Req: Deny ip address range per interface by name access-list

csawest.dc
Level 3

Dear Experts,

I need to deny an IP address range per interface on a Cisco 3550 48-port switch, using a named access-list.

My diagram is given below.


interface Port 1 uplink
interface Port 2 uplink

interface port 3 to 48 connected with different IP DSLAMs to different customers.

interface port 3 customers ip range from 172.16.47.1 to 254
interface port 4 customers ip range from 172.16.51.1 to 254
interface port 5 customers ip range from 172.16.49.1 to 254

all the interface ports are in same VLAN (Vlan-2)

I need:
on interface port 3, deny IP range 172.16.51.1 to 254 (which is port 4 customers) and 172.16.49.1 to 254 (which is port 5 customers)
on interface port 4, deny IP range 172.16.47.1 to 254 (which is port 3 customers) and 172.16.49.1 to 254 (which is port 5 customers)
on interface port 5, deny IP range 172.16.47.1 to 254 (which is port 3 customers) and 172.16.51.1 to 254 (which is port 4 customers)

How can I make a named access-list to deny IP addresses per interface?

We assigned all the IP addresses on the customers' PCs, not in the Cisco 3550 switch.

So how can I deny IP addresses by access-list: on interface port 3 deny the IP ranges of interface ports 4 and 5, and on interface port 4 deny the IP ranges of ports 3 and 5?


So please help me regarding the above-mentioned details.

Thanks in ADV,

Vaib...


Dear Ganesh,

Please help me with my last confusion, which is:

But sir, suppose port 3 customers (Sanchar) are given an IP address from the port 4 range (AD); then they can still access both servers, because all the ports are in the same VLAN and are configured to access both server IPs. That is why

I need that, if port 3 customers are given an IP address from the port 4 range by mistake, they cannot access either server; that is why I need the

below-mentioned command. I don't know whether it really needs to be applied or not.

Should I apply "ip access-group xxxx in" on each interface?

What do you suggest to me??

Please guide me.

Thanks in ADV,

Vaib...

Sorry Vaibhav,

Got stuck in a meeting, that's why I was unable to answer your query. First, clarify for me how the port 3 user will get the IP address of the port 4 users.

And as your config also says, port 3, port 4 and port 5 users need to access only the above-said servers.

And the ip access-group command needs to be applied on an interface; here all your switch ports are L2 ports. So my suggestion is: you have created 3 ACLs for the three ports' customer IP addresses, permitting the two servers.

Apply the VLAN access-map on VLAN 2 and check that those particular IPs are only talking to the servers, and not to other ports' user IP addresses either.

Once you face any issue after applying the VLAN access-map on the VLAN, to roll back or delete the VLAN access-map just remove it from the VLAN where you applied it.

"no vlan filter vlan 2" will be the command to restore the current traffic flow as usual.

Hope that clears your query !!

Regards

Ganesh.H

Dear Ganesh,

You are a gentleman!!!

Now I have two queries:

1. Some of the users have access from their office and also from home, with the same IP and their user ID.

  Their office is connected to port 3 and their home is connected to port 5.

  Now we are planning to stop it: they should not be able to connect with the same IP from both ports, but only be permitted when they connect on the particular port where that IP is permitted.

2. These days we are facing a huge problem when flooding occurs from our customers, or a loop is generated by mistake in the local switch at the customer's end.

The problem is that when flooding occurs from any port, our server hangs or becomes slow at that time and it affects all our customers; they are not able to ping our server.

So how can we stop or control it per port, so that when flooding occurs that port shuts down and there is no effect on other customers?

At present on the Cisco 3550 more than 60 users are connected per port.

So how can I solve this issue, to control or stop flooding or loops? I need maximum security per port.

Thanks in ADV,

Vaib...

Dear Vaibhav,

For the below-mentioned query I suggest not going with a VLAN access-map, as the VLAN access-map will filter the traffic per the ACL match regardless of which port the traffic is coming into the VLAN from.

Check out the following links for port-based ACLs and storm-control methods in switches, for both of the queries you have asked.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/sec_ipacls.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_se/configuration/guide/swtrafc.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swv6acl.html

Hope this resolves your query !!

Regards

Ganesh.H

Dear Ganesh,

Please check my configuration templates on the Cisco 3550 for ports 3 to 48, which are connected to DSLAMs, except ports 1 and 2, which are both uplink ports connected to both servers.

What do you suggest about my below config templates??? Does anything need to change??

CONFIGURATION IN  GLOBAL MODE :

mac access-list extended Block-Invalid-Frames
deny any host 0180.c200.0000
deny any host 0180.c200.0001
deny any host 0180.c200.0002
deny any host 0180.c200.0003
deny any host 0100.0c00.0000
deny any host 0100.0ccc.cccc
deny any host 0100.0ccc.cccd
deny any host 0100.0ccd.cdce
deny any host 0100.0ccd.cdd0
permit any any

For Sanchar DSLAM on port 3

ip access-list extended Sanchar
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.45.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.28.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 1
-map#match ip address Sanchar
-map#action forward

For AD DSLAM on port 4

ip access-list extended AD
permit ip 172.16.47.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.47.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.30.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.30.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 2
-map#match ip address AD
-map#action forward

 
For TELECOM DSLAM on port 5

ip access-list extended TELECOM
permit ip 172.16.49.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.49.0  0.0.0.255 host 172.16.0.2
permit ip 172.16.32.0  0.0.0.255 host 172.16.0.1
permit ip 172.16.32.0  0.0.0.255 host 172.16.0.2
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.1
permit ip 192.168.1.0  0.0.0.255 host 172.16.0.2
deny ip any any

config#vlan access-map Permittedips 3
-map#match ip address TELECOM
-map#action forward


vlan filter Permittedips vlan-list 2

CONFIGURATION IN INTERFACE MODE :

interface FastEthernet0/3
switchport mode access
switchport access vlan 2
switchport protected
switchport port-security
switchport port-security maximum 60
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 5.00 2.00
switchport block multicast
switchport block unicast
storm-control action trap
mac access-group Block-Invalid-Frames in
ip access-group Sanchar in
no cdp enable

interface FastEthernet0/4
switchport mode access
switchport access vlan 2
switchport protected
switchport port-security
switchport port-security maximum 60
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 5.00 2.00
switchport block multicast
switchport block unicast
storm-control action trap
mac access-group Block-Invalid-Frames in
ip access-group AD in
no cdp enable

interface FastEthernet0/5
switchport mode access
switchport access vlan 2
switchport protected
switchport port-security
switchport port-security maximum 60
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 5.00 2.00
switchport block multicast
switchport block unicast
storm-control action trap
mac access-group Block-Invalid-Frames in
ip access-group TELECOM in
no cdp enable

Please help me regarding the above-mentioned config templates.

Thanks once again!!!

Vaib...
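To make the two requests in this thread concrete (the first post's "deny the other ports' ranges on each port" ACL, and the per-DSLAM permit-only templates posted above), here is an added Python example; it is not code from the thread or from Cisco, and the switch never runs Python. It builds the per-port deny-style named ACLs from a port-to-subnet map using IOS wildcard notation, and it evaluates a source/destination pair against the Sanchar template with first-match semantics and the implicit deny that ends every IOS ACL, so you can check offline which customer addresses a template will pass before applying it. The Sanchar ACL text below is constructed from the template in the post; the `PORT<n>-IN` names and the sample addresses are assumptions for illustration.

```python
import ipaddress

# Constructed from the ACL template posted in this thread (not taken from a live switch).
SANCHAR_ACL = """\
ip access-list extended Sanchar
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.45.0 0.0.0.255 host 172.16.0.2
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.1
 permit ip 172.16.28.0 0.0.0.255 host 172.16.0.2
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.0.2
 deny ip any any
"""


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns ((network_int, mask_int), index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        addr = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (addr, 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard_bits = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = 0xFFFFFFFF ^ wildcard_bits  # IOS wildcard bits are the inverse of a netmask
    return (addr & mask, mask), i + 2


def parse_acl(text):
    """Return (name, [(action, src_spec, dst_spec), ...]) for one 'ip access-list extended' block."""
    name = None
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, nxt = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, nxt)
        entries.append((action, src, dst))
    return name, entries


def _matches(spec, addr):
    net, mask = spec
    return (addr & mask) == net


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, src, dst in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"


def wildcard(cidr):
    """Convert a CIDR prefix to IOS 'network wildcard' notation, e.g. 172.16.51.0 0.0.0.255."""
    net = ipaddress.IPv4Network(cidr)
    return f"{net.network_address} {net.hostmask}"


def build_port_acls(port_ranges):
    """The first post's request: on each port deny every other port's customer range, permit the rest.
    ACL names PORT<n>-IN are an assumption for this example."""
    acls = {}
    for port, cidr in port_ranges.items():
        lines = [f"ip access-list extended PORT{port}-IN"]
        for other_port, other_cidr in port_ranges.items():
            if other_port != port:
                lines.append(f" deny ip {wildcard(other_cidr)} any")
        lines.append(" permit ip any any")
        acls[port] = "\n".join(lines)
    return acls


if __name__ == "__main__":
    name, entries = parse_acl(SANCHAR_ACL)
    print(name, evaluate(entries, "172.16.45.10", "172.16.0.1"))  # own range to server: permit
    print(name, evaluate(entries, "172.16.47.10", "172.16.0.1"))  # AD's range on the Sanchar port: deny
    # Ranges from the first post: port 3 = 172.16.47.0/24, port 4 = 172.16.51.0/24, port 5 = 172.16.49.0/24
    for acl in build_port_acls({3: "172.16.47.0/24", 4: "172.16.51.0/24", 5: "172.16.49.0/24"}).values():
        print(acl)
```

Note that named ACL references in IOS are case-sensitive, so the name in `ip access-group` or `match ip address` must match the `ip access-list extended` line exactly; `parse_acl` returns the name as written so it can be compared before the config is pasted in.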

Hi Vaibhav,

It should work; just check the deny mac-address entries, as you are applying them on all interfaces, because the ACL-permitted IPs do not have the same MAC address.

Before doing any changes take a complete backup of the switch and also have a roll-back plan in hand.

All the best  !!

Regards

Ganesh.H

Dear Ganesh,

OK sir, I will try to do this within a couple of days and then let you know what happened.

Anyway, thanks a lot for your great support.

Have a Nice day!!!

Cheers!!!

Vaib...