03-13-2015 06:05 AM - edited 03-07-2019 11:04 PM
Dears,
I have configured the following VLANs on my 3560 Cisco switch :
Inter-VLAN routing is allowed between them; however, I want to configure the switch to let a specific host have access to all VLANs while all other hosts only have connectivity to the members of their own VLANs.
Any suggestions ???
Best Regards,
Begad Ahmed
03-13-2015 06:58 AM
ACL?!
03-13-2015 08:00 AM
Yep, Agree. VACL is the only thing I can think of.
03-13-2015 09:02 AM
Yep, an extended ACL can work. If you are using VLAN interfaces on the same switch for inter-VLAN routing, you can apply your extended ACL on the VLAN interface; if you are using a router for inter-VLAN routing (router on a stick), you can apply your ACL there at the router.
03-13-2015 09:45 AM
Thanks all for your feedback. I want to create the ACL based on the MAC address of the host that should have access to all VLANs. Is it possible???
Best Regards,
Begad Ahmed
03-13-2015 09:56 AM
You can assign them static IP addresses, or you can bind their MAC addresses to specific IP addresses and then use those IPs in your ACL ....
Hope it helps
03-13-2015 10:39 AM
Actually, I cannot use a static IP address, as this host will be moving between VLANs, but every time it is connected to any of the VLANs I want it to have access to all VLANs (30, 40 & 50).
For example, if this host is connected to VLAN 30, it will have an IP address in the range 10.0.30.0/24, and if it is connected to VLAN 40, it will have an IP address in the range 10.0.40.0/24.
That's why I want to configure the ACL based on the MAC address.
Best Regards,
Begad Ahmed
03-13-2015 10:40 AM
Yes, you can try that in your scenario ... one IP per host/MAC in each VLAN.
03-13-2015 10:43 AM
How can I configure an ACL based on the MAC address to fulfill my requirement???
Please advise??!!
Best Regards,
Begad Ahmed
03-13-2015 10:47 AM
As far as I know, the ACL will be IP based, and you can only specify IP addresses to access specific IPs on a Cisco 3560. How many VLANs do you have? If two, then it's not much of an effort....
03-13-2015 01:58 PM
You can try:
Switch(config)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 0000.0000.0011 any
Switch(config)# interface gigabitEthernet 6/1
! On the 3560 a MAC ACL is applied inbound on a Layer 2 interface and filters non-IP traffic only
Switch(config-if)# mac access-group simple-mac-acl in
03-14-2015 04:55 AM
Thanks for the info ... I never tried that before, will try now!
:)
03-13-2015 12:42 PM
When I checked the reply chain, maybe private VLANs are a way for you?
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swpvlan.html
03-14-2015 03:44 AM
This will work if the filtering is based on IP address (I think it will be a good choice compared to MAC based).
Let's say that the special host is 192.168.30.100 from VLAN 30
and the networks are
vlan 30 - 192.168.30.0/24
vlan 40 - 192.168.40.0/24
vlan 50 - 192.168.50.0/24
access-list 101 permit ip host 192.168.30.100 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
route-map RM_101 permit 10
match ip address 101
int vlan 30
ip policy route-map RM_101
int vlan 40
ip policy route-map RM_101
int vlan 50
ip policy route-map RM_101
Hope this will help you somehow.
P.S.: Please mark it as the correct answer if so.
Regards
Suresh
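An added example, mine and not any poster's: a small Python model of the IP-ACL approach in this thread, assuming the special host gets a fixed address in each VLAN (.100 here, a constructed value, via a static address or a MAC-keyed DHCP reservation as suggested above). It checks sample flows against the rules, including the implicit deny, and renders the equivalent IOS access-list lines.

```python
from ipaddress import ip_address, ip_network

# Constructed to match the thread: VLANs 30/40/50 with /24 networks.
VLANS = {
    30: ip_network("192.168.30.0/24"),
    40: ip_network("192.168.40.0/24"),
    50: ip_network("192.168.50.0/24"),
}

# Assumed: the special host holds a fixed per-VLAN address (static or a
# DHCP reservation keyed on its MAC); an IP ACL cannot match on MAC.
SPECIAL_HOST = {
    30: ip_address("192.168.30.100"),
    40: ip_address("192.168.40.100"),
    50: ip_address("192.168.50.100"),
}

ANY = ip_network("0.0.0.0/0")


def build_acl():
    """Ordered list of (action, src_net, dst_net); first match wins."""
    acl = [("permit", ip_network(f"{h}/32"), ANY) for h in SPECIAL_HOST.values()]
    acl += [("permit", net, net) for net in VLANS.values()]  # intra-VLAN stays open
    return acl  # anything else falls through to the implicit deny


def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a flow, like an inbound ACL on the SVI."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"  # every IOS ACL ends with an implicit deny


def ios_lines(acl, number=101):
    """Render as numbered extended ACL lines (wildcard masks, not subnet masks).
    Apply with 'ip access-group 101 in' on each SVI (interface vlan 30/40/50)."""
    lines = []
    for action, s, d in acl:
        src = f"host {s.network_address}" if s.prefixlen == 32 else f"{s.network_address} {s.hostmask}"
        dst = "any" if d.prefixlen == 0 else f"{d.network_address} {d.hostmask}"
        lines.append(f"access-list {number} {action} ip {src} {dst}")
    return lines


if __name__ == "__main__":
    acl = build_acl()
    print("\n".join(ios_lines(acl)))
    print(evaluate(acl, "192.168.30.7", "192.168.40.5"))  # deny: ordinary host crossing VLANs
```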
03-14-2015 03:59 AM
This is exactly what I want to do, but I want to configure the ACL based on the MAC address of the host, as I don't want to configure a static IP address for this host.
Is it possible???
Best Regards,
Begad Ahmed