment can access 10.0.254.0 segment
Rest of Traffic can not access 10.0.254.0 segment
I cannot apply an ACL on the Dist 2 switch as it is a Nortel 1612 switch.
I want to apply the ACL on the Dist 1 downlink port.
Please help.
Dipesh P.
01-12-2010 09:59 AM
Hello Dipesh,
you should be able to apply an extended ACL on the SVI (L3 VLAN interface) of the distribution device.
Eventually you may need to apply different ACLs to different SVIs.
PS: I wish you a happy new year!
Hope to help
Giuseppe
01-13-2010 02:18 AM
Hi guiseppe/dipesh,
If the dist switch has access to the VLAN info (I mean L2), wouldn't a VLAN ACL on that particular VLAN segment (10.0.254.0), provided it is a separate VLAN, also address the issue? I stand to be corrected.
thanks,
Prakadeesh
01-13-2010 10:31 AM
hi,
Happy New year to you also.
Yes, if I apply the ACL on the SVI on Dist 2 then it works, but my problem is that Dist 2 is a Nortel switch and I cannot apply an ACL on its SVI. So I need to block traffic by applying the ACL on the trunk port of Dist 1.
E.g.
Dist 1 uplink info:
Gi0/25 --- Uplink trunk from Backbone SW
Gi0/26 --- Downlink to Dist 2 (Nortel, with e.g. the 10.0.2.0/24 segment)
Now on the Nortel SW I cannot do anything. So I need to block traffic from reaching the 10.0.2.0/24 segment VLAN which is created on the Nortel switch.
I tried one ACL and applied it on trunk Gi0/26 in the inward direction, but it has no effect.
ACL :
ip access-list extended TEST
 permit ip 10.0.2.0 0.0.0.255 host 10.50.50.1
 permit ip 10.0.2.0 0.0.0.255 host 10.50.50.10
 permit ip 10.0.2.0 0.0.0.255 host 10.50.50.115
 permit ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
 permit udp any any
interface GigabitEthernet0/26
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2
 switchport trunk native vlan 2
 ip access-group TEST in
But it is not working; there is no effect from it.
Dear all, please suggest how I can do it. Is anything missing in my ACL config?
Please suggest.
Dipesh P.
01-13-2010 12:55 PM
Hello Dipesh,
follow Ganesh's suggestion about port based ACL
Hope to help
Giuseppe
11-29-2016 06:40 PM
I know that this is old, but the issue is likely that you applied the access list in the wrong direction. Most likely you would have needed to place the access list on the port accessing the network you want to restrict access from, in the out direction.
01-13-2010 02:41 AM
Hi,
For your problem I would suggest you configure port-based ACLs on the switch. Port ACLs are similar to router ACLs but are supported on physical interfaces and configured on Layer 2 interfaces of a switch. Port ACLs support only inbound traffic filtering. A port ACL can be configured as one of three types of access list: standard, extended, and MAC-extended.
Processing of a port ACL is similar to that of router ACLs: the switch examines the ACLs associated with features configured on a given interface and permits or denies packet forwarding based on the packet-matching criteria in the ACL.
When applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When applied to a port with a voice VLAN, the ACL filters traffic on both the data and voice VLANs.
The main benefit of port ACLs is that they can filter IP traffic (using IP access lists) and non-IP traffic (using MAC access lists). Both types of filtering can be applied at the same time: a Layer 2 interface can have both an IP access list and a MAC access list applied to it.
Check out the below link for configuring port-based ACLs; I hope that helps with your query!
Regards
Ganesh.H
01-14-2010 08:19 AM
Dear Ganesh / Giuseppe,
I understand port-based ACLs and tried to implement one as shown in my previous post. But it is not working.
Can you help me make it work? Is there any error in it?
Regards,
01-15-2010 03:18 AM
Hi Dipesh,
As per your requirement below:
10.0.0.1 to 10.0.0.10 can access the 10.0.254.0 segment
10.0.190.50 can access the 10.0.254.0 segment
The 10.0.255.0 segment can access the 10.0.254.0 segment
and as per the diagram, traffic from 10.0.0.1-10.0.0.10 to 10.0.254.0 comes in on one port, 10.0.190.50 comes in on a different port, and 10.0.255.0 comes in on yet another port.
I would suggest you create three different ACLs and apply them in the "in" direction on the ports where that traffic enters the distribution switch.
Hope that clears your query!
Regards
Ganesh.H
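Putting Ganesh's port-ACL advice and the later note about direction together, the following is an added example (not posted by anyone in the thread): a small Python evaluator for IOS-style wildcard-mask ACLs that checks Dipesh's four access rules against a constructed ACL applied inbound on the uplink from the backbone, and models why an inbound port ACL on the downlink to the Nortel switch only ever inspects the reply packets leaving the protected segment. The ACL name PROTECT-10-0-254, the /24 mask on 10.0.254.0, the sample hosts 10.0.254.7, 10.50.50.99 and 10.0.2.5, and the simplification that all backbone traffic enters Dist 1 on one port (Gi0/25) are assumptions; in Dipesh's real topology the three sources arrive on different ports, so per Ganesh the same entries would be split across one ACL per ingress port.

```python
"""Wildcard-mask ACL evaluator modelling the thread's scenario (constructed example)."""
import ipaddress

# Constructed ACL for the port where backbone traffic enters Dist 1 (Gi0/25 in the thread),
# applied inbound. It restricts only packets *destined to* 10.0.254.0/24 (the segment behind
# the Nortel Dist 2 is assumed to be a /24); the closing 'permit ip any any' keeps all other
# traffic flowing instead of dropping it in the implicit deny at the end of the ACL.
ALLOWED_HOSTS = [f"10.0.0.{i}" for i in range(1, 11)] + ["10.0.190.50"]
ACL_UPLINK_IN = "ip access-list extended PROTECT-10-0-254\n"
ACL_UPLINK_IN += " remark wildcard masks cannot express 10.0.0.1-10 exactly, so list each host\n"
for host in ALLOWED_HOSTS:
    ACL_UPLINK_IN += f" permit ip host {host} 10.0.254.0 0.0.0.255\n"
ACL_UPLINK_IN += """ permit ip 10.0.255.0 0.0.0.255 10.0.254.0 0.0.0.255
 deny ip any 10.0.254.0 0.0.0.255
 permit ip any any
"""

# The ACL Dipesh posted (his example uses segment 10.0.2.0/24), kept for comparison.
ACL_TEST_POSTED = """ip access-list extended TEST
 permit ip 10.0.2.0 0.0.0.255 host 10.50.50.1
 permit ip 10.0.2.0 0.0.0.255 host 10.50.50.10
 permit ip 10.0.2.0 0.0.0.255 host 10.50.50.115
 permit ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
 permit udp any any
"""


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' into (base, wildcard) ints."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok[i]))
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    return (base, wildcard), i + 2


def parse_acl(text):
    """Return [(action, proto, src_spec, dst_spec)] for the permit/deny lines of an ACL."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # ACL header, remark or blank line
        src, i = _addr(tok, 2)
        dst, _ = _addr(tok, i)
        entries.append((tok[0], tok[1], src, dst))
    return entries


def _matches(spec, ip):
    base, wildcard = spec
    # A wildcard bit of 1 means "don't care": only bits where the wildcard is 0 must equal the base.
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard) == 0


def evaluate(entries, proto, src, dst):
    """First-match evaluation with IOS's implicit deny when no entry matches."""
    for action, eproto, esrc, edst in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if _matches(esrc, src) and _matches(edst, dst):
            return action
    return "deny"


def packet_seen_inbound(port, proto, backbone_host, segment_host):
    """Which packet of a backbone<->segment flow an *inbound* port ACL on Dist 1 inspects.

    Port ACLs filter inbound only, so on the uplink (Gi0/25) the ACL sees the request coming
    from the backbone, while on the downlink to Dist 2 (Gi0/26) it only ever sees the reply
    leaving the segment; the request exits that port without passing an inbound ACL.
    """
    if port == "uplink":
        return (proto, backbone_host, segment_host)
    return (proto, segment_host, backbone_host)


def check_requirement():
    """Evaluate the thread's access rules against ACL_UPLINK_IN applied inbound on Gi0/25."""
    acl = parse_acl(ACL_UPLINK_IN)
    cases = [
        ("10.0.0.3", "10.0.254.7"),     # inside the 10.0.0.1-10 range
        ("10.0.0.11", "10.0.254.7"),    # just outside it
        ("10.0.190.50", "10.0.254.7"),
        ("10.0.255.9", "10.0.254.7"),   # anywhere in 10.0.255.0/24
        ("10.50.50.99", "10.0.254.7"),  # everyone else is blocked ...
        ("10.50.50.99", "10.0.3.4"),    # ... but unrelated destinations are untouched
    ]
    return {f"{s}->{d}": evaluate(acl, *packet_seen_inbound("uplink", "tcp", s, d))
            for s, d in cases}


def posted_acl_on_downlink():
    """The posted TEST ACL inbound on Gi0/26 never inspects the backbone->segment request;
    it only sees replies, which match nothing but 'permit udp any any'."""
    acl = parse_acl(ACL_TEST_POSTED)
    return {proto: evaluate(acl, *packet_seen_inbound("downlink", proto, "10.50.50.99", "10.0.2.5"))
            for proto in ("tcp", "udp")}


if __name__ == "__main__":
    for flow, verdict in check_requirement().items():
        print(f"{flow:28} {verdict}")
    print("posted TEST ACL inbound on downlink, reply packets:", posted_acl_on_downlink())
```

The explicit `deny ip any 10.0.254.0 0.0.0.255` followed by `permit ip any any` is the part most often forgotten: a port ACL applies to every packet entering that trunk on every VLAN, so an ACL that lists only the permitted flows silently drops all other traffic crossing the port.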