
Switch VLAN ACL Basic question

satishtech Member Posts: 243
Created an ACL on a Switch and applied it to the VLAN Interface.
I cannot filter traffic to the connected gateway router.

PC
Switch
Router
192.168.1.3 192.168.1.10(VLAN 1) 192.168.1.1

I am able to filter traffic to the switch.

ACL on Switch:

access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
access-list 101 permit ip any any

interface Vlan1
ip address 192.168.1.10 255.255.255.0
ip access-group 101 in

SSH is configured on Router.

Comments

  • pinkiaiii Member Posts: 216
    Not sure, but it seems the trouble would be with the first ACL line.
    A simpler way would have been just to say deny ip host 192.168.3.1 and 1.1, and a third line permit any, while using wildcard masks on those two addresses.
  • GDaines Member Posts: 273
    satishtech wrote: »
    Created an ACL on a Switch and applied it to the VLAN Interface.
    I cannot filter traffic to the connected gateway router.

    PC
    Switch
    Router
    192.168.1.3 192.168.1.10(VLAN 1) 192.168.1.1

    I am able to filter traffic to the switch.

    ACL on Switch:

    access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
    access-list 101 permit ip any any

    interface Vlan1
    ip address 192.168.1.10 255.255.255.0
    ip access-group 101 in

    SSH is configured on Router.

    Okay let's look at this and see what you're trying to do. You've used an extended access list to deny tcp traffic on port 22 (SSH) from your PC (192.168.1.3) to your router (192.168.1.1), but to allow all other ip traffic.

    You don't need the word 'host' - in the absence of anything else it's assumed to be a host, and you've not used a mask (wildcards in ACLs are reversed to subnet masks so for an exact match you use zeros). It seems odd that you've configured SSH but then are denying access for this single PC, I'd have thought in the real world you might deny access to the entire network with the exception of your PC. Try this line instead of your first line:

    access-list 101 deny tcp 192.168.1.3 0.0.0.0 192.168.1.1 0.0.0.0 eq 22

    Bear in mind only SSH should be blocked, so all other traffic from the PC to the router will be allowed, including things like ping. You may have meant to use port 23 for Telnet, thus forcing the use of the more secure SSH.
  • LS1 Member Posts: 12
    If this is to restrict CLI access, I would do this:

    en
    conf t
    access-list 1 deny host 192.168.1.3
    line vty 0 4
    access-class 1 in
    end
  • satishtech Member Posts: 243
    GDaines thank you it worked.

    MultiLayerSwitch(config)#access-list 101 deny tcp 192.168.1.3 0.0.0.0 192.168.1.1 0.0.0.0 eq 22
    MultiLayerSwitch(config)#access-list 101 permit ip any any

    What was I doing wrong?

    This is Packet Tracer not real Routers.

    Why does the following not work?

    MultiLayerSwitch(config)#access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
    MultiLayerSwitch(config)#access-list 101 permit ip any any

    Another question:
    Single switch, 3 PCs, 2 clients and a server.
    I am trying to filter traffic to the server.
    The ACL is applied to the VLAN to which all the PCs belong.
    I think this will not work as all PCs belong to the same VLAN.

    Is it possible to filter traffic using ACLs in a switched environment,
    with all PCs on the same VLAN?
  • GDaines Member Posts: 273
    satishtech wrote: »
    GDaines thank you it worked.

    MultiLayerSwitch(config)#access-list 101 deny tcp 192.168.1.3 0.0.0.0 192.168.1.1 0.0.0.0 eq 22
    MultiLayerSwitch(config)#access-list 101 permit ip any any


    what was I doing wrong.

    This is Packet Tracer not real Routers.

    Why the following below does not work ?

    MultiLayerSwitch(config)#access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
    MultiLayerSwitch(config)#access-list 101 permit ip any any

    Although I thought I read somewhere that in the absence of a mask it is treated as an exact match, as though the mask had been 0.0.0.0, I think that is where the problem was: you not including masks.
    satishtech wrote: »
    Another question :

    Single switch , 3 PC's , 2 clients and a server. I am trying to filter traffic to the server. ACL is applied to the VLAN to which all the PC's belong. I think this will not work as all pc's belong to the same VLAN.

    Is it possible to filter traffic using ACL's in switched environment with all PC's on the same VLAN ?

    I don't know without testing it, but even though they're on the same VLAN and share the same default gateway, traffic still has to go 'in' to the VLAN interface and back out to the other machines, so there's a small chance ACLs may still work. Certainly if you put the server in a different VLAN then it'll definitely work, but you'll then need to use router-on-a-stick or a Layer 3 switch to set up inter-VLAN routing.
  • ebohlman Member Posts: 26
    satishtech wrote: »
    Is it possible to filter traffic using ACL's in switched environment,
    with all PC's on the same VLAN ?

    Yes, but it requires VACLs (which you asked about in another post):

    access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22
    access-list 101 permit ip any any

    vlan access-map BLOCK-HOST-3 10
    match ip address 101
    action drop
    vlan access-map BLOCK-HOST-3 20
    action forward
    exit

    vlan filter BLOCK-HOST-3 vlan-list 1
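A small Python model, added here as an illustration and not taken from the thread or from Cisco, of the two things the replies turn on: how an extended ACL entry matches a packet (wildcard bits, the `host` shorthand versus an explicit `0.0.0.0` mask, first match wins, the implicit deny at the end) and where a filter takes effect. It encodes the standard IOS placement rules: a router ACL applied with `ip access-group ... in` on interface Vlan1 only inspects packets that are routed through the SVI or addressed to the switch itself, while a VLAN access-map inspects every packet in the VLAN, and inside a `match ip address` clause the referenced ACL acts as a classifier (a packet the ACL permits matches the map entry, a packet it denies does not). Packet Tracer's behaviour is not modelled. The server address 192.168.1.20, ACL number 102 and all flows are constructed for the example.

```python
"""Toy model of Cisco IOS extended ACL matching and of where a filter takes effect (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    routed: bool = False        # True only when the packet is routed across the SVI, not bridged in the VLAN

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any IP protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_addr(t: List[str], i: int):
    """Parse 'any', 'host A' or 'A WILDCARD'; return (address, wildcard, next token index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":          # 'host A' is shorthand for 'A 0.0.0.0'
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    src_net, src_wild, i = _parse_addr(t, 4)
    dst_net, dst_wild, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], t[3], src_net, src_wild, dst_net, dst_wild, dport)

def acl(*lines: str) -> List[Ace]:
    return [parse_ace(line) for line in lines]

def wildcard_match(addr: int, net: int, wild: int) -> bool:
    """Wildcard 1 bits are 'don't care'; only the 0 bits must match (the inverse of a subnet mask)."""
    return (addr & ~wild) == (net & ~wild)

def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto in ("ip", flow.proto)
            and wildcard_match(_ip(flow.src), ace.src_net, ace.src_wild)
            and wildcard_match(_ip(flow.dst), ace.dst_net, ace.dst_wild)
            and (ace.dport is None or ace.dport == flow.dport))

def evaluate_acl(aces: List[Ace], flow: Flow) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"

def svi_acl_verdict(aces: List[Ace], flow: Flow, svi_ip: str) -> str:
    """'ip access-group <acl> in' on interface Vlan1 is a router ACL: it only sees packets routed through
    the SVI or addressed to the switch itself. A frame bridged PC-to-router inside VLAN 1 never reaches it."""
    if not flow.routed and flow.dst != svi_ip:
        return "forward (not inspected)"
    return evaluate_acl(aces, flow)

def vacl_verdict(aces: List[Ace], flow: Flow) -> str:
    """VLAN access-map: seq 10 'match ip address <acl>' + 'action drop', seq 20 'action forward'.
    A VACL sees every packet in the VLAN, and inside the match clause the ACL is a classifier: a packet
    the ACL permits matches seq 10 and is dropped; one it denies falls through to seq 20 and is forwarded."""
    return "drop" if evaluate_acl(aces, flow) == "permit" else "forward"

PC, SWITCH, ROUTER, SERVER = "192.168.1.3", "192.168.1.10", "192.168.1.1", "192.168.1.20"
PERMIT_ANY = "access-list 101 permit ip any any"
# The thread's ACL written both ways: the 'host' form and the 0.0.0.0 form parse to identical entries.
ACL_HOST = acl("access-list 101 deny tcp host 192.168.1.3 host 192.168.1.1 eq 22", PERMIT_ANY)
ACL_WILD = acl("access-list 101 deny tcp 192.168.1.3 0.0.0.0 192.168.1.1 0.0.0.0 eq 22", PERMIT_ANY)
# Constructed: a VACL classifier listing only the traffic to drop (ACL number 102 is made up).
ACL_CLASSIFIER = acl("access-list 102 permit tcp host 192.168.1.3 host 192.168.1.1 eq 22")

# Constructed flows. Every host sits in 192.168.1.0/24 on VLAN 1, so none of them is routed.
FLOWS = {"pc->router ssh": Flow("tcp", PC, ROUTER, 22), "pc->router icmp": Flow("icmp", PC, ROUTER),
         "pc->switch ssh": Flow("tcp", PC, SWITCH, 22), "pc->server ssh": Flow("tcp", PC, SERVER, 22)}

def svi_results(aces: List[Ace]) -> dict:
    return {name: svi_acl_verdict(aces, f, SWITCH) for name, f in FLOWS.items()}

def vacl_results(aces: List[Ace]) -> dict:
    return {name: vacl_verdict(aces, f) for name, f in FLOWS.items()}

if __name__ == "__main__":
    print("SVI ACL 101 as in the thread:", svi_results(ACL_HOST))
    print("VACL with ACL 101 as written:", vacl_results(ACL_HOST))
    print("VACL with a permit-only classifier:", vacl_results(ACL_CLASSIFIER))
```

Running it shows three things worth checking on any real box: the `host` and `0.0.0.0` spellings produce the same entries, so they are interchangeable on IOS; with the SVI ACL, PC-to-router SSH on the same subnet is bridged past the SVI and reported as not inspected, while a flow addressed to 192.168.1.10 itself is evaluated; and under the VACL model the ACL 101 above, whose only permit is `permit ip any any`, makes everything except the SSH flow match the drop entry, whereas a classifier ACL that permits only the SSH flow drops exactly that flow and forwards the rest. Verifying the intended drop with a quick connection test after applying a VLAN map is the practical takeaway.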