Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ACL on ports

Status
Not open for further replies.
destinyml

destinyml

ISP
Apr 27, 2004
27
DK
Hi

I'm trying to setup access control lists on my cisco 2960 switch. The idea is that each server connected to a switch port will have its own access control list. Eg. only allow ssh access to a server from a specific IP address.

My problem is that that the switch interface is limited to only allowing the "in" parametre of the "ip access-group" command. That is I can only use acl for controlling access of server outboud usage.

Any ideas how to accomplish my goal? Should I use VLANs?
 
Sort by date Sort by votes
You could use vlans, or isolate one switch to host your servers, to create a sort of "server farm", and filter traffic there, but then you have to worry about blocking other valid traffic. It might be easier to just do a personal firewall on the server. Are you using Windows or Unix?
 
Upvote 0 Downvote
I don't have access to the os of the servers connected to the switch, so a software firewall is not posible.

If I set up a vlan for each port I will be able to define both "in" and "out" acls (as far as I understand) but the servers connected to the switch also need to be able to communicate internally and they are on the same subnet. I haven't got too much experience with vlans, so I'm not sure if I can use vlans. And how to.
 
Upvote 0 Downvote
Yeah, we were just talking about something like this the other day:

So, the servers need to be able to contact each other, but clients should only be able to connect to a specific port? Put the servers all on one vlan, the clients in another and setup vlan routing on your switch. Then, put an access list on the server vlan interface that will only allow incoming ssh from certain clients. Granted, I don't know if your 2960 supports intervlan routing.
 
Upvote 0 Downvote
There was a really good cisco site to look this up and I can't remember where it was...

Anyway, yes, a 3750 should do, but no, it won't work between clients and servers on the same subnet because they both need access to the same gateway. 1 subnet to 1 vlan.

You could either segment your subnet, or perhaps use a vlan access list which we discussed in the other thread.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

testman1
  • Locked
  • Question
SIP telephone ring on second call
Replies
0
Views
111
testman1
testman1
BleuBell
  • Locked
  • Question
Command Rejected : Exceeded NNI ports Allowed
Replies
0
Views
80
BleuBell
BleuBell
stanlyn
  • Locked
  • Question
HowTo Install Multiple PAP2T ATA Devices on Same Lan
Replies
3
Views
165
iggsterman
iggsterman
Mogles49
  • Locked
  • Question
Firewall ACL question
Replies
1
Views
93
burtsbees
burtsbees
bfordz
  • Locked
  • Question
new help on setting up third party VoIP phones through Catalyst 2960x switch
Replies
0
Views
101
bfordz
bfordz

Part and Inventory Search

Sponsor

Back
Top