Cisco Switching/Routing :: 3550 / Access List - Block One Ip Or Port

Jan 9, 2012

I have a layer 3 switch, 3550.I have several vlans on there just for playing around with. One of the vlans, has a vonage linksys box attached to it with a UK number attached. From time to time telemarketers call at 03:00 in the morning, this as I'm sure you can imagine is not much fun. The linksys box gets 192.168.3.3 as it's ip.The switch is connected to a non cisco router at 192.168.0.1
 
interface FastEthernet0/24
no switchport
ip address 192.168.0.2 255.255.255.0
 
I was thinking a time based access list would work best I have tried several variations but the phone still rings. I have tried access-list 1 deny host 192.168.3.3 permit ..... and more extensive lists but the phone still rings. I have not applied the time-range yet, so that's not the problem.I have applied the list to the vlan interface and to fa0/24 but it's not working.

View 3 Replies


ADVERTISEMENT

Cisco Switching/Routing :: 1841 Need To Block MAC Address / Applied Command Access-list

Sep 4, 2012

I am using cisco 1841 LAN router, I need to block MAC address i have applied the command access-list 1102 deny 0000.0000.0000.0000 mac address..... but it does not work.

View 24 Replies View Related

Block 1433 Port With Access List For Specific Ip Address?

Jan 2, 2012

I want to block the sql port access of my server to all except few of my ip addresses while access list on Cisco Router IOS how do i do that.

View 3 Replies View Related

Cisco Switching/Routing :: How To Block Single Mac Address In 3550 Switch

Nov 16, 2011

I need to block this mac address in  my 3550 switch.i enable port security but this mac address comes and do the violation and port is shut down.

View 3 Replies View Related

Cisco Switching/Routing :: 3550 / Routing Protocol Neighbor Between SVI And Routed Port?

Apr 18, 2012

I have a collapsed core design with routed ports between all components. Access layer switches, data center switches, core/aggregation. All routed (no spanning-tree at all).Now...I have to add an IBM BladeCenter with a BNT layer 3 switch to my topology. However, those nasties don't seem to support routed ports.How can I have a routed port on my cisco switch and a standard access port on the BNT and still establish an adjacency with an SVI? I am running OSPF, but I am labbing this in my home lab with 2 x 3550s and EIGRP.
 
On SW2:
*Mar  1 00:57:00.711: EIGRP: Received HELLO on Vlan100 nbr 10.1.1.1
*Mar  1 00:57:00.711:   AS 999, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Mar  1 00:57:02.303: EIGRP: Sending UPDATE on Vlan100 nbr 10.1.1.1, retry 9, RTO 5000 tid 0
*Mar  1 00:57:02.303:   AS 999, Flags 0x1, Seq 17/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

[code].....

View 10 Replies View Related

Cisco Switching/Routing :: 3550 - Redirecting Port 80 Traffic?

Dec 12, 2011

How do I redirect my port 80 traffic to my Trend Micro IWSVA in my 3550 switch? How do I use PBR? Can I use WCCP in my 3550?

View 3 Replies View Related

Cisco Switching/Routing :: 3550 - Port Security Verification

Apr 1, 2013

I'm trying to test port-security in my c3550 but when I show port-security int f0/23 shows it only "Disabled" as below:
 
run
interface FastEthernet0/23switchport access vlan 200switchport mode dynamic desirableswitchport port-security mac-address stickyspanning-tree portfast 

View 2 Replies View Related

Cisco Switching/Routing :: Port Unreachable Messages On 3550 Switch?

Jan 24, 2012

While working at a client site today, I was troubleshooting some ICMP connectivity for a network we have created.I turned on 'debug ip icmp" on the 3550 switch int he middle, and was inundated with the following debug output:
 
Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5
Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5
Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5
Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

[code]....
 
This output fires several times a second, and based on how often it is firing, I am curious if it may be a culprit with respect to the fact that the client has indicated that they have some slow internet.Should the next step be to look at the workstation at 172.16.1.5? 

View 10 Replies View Related

Cisco Switching/Routing :: 3750 Populate All Switch Port With 100 Filter List

Oct 27, 2011

If i fully populate all switch port (Cisco 3750 series) with 100 filter list on each port is it recommendable.

