Switch ACL

jparnold.907
Level 1

Good Evening,

I am attempting to create an ACL to block all traffic from WorkstationA to WorkstationB but allow everything else through.  In this environment I only have rights to modify the configuration on SwitchB which is a 3750x running an IPbase image. I have already given this a few shots but I can't seem to get this one.

Here is an example:

I have tried the following on switch B:

ip access-list extended BLOCKA
 deny ip host 192.168.1.20 any
 permit ip any any

----

(conf int port that WorkstationB resides on)
 ip access-group BLOCKA in

 

Is there any way to make this work when you only have access to SwitchB in this example?

Thank you in advance!

6 Replies

kcnajaf
Level 7

Hi,

Try applying the ACL on the interface of router B that connects to router A. As per your ACL, the source is workstation A's IP address, and this will be blocked as it enters router B since you have placed the ACL in the inbound direction.

Hope that helps.

Regards,
Najaf

Thank you for the reply, Najaf. Unfortunately I only have access to configure SwitchB. I have no control over any other devices in the topology. Any other ideas?

Sorry,

My mistake. I read it as you having access to router B and not switch B :-(

Since you have your switch configured as L2, your ACL will not have any effect.

 

 

Reza Sharifi
Hall of Fame

Hi,

Is switch-B a layer-2 or a layer-3 device?

If it is layer-2, your ACL is not going to block host-A.

HTH

Thank you for the reply, Reza. This 3750X is running the IP Base image but is not really performing any Layer 3 functions. It is just hanging off of RouterB, which is handling all Layer 3.

You should use a VLAN ACL (VACL) to achieve the desired result on the switch. Since it is a 3750-X, it supports VACLs.

The config can be as follows:

 

ip access-list extended BLOCK_A
 permit ip host <source-ip> host <dest-ip>

ip access-list extended PERMIT_ANY
 permit ip any any

vlan access-map A_To_B 10
 match ip address BLOCK_A
 action drop

vlan access-map A_To_B 20
 match ip address PERMIT_ANY
 action forward

vlan filter A_To_B vlan-list <source-vlan-id>

 

Reply to me if it solves your issue.
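The VACL suggestion above written out as a complete, annotated configuration for SwitchB. This is an added example and is not from any poster in this thread: it uses the 192.168.1.20 address for WorkstationA given in the question, assumes 192.168.1.30 for WorkstationB and VLAN 10 for both hosts (neither is stated in the thread), and goes slightly beyond the reply by also dropping the B-to-A direction so the block is symmetric. The show commands at the end are the standard IOS verification commands for VLAN maps.

```cisco
! Added example (not from the thread): VLAN map on SwitchB that drops
! traffic between WorkstationA and WorkstationB in both directions and
! forwards everything else.
! Assumptions: WorkstationA = 192.168.1.20 (from the question),
! WorkstationB = 192.168.1.30 (assumed placeholder), both hosts in
! VLAN 10 (assumed). Replace these with your own values.
!
! Step 1: ACL that *matches* the traffic to be dropped. Inside a VLAN
! map, "permit" in the ACL means "this packet matches the clause"; the
! drop is decided by the access-map action, not by the ACL itself.
ip access-list extended BLOCK_A_B
 remark WorkstationA -> WorkstationB
 permit ip host 192.168.1.20 host 192.168.1.30
 remark WorkstationB -> WorkstationA (symmetric block, assumed wanted)
 permit ip host 192.168.1.30 host 192.168.1.20
!
! Step 2: ACL that matches everything else.
ip access-list extended PERMIT_ANY
 permit ip any any
!
! Step 3: VLAN access-map. Sequence numbers are evaluated in order. A
! packet that matches no clause is dropped by the implicit deny at the
! end of the map, so the forward-all entry at sequence 20 is required.
vlan access-map A_To_B 10
 match ip address BLOCK_A_B
 action drop
vlan access-map A_To_B 20
 match ip address PERMIT_ANY
 action forward
!
! Step 4: bind the map to the VLAN the hosts share. A VLAN map filters
! traffic bridged within the VLAN as well as traffic routed into or out
! of it, so no per-port "ip access-group" is needed on SwitchB.
vlan filter A_To_B vlan-list 10
!
! Verification (exec mode):
!   show vlan access-map A_To_B   - lists the clauses and their actions
!   show vlan filter              - confirms the map is bound to VLAN 10
! Functional check: a ping from WorkstationA to WorkstationB should now
! fail while a ping from WorkstationA to any other host still succeeds.
```

Two points worth keeping in mind when adapting this: the clause order matters (a forward-all entry placed at sequence 10 would make the drop entry unreachable), and because the map is tied to the VLAN rather than to a port, it keeps working if either workstation is moved to another port in the same VLAN.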
