Is it possible to configure a 3560 switch to allow only a specific host to have access to all VLANs?

Dears,

I have configured the following VLANs on my 3560 Cisco switch:

  • VLAN 30
  • VLAN 40
  • VLAN 50

Inter-VLAN routing is allowed between them; however, I want to configure the switch to let a specific host have access to all VLANs, while all other hosts have connectivity only to the members of their own VLAN.

Any suggestions?

Best Regards,

Begad Ahmed

 


ACL?!

 


Yep, agree. A VACL is the only thing I can think of.


Yep, an extended ACL can work. If you are using VLAN interfaces on the same switch for inter-VLAN routing, you can apply your extended ACL on the VLAN interface; if you are using a router for inter-VLAN routing (router on a stick), you can apply your ACL there at the router.


Thanks all for your feedback. I want to create the ACL based on the MAC address of the host that should have access to all VLANs. Is it possible?

 

Best Regards,

Begad Ahmed

 


You can assign them static IP addresses, or you can bind their MAC addresses to specific IP addresses and then use those IPs in your ACL.

Hope it helps


Actually, I cannot use a static IP address, as this host will be moving between VLANs, but every time it is connected to any of the VLANs I want it to have access to all VLANs (30, 40 & 50).

For example, if this host is connected to VLAN 30, it will have an IP address in the range 10.0.30.0/24, and if it is connected to VLAN 40, it will have an IP address in the range 10.0.40.0/24.

That's why I want to configure the ACL based on the MAC address.

 

Best Regards,

Begad Ahmed

 

 


Yes, you can try that in your scenario ... one IP per host/MAC in each VLAN.


How can I configure an ACL based on the MAC address to fulfill my requirement?

 

Please advise.
 

Best Regards,

Begad Ahmed

 


As far as I know the ACL will be IP based, and you can only specify IP addresses to access specific IPs on a Cisco 3560. How many VLANs do you have? If two, then it's not much of an effort....


You can try:

Switch(config)# mac access-list extended simple-mac-acl
! 0000.0000.0011 is a placeholder; a MAC must be 12 hex digits in xxxx.xxxx.xxxx form
Switch(config-ext-macl)# permit host 0000.0000.0011 any
Switch(config-ext-macl)# exit
Switch(config)# interface gigabitEthernet 6/1
! MAC ACLs on a Layer 2 port are supported inbound only; "out" is not accepted
Switch(config-if)# mac access-group simple-mac-acl in
! Note: on the Catalyst 3560 a MAC extended ACL matches only non-IP frames, so
! this entry does not restrict the host's IPv4 traffic; IP traffic needs an IP ACL

 


Thanks for the info. ... I never tried that before, will try it now!

:)


When I checked the reply chain: maybe private VLANs are a way for you?

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swpvlan.html

 


This will work if the filtering is based on IP address (I think it will be a good choice compared to MAC based).


Let's say that the special host is 192.168.30.100 from VLAN 30,
and the networks are:

vlan 30 - 192.168.30.0/24
vlan 40 - 192.168.40.0/24
vlan 50 - 192.168.50.0/24

ip access-list extended 101
 ! the special host may talk to anything
 permit ip host 192.168.30.100 any
 ! and anything may answer it; without this, replies from hosts in other
 ! VLANs arriving on their own SVI would hit the implicit deny
 permit ip any host 192.168.30.100
 ! intra-VLAN traffic (IOS ACLs take wildcard masks, not subnet masks)
 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
 ! everything else between VLANs is dropped by the implicit deny

! applied inbound as a router ACL on each SVI; a route-map with no "set"
! clause under "ip policy route-map" routes normally and filters nothing
interface Vlan30
 ip access-group 101 in

interface Vlan40
 ip access-group 101 in

interface Vlan50
 ip access-group 101 in

 

Hope this will help you somehow.

P.S.: Please mark it as the correct answer if so.

 

Regards

Suresh


This is exactly what I want to do, but I want to configure the ACL based on the MAC address of the host, as I don't want to configure a static IP address for this host.

Is it possible?

 

Best Regards,

Begad Ahmed