View 4 Replies View Related

Cisco Switching/Routing :: 3550 Wireless Access Points

Feb 11, 2013

what I can do to accomplish my end goal of safe public wifi and configuration.I have 2 domain controllers (for redundancy) with a split scope for DHCP and they both serve DNS. I have VLAN 2 (management), VLAN 3 (Servers), VLAN 4 (Wired Access), VLAN 6 (Wireless Access) and VLAN 480 (Outside Wireless). I have setup INT VLANs for all of these on my main router (Cisco 3550) with the ip-helper address to the DC for all but the VLAN 480. All of this works great, and the scopes are setup just like the VLANs. (ie 192.168.2.0 (management) .3 (servers) etc.)I was wondering if there is a way to have VLAN 480 get DHCP from the cisco 3550 as a random address say, 172.16.0.0 255.255.248.0?
 
On a side note, I have seperate Wireless Access Points for the outside. (From a guy before me) I understand you can have a guest wireless setup on the newer Access Points, and trunk (cisco term) the 2 VLANs and seperate them out with Access Control Lists so they don't talk to each other, but I would rather just give the VLAN 480 it's own DHCP from the router.

View 14 Replies View Related

Cisco Switching/Routing :: 3550 / VLans Not Able To Access Internet?

Jun 12, 2012

We have cisco 3550 switch i have configured 3 vlans in this switch vlans are not able to accessing internet

View 7 Replies View Related

Cisco Firewall :: Access-List Traffic Control Attempting To Block RDP 3389

Nov 7, 2012

I have an ASA pair configured to replace a router that hosts a collection of IPSec Tunnels.  Tunnels appear to work.  I am lab'ing some additional controls that I would like to implement.  On the Production Router that i plan to replace with the ASA's the current Tunnels are all wide open (all traffic allowed to pass).  I was hoping to lock things down a little without having to reconfigure all of the Tunnels.  My though was that an ACL on the Inside Interface blocking selected traffic Out (so into the LAN) should not impact the stability of the Tunnels but allow me to restrict some traffic from entering the LAN.  One port that I was attempting to block is RDP 3389.  When this ACL is applied to the inside interface it does not block Port 3389 at all.  What am I missing?  Is it that the trffic is being allowed because it is coming through one of my 'open' Tunnels? 
 
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
 
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 3389
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 135
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 137
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 138
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 139
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 445
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 389
access-list 145 permit ip any any
 
ip access-group 145 out interface Internal
 
This work great on a 2821 Router, but not so much on the ASA.

View 11 Replies View Related

Cisco Switching/Routing :: Sharing Internet Access Through A 3550 With 2 Vlans?

Apr 27, 2013

They have a locked Cisco Router which is from the ISP and its confed on a fa 0/0 interface to share Internet access on the network. The ip on that interface is 195.198.11.217 255.255.255.252 and i tried it with a PC (set my personal ip to .218 and entered their dns info (195.67.199.27) and it is working. The question is now. My friend found a 3550 laying around and since the ISP wont let them conf their router he wants to use the 3550 to create 2 vlans with internet access and without access to eachother. Vlan 10 for the desktops and Vlan 20 for the wireless (Moving on to some netgear wireless switches) How would you configure the 3550 for this to work?

View 23 Replies View Related

Cisco Switching/Routing :: Internet Access For 3550 Switch VLANs?

Feb 22, 2012

I have a small cisco switch cluster (seven different 2924, 3524cisco switches) with 3550 as a cluster control which does all the inter vlan routing that works fine.
 
This cluster is in semi production PBX interop testing lab. This is a closed network without internet access and not connected to our corporate network.However now I have to add this capability so some equipment in the lab can get Microsoft updates over the internet.
 
I've created a port on a 3550 (fa0/19) and connected it to another network that has internet access. It picked an ip address and when I'm logged in to the 3550 I can ping hosts on the outside network. However I can't ping any hosts on that network from any hosts that are connected to my vlans.I've tried a few different things, but still can't make it to work.
 
Here is a short version of my 3550 configuration:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption

[code]....

View 13 Replies View Related

Cisco Switching/Routing :: 3560 - Access List On InterVLan Routing

Dec 11, 2012

I implemented access list on cisco 3560 switch but it never works. I want to block access from network B to Network A and allow from Ato B
Network A. 10.0.12.0/24
Network B 10.0.24.0/24
 
The configuration is
interface Vlan1
description Data VLAN

[Code].....

View 14 Replies View Related

Cisco Firewall :: 5505 Static Nat With Port Redirection 8.3 Access List Using Un-Nat Port

Aug 15, 2012

I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.

