04-12-2013 06:23 AM - edited 03-07-2019 12:47 PM
Hi guys,
I'm a noob, so please don't mind any eventual mistakes.
What is the correct way to set up this:
1. Only Computer A should be able to access Computer B. Computer A can also access anything that it demands.
2. Computer B should access ONLY Computer A.
3. All the other traffic should be left intact, i.e. forwarded.
Computer A and Computer B belong to the same VLAN 1. The device is Catalyst 2960.
Thanks,
stipes.
04-12-2013 07:21 AM
Give this a try:
ComputerA = 192.168.1.1
ComputerB = 192.168.1.2
! ACL 101 selects the traffic that the VACL will drop:
! B -> A is excluded (deny), B -> anything else is selected (permit)
access-list 101 deny ip host 192.168.1.2 host 192.168.1.1
access-list 101 permit ip host 192.168.1.2 any
! sequence 10 drops what ACL 101 permits, sequence 20 forwards everything else
vlan access-map Allowed 10
 match ip address 101
 action drop
vlan access-map Allowed 20
 action forward
vlan filter Allowed vlan-list 1
HTH,
John
*** Please rate all useful posts ***
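An added check, not from any poster, that models how the switch evaluates the VACL above (first-match ACL, sequences tried in order, a permit match in the ACL selects the sequence's action, implicit drop if no sequence matches). The addresses are the ones John assumed plus a constructed third host; it shows that B can only reach A, but that nothing in this config stops other hosts reaching B.

```python
from dataclasses import dataclass
from typing import Optional

# hosts from John's post plus one constructed "other" host on the same VLAN
A, B, OTHER = "192.168.1.1", "192.168.1.2", "192.168.1.50"


@dataclass
class Ace:
    permit: bool
    src: Optional[str]  # None means "any"
    dst: Optional[str]


# access-list 101 as posted: deny B->A, permit B->any (plus the implicit deny)
ACL_101 = [Ace(False, B, A), Ace(True, B, None)]

# vlan access-map Allowed: seq 10 (match ACL 101 -> drop), seq 20 (no match -> forward)
ACCESS_MAP = [(ACL_101, "drop"), (None, "forward")]


def acl_selects(acl, src, dst):
    """First-match ACE lookup. Only a *permit* hit selects the VACL sequence;
    a deny hit or the implicit deny means the sequence does not apply."""
    for ace in acl:
        if ace.src in (None, src) and ace.dst in (None, dst):
            return ace.permit
    return False


def vacl_action(src, dst):
    """Action the VACL applies to a unicast IP flow from src to dst."""
    for acl, action in ACCESS_MAP:
        if acl is None or acl_selects(acl, src, dst):
            return action
    return "drop"  # no sequence matched: VACL default is drop


def policy_report():
    flows = {"A->B": (A, B), "B->A": (B, A), "A->other": (A, OTHER),
             "B->other": (B, OTHER), "other->B": (OTHER, B)}
    return {name: vacl_action(s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for flow, action in policy_report().items():
        print(f"{flow:10} {action}")
```

Requirement 2 (B talks only to A) holds, but "other->B" comes back as forward, so requirement 1 (only A may reach B) needs a further ACL entry or, as suggested later in the thread, private VLANs.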
04-12-2013 08:56 AM
Thanks, but I'd like to do it at Layer 2, like a MAC access-map.
04-12-2013 09:10 AM
Hi Stipe,
Please find the link below and let me know if this is helpful;
Regards
Inayath
*Please rate all useful posts.
04-12-2013 09:15 AM
Thanks, but I saw these before.
I would just like some sample code because I can't find it online.
I tried something myself but it didn't work.
04-12-2013 11:50 AM
Hello Stipe,
I hope I did not make a mistake.
MAC PC_A: aaaa.aaaa.aaaa
MAC PC_B: bbbb.bbbb.bbbb
! MAC ACL selecting the frames the VACL will drop: everything to or from PC_B
! except the PC_A <-> PC_B pair
mac access-list extended PCB
 deny host aaaa.aaaa.aaaa host bbbb.bbbb.bbbb
 deny host bbbb.bbbb.bbbb host aaaa.aaaa.aaaa
 permit host bbbb.bbbb.bbbb any
 permit any host bbbb.bbbb.bbbb
! sequence 1 drops what the MAC ACL permits, sequence 2 forwards the rest
vlan access-map FILTER 1
 match mac address PCB
 action drop
vlan access-map FILTER 2
 action forward
vlan filter FILTER vlan-list 1
Best Regards
Please rate all helpful posts and close solved questions
04-13-2013 03:42 AM
Hi blau grana, thanks for your reply.
I tried your suggestion and it didn't work. It blocked ALL the traffic directed towards and from PC B.
After applying it I couldn't access PC B from any computer.
I double checked the MAC address so I'm certain I got nothing wrong there.
04-13-2013 09:52 AM
At least the switches I worked with did not support MAC ACLs for IPv4 (0800) traffic; only non-IP traffic could be blocked. The reason why your VACL is blocking all traffic is that ARP packets are non-IP and are being dropped. MAC ACLs are very dangerous for networks, as they easily kill control plane traffic like BPDUs and LSAs.
You need to use John Blakley's approach or even better use private vlans.
04-13-2013 10:39 AM
Hello Stipe,
Pille is right, I completely forgot that MAC ACLs can be used only for non-IP traffic. You have to use a VLAN ACL, but with IP address definitions.
Try to use John's solution, although I am not entirely sure if ACL 101 is correct.
Best Regards
Please rate all helpful posts and close solved questions
04-13-2013 05:47 PM
Hi guys,
thanks for the replies.
I tried the IP ACLs and they did work, but they weren't completely satisfactory in the sense that my device is still visible at pure Layer 2 (a network scanner could easily find it), so I just added the following to the end of my MAC ACL.
0x806 0x0
and it worked.
As I read on the Internet, this should block the ARP packets, so I guess IP ACLs aren't necessary after blocking ARP packets, right?
04-14-2013 01:02 AM
I guess IP ACLs aren't necessary after blocking ARP packets, right?
Theoretically yes, but if you block ARP packets, hosts will not be able to find out the MAC of another host. Let's say that someone statically configures an ARP IP-address binding; then the hosts can communicate with each other with no problem.
I think you should deny communication with an ACL, as John suggested in his first post.
Best Regards
Please rate all helpful posts and close solved questions
04-14-2013 05:21 AM
As I read on the Internet, this should block the ARP packets, so I guess IP ACLs aren't necessary after blocking ARP packets, right?
No. There are other ways of filling the ARP table, like reading unicast flooded packets, DHCP requests or manual IP-MAC bindings. If you are fearful of Layer 2 attacks, use your own subnet or private VLANs.