Buy or Renew
Buy or Renew
Notice: The file download function is disabled. We apologize for the inconvenience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
950
Views
20
Helpful
9
Replies

Switch 2960G - unable to put an ACL in OUT. The switch can only do IN.

pbridoux
Level 1
Level 1

‎02-07-2018 02:43 AM - edited ‎03-08-2019 01:44 PM

Hello,

On a switch in production, we have 3 PLC (Programmable Logic Controller) very sensitive. They are each connected to an interface rj45 of this switch.

For some time, the engineers who manage these PLCs have problems.

By sniffing one of the PLC, the traffic is very abundant of all kinds (ARP request, printer multicast, ...).

I wanted to restrict the traffic by letting only certain IP addresses pass. But ACLs are IN only.

My question: how to block in OUT? (new switch, license ...).
At this point in the network, I only need a switch with 6 rj45 interfaces and 2 sfp optical fiber interfaces. Network level, the switch is in a loop (redundancy) of spanning-tree (trunk) with several vlan.

Here is the detail of the switch (show version):
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Release 12.2 (58) SE2, RELEASE SOFTWARE (fc1)

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Release 12.2 (44) SE5, RELEASE SOFTWARE (fc1)

BT2C253 uptime is 1 year, 25 weeks, 3 days, 18 hours, 2 minutes
System returned to ROM by power-on
System restarted at 17:40:51 UTC Fri Aug 12 2016
System image file is "flash: c2960-lanbasek9-mz.122-58.SE2 / c2960-lanbasek9-mz.122-58.SE2.bin"

cisco WS-C2960G-24TC-L (PowerPC405) processor (D0 revision) with 65536K bytes of memory.
Model number: WS-C2960G-24TC-L
------ ----- ----- ---------- ----------
* 1 24 WS-C2960G-24TC-L 12.2 (58) SE2 C2960-LANBASEK9-M

 

=> You'll understand, I use google translate. Indulgence please

Labels:
0 Helpful
9 Replies 9

Deepak Kumar
VIP Alumni
VIP Alumni

‎02-07-2018 04:10 AM

Hi,

I can see your switch is having LAN base Image but for required ACL configuration minimum you need IP Base Image on your switch. So it is possible in your switch with the current image.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

pbridoux
Level 1
Level 1
In response to Deepak Kumar

‎02-07-2018 04:45 AM

Hi Kumar,

Indeed, it has a LANBASE image.

Can I install an IPBASE image on this switch?

No problem level license?

BR
0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to pbridoux

‎02-07-2018 04:55 AM

No, It's not possible. You have to go with another hardware.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

pbridoux
Level 1
Level 1
In response to Deepak Kumar

‎02-07-2018 06:27 AM

I just unpacked a 3750X-12S-S (IPBASE) and put it at the last available update 15.2 (4) E5

Config mode on an interface: IP ACCESS-GROUP XYZ ?
And it answers me: IN ! not OUT (?)

I turn on IP ROUTING, same thing.

Do I have to do anything specific before I want to use OUTbound ACLs?

In the meantime, I go to the stock to look for an IPservices model, just to test.

philippe
0 Helpful

pbridoux
Level 1
Level 1
In response to pbridoux

‎02-07-2018 07:08 AM

I unpacked a 3750G-12S-E

Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE4

oh surprise ...

Switch(config)#interf gi1/0/1
Switch(config-if)#ip access-group 100 ?
in inbound packets ===========> outbound packets ?

Switch(config-if)#

 

I connect on switch WS-C3850-12S 

Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.05SE

License Level: Ipservices
License Type: Permanent
Next reload license Level: Ipservices

 

AEBR01(config)#interf GI2/0/8
AEBR01(config-if)#ip access-group XYZ ?
in inbound packets
out outbound packets

AEBR01(config-if)#

 

Well, now it's okay.
But, the switch is too expensive to go to the factory, it is specifically the type of machine that is used as core of the network.

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to pbridoux

‎02-07-2018 07:55 AM

Apply ACL in L3 interface as L3 physical interface witch required No switchport command to convert from L2 to L3 or in the VLAN interface.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Diana Karolina Rojas
Cisco Employee
Cisco Employee
In response to pbridoux

‎02-07-2018 07:09 AM

Hello pbridoux,

 

Switchports only permit inbound ACL, in your 3750X you have to enable IP routing and also configure your interface as a layer 3 interface with the  "no switchport"command in order to use an outbound ACL. Try this and tell me the result.

 

---DO NOT FORGET TO RATE USEFUL POST---

 

Regards,

pbridoux
Level 1
Level 1
In response to Diana Karolina Rojas

‎02-07-2018 07:37 AM

Hello Diana,

I tried ... and you're right.
But, what are the restrictions of a "no switchport" interface?

Can I put a PLC (very specific Siemens S5 or S7 type system) that can communicate only with MAC-address?

BR

philippe
0 Helpful

Diana Karolina Rojas
Cisco Employee
Cisco Employee
In response to pbridoux

‎02-07-2018 07:54 AM - edited ‎02-07-2018 07:54 AM

The restrictions are that is a IP/routable interface, so you have to assign an IP address to it, so you can not see the network at layer 2. Have you considered use a MAC ADDRESS ACL?

 

Regards,

Customers Also Viewed These Support Documents