Switch VLAN ACL Basic question
satishtech
Member Posts: 243
in CCNA & CCENT
Created an ACL on a Switch and applied it to the VLAN Interface.
I cannot filter traffic to the connected gateway router.
PC (192.168.1.3) --- Switch (VLAN 1: 192.168.1.10) --- Router (192.168.1.1)
I am able to filter traffic to the switch.
ACL on Switch:
access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
access-list 101 permit ip any any
interface Vlan1
ip address 192.168.1.10 255.255.255.0
ip access-group 101 in
SSH is configured on Router.
Comments
-
pinkiaiii Member Posts: 216
Not sure, but it seems the trouble would be with the first ACL line.
A simpler way would have been just to say deny ip host 192.168.3.1 and 1.1, and a third line permit any, while using wildcard masks on those two addresses.
-
GDaines Member Posts: 273
satishtech wrote: »Created an ACL on a Switch and applied it to the VLAN Interface.
I cannot filter traffic to the connected gateway router.
PC (192.168.1.3) --- Switch (VLAN 1: 192.168.1.10) --- Router (192.168.1.1)
I am able to filter traffic to the switch.
ACL on Switch:
access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
access-list 101 permit ip any any
interface Vlan1
ip address 192.168.1.10 255.255.255.0
ip access-group 101 in
SSH is configured on Router.
Okay let's look at this and see what you're trying to do. You've used an extended access list to deny tcp traffic on port 22 (SSH) from your PC (192.168.1.3) to your router (192.168.1.1), but to allow all other ip traffic.
You don't need the word 'host' - in the absence of anything else it's assumed to be a host, and you've not used a mask (wildcards in ACLs are reversed to subnet masks, so for an exact match you use zeros). It seems odd that you've configured SSH but then are denying access for this single PC; I'd have thought in the real world you might deny access to the entire network with the exception of your PC. Try this line instead of your first line:
access-list 101 deny tcp 192.168.1.3 0.0.0.0 192.168.1.1 0.0.0.0 eq 22
Bear in mind only SSH should be blocked, so all other traffic from the PC to the router will be allowed, including things like ping. You may have meant to use port 23 for Telnet, thus forcing the use of the more secure SSH.
-
LS1 Member Posts: 12
If this is to restrict CLI access, I would do this:
en
conf t
access-list 1 deny host 192.168.1.3
line vty 0 4
access-class 1 in
end
-
satishtech Member Posts: 243
GDaines thank you it worked.
MultiLayerSwitch(config)#access-list 101 deny tcp 192.168.1.3 0.0.0.0 192.168.1.1 0.0.0.0 eq 22
MultiLayerSwitch(config)#access-list 101 permit ip any any
What was I doing wrong?
This is Packet Tracer not real Routers.
Why does the following not work?
MultiLayerSwitch(config)#access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
MultiLayerSwitch(config)#access-list 101 permit ip any any
Another question:
Single switch, 3 PCs, 2 clients and a server.
I am trying to filter traffic to the server.
ACL is applied to the VLAN to which all the PC's belong.
I think this will not work as all PCs belong to the same VLAN.
Is it possible to filter traffic using ACLs in a switched environment,
with all PCs on the same VLAN?
-
GDaines Member Posts: 273
satishtech wrote: »GDaines thank you it worked.
MultiLayerSwitch(config)#access-list 101 deny tcp 192.168.1.3 0.0.0.0 192.168.1.1 0.0.0.0 eq 22
MultiLayerSwitch(config)#access-list 101 permit ip any any
What was I doing wrong?
This is Packet Tracer not real Routers.
Why does the following not work?
MultiLayerSwitch(config)#access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
MultiLayerSwitch(config)#access-list 101 permit ip any any
Although I thought I read somewhere that in the absence of a mask it is treated as an exact match, as though the mask had been 0.0.0.0, I think that is where the problem was: you not including masks.
satishtech wrote: »Another question:
Single switch, 3 PCs, 2 clients and a server. I am trying to filter traffic to the server. ACL is applied to the VLAN to which all the PCs belong. I think this will not work as all PCs belong to the same VLAN.
Is it possible to filter traffic using ACLs in a switched environment with all PCs on the same VLAN?
I don't know without testing it, but even though they're on the same VLAN and share the same default gateway, traffic still has to go 'in' to the VLAN interface and back out to the other machines, so there's a small chance ACLs may still work. Certainly if you put the server in a different VLAN then it'll definitely work, but you'll then need to use router-on-a-stick or a layer 3 switch to set up inter-VLAN routing.
-
ebohlman Member Posts: 26
satishtech wrote: »Is it possible to filter traffic using ACLs in a switched environment,
with all PCs on the same VLAN?
Yes, but it requires VACLs (which you asked about in another post):
! The ACL referenced by a VACL match clause selects the traffic the action
! applies to: an access-map entry matches packets the ACL PERMITS, and packets
! hitting a deny ACE fall through to the next entry. So the ACL must permit
! only the flow to be dropped; a trailing "permit ip any any" here would drop
! everything else instead.
access-list 101 permit tcp host 192.168.1.3 host 192.168.1.1 eq 22
vlan access-map BLOCK-HOST-3 10
 match ip address 101
 action drop
vlan access-map BLOCK-HOST-3 20
 action forward
exit
vlan filter BLOCK-HOST-3 vlan-list 1
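The following is an added example, written for this page and not code from any of the posters above. It is a small Python simulator of two things discussed in the thread: how an extended ACL with wildcard masks decides a packet (the `host` versus `0.0.0.0` spelling GDaines discussed, which real IOS treats as equivalent), and how a VACL access-map selects traffic from its match ACL (ebohlman's post). The assumptions it encodes are stated in the module docstring; the ACL lines, packets and hosts 192.168.1.3, 192.168.1.4 and 192.168.1.1 are constructed inputs mirroring the thread's topology, and Packet Tracer quirks are not modelled.

```python
"""Simulator of Cisco IOS extended-ACL and VACL matching (added example).
Assumptions: ACEs are evaluated first-match with an implicit deny at the end;
'host A' == 'A 0.0.0.0' and 'any' == '0.0.0.0 255.255.255.255'; a VACL
sequence matches only packets its ACL permits, a sequence with no match
clause matches everything, and a packet matching no sequence is dropped."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc))


def _take_address(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> ACE:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]        # drop the keyword and the list number
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, src_wc, tokens = _take_address(tokens)
    dst, dst_wc, tokens = _take_address(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return ACE(action, proto, src, src_wc, dst, dst_wc, dport)


def acl_verdict(aces: List[ACE], pkt: Packet) -> str:
    """Router/SVI ACL: first matching ACE wins, else the implicit deny."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def vacl_action(seqs: List[Tuple[Optional[List[ACE]], str]], pkt: Packet) -> str:
    """VACL: each sequence is (match ACL or None, 'drop' | 'forward')."""
    for acl, action in seqs:
        if acl is None or acl_verdict(acl, pkt) == "permit":
            return action
    return "drop"


# Constructed inputs: the two ACL spellings from the thread, and the
# permit-only ACL a VACL needs in order to drop the same flow.
HOST_ACL = [parse_ace(line) for line in (
    "access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22",
    "access-list 101 permit ip any any")]
WILDCARD_ACL = [parse_ace(line) for line in (
    "access-list 101 deny tcp 192.168.1.3 0.0.0.0 192.168.1.1 0.0.0.0 eq 22",
    "access-list 101 permit ip any any")]
VACL_MATCH_ACL = [parse_ace(
    "access-list 102 permit tcp host 192.168.1.3 host 192.168.1.1 eq 22")]
SSH_PC_TO_ROUTER = Packet("tcp", "192.168.1.3", "192.168.1.1", 22)
PING_PC_TO_ROUTER = Packet("icmp", "192.168.1.3", "192.168.1.1")
SSH_OTHER_HOST = Packet("tcp", "192.168.1.4", "192.168.1.1", 22)

if __name__ == "__main__":
    for name, acl in (("host form", HOST_ACL), ("wildcard form", WILDCARD_ACL)):
        print(name, "ssh:", acl_verdict(acl, SSH_PC_TO_ROUTER),
              "ping:", acl_verdict(acl, PING_PC_TO_ROUTER))
    for name, acl in (("deny+permit-any match", HOST_ACL),
                      ("permit-only match", VACL_MATCH_ACL)):
        vacl = [(acl, "drop"), (None, "forward")]
        print(name, "ssh:", vacl_action(vacl, SSH_PC_TO_ROUTER),
              "ping:", vacl_action(vacl, PING_PC_TO_ROUTER))
```

Running it shows both ACL spellings giving the same verdicts on an SVI (SSH from the PC denied, ping permitted), and the VACL difference that matters for the last post: with a deny-then-permit-any ACL as the match clause, the SSH flow falls through to the forward entry while all other traffic is dropped, whereas a permit-only match ACL drops exactly the SSH flow and forwards the rest.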