View 12 Replies View Related

Cisco Switching/Routing :: 4500 And Mac Access List

Apr 11, 2011

I'm looking to implement a vlan filter to keep unnecessary stuff off my access-layer. Things like IPv6, IPX etc. I really only want IPv4, ARP and 802.1q on these 4500s. I know on 3750, 3560s etc, when I create the mac access-list, I can do it by ethertype, but on the 4500, I dont have that option.
 
4th_floor(config)#mac access-list extended Drop-traffic
 
4th_floor(config-ext-macl)#permit any any ?
  protocol-family  An Ethernet protocol family
  <cr>
 
4th_floor(config-ext-macl)#permit any any protocol-family ?
  appletalk
  arp-non-ipv4
  decnet
[Code]....

View 1 Replies View Related

Cisco Switching/Routing :: 1800 ISR Without Access List?

Apr 19, 2012

I have an 1800 isr that is running with port forwarding only.  It is running a series of ip nat inside source static address port address port commands.  It does not have an access list bound to the outside interface.  This is working fine, but i am wondering if this is a security concern?

View 1 Replies View Related

Cisco Switching/Routing :: 6509 - Block All FTP Traffic On Port 21 From Servers In Network

Oct 3, 2012

I am attempting to block all FTP traffic on port 21 from the servers in my network, and only allow FTP from one server to go out.
 
I have created the following ACL
  
access-list 101 Permit ip any any
access-list 101 Permit 21 1.1.1.1 0.0.0.0 any
access-list 101 Deny 21 any any
 
and have applied it to my truck VPN that goes up to my firewall
 
int Vlanxxx
ip access-group 101 out
 
But when i test ftp is still allowed by all servers.

View 6 Replies View Related

Cisco Switching/Routing :: 192.168.10.10 / VLAN Access List Not Working?

Sep 5, 2012

Extended IP access list VLAN20
    10 permit tcp any any established
    11 permit icmp any any
    20 permit tcp any 192.168.20.0 0.0.0.255 eq 80
    30 permit tcp any 192.168.20.0 0.0.0.255 eq 443
    40 deny ip any any log

[code].....
 
Above is the network diagram and access list for VLAN 20 and VLAN 30, applied on incoming direction of each valn.But still able to access other port which is not on access list, tried changing the direction with no luck.Inter vlan routing is enabled on CoreSwitch default router is 192.168.10.10

View 5 Replies View Related

Cisco Switching/Routing :: 3750 How To Write Access List

Jan 15, 2012

i have one Cisco 3750, am using it as Core Switch where i have 6 more access switches are connected deirectly, and we are using VLANs in our network with the IP reange of 172.16.0.0 , now we had a new Internet connection which is dedicated to Exchange Server only.So we have TWO internet connection One for internet access to all users and another one for only Exchange Server.internet connection for the users is termiated at a Cisco 1700 Series Router and Internet for Exchage Server is terminated at a Cisco ASA Firewall.Now the problem is how can i write an access list, which says that all packets from Exchange server should be routed to ASA Firewall , and all other packets shoulde route to Cisco Router.IP address os Exchange server is 172.16.2.1, 172.16.2.2.

View 13 Replies View Related

Cisco Switching/Routing :: 4506 - Interface Access-list

Nov 14, 2011

I have one computer connected to the 4506 that management does not want this PC to have access to anything on our network except our DHCP server and the one printer that resides on our network.  I created an extended access list as follows.  Our network is the 10.10.x.x and the external addresses the PC needs to access is 11.1.x.x.  Once this PC is rebooted, it is unable to access DHCP to get the needed IP address it bounces back to a 169.x.x.x address and stops working.
 
Extended IP access list 2000
permit tcp host 10.10.200.242 host 11.1.200.1                           (gateway)
permit tcp host 10.10.200.242 host 11.1.2.151 eq smtp              (access from the pc to external server for smtp)
permit tcp host 10.10.200.242 host 11.1.2.149 eq 5721              (access from the pc to external server for remote access)
[ code]...
 
Then I applied the access-group 2000  on the interface the PC is connected to. What am I missing for DHCP to work and for this PC to always get the ip address that is reserved?

View 3 Replies View Related

Cisco Switching/Routing :: Not Able To Assign Access List To CMP Interface Of Nexus 7K

Feb 6, 2013

I am trying to harden my Nexus box and I am not able to ACL assigment command. Following are the commands I am trying to add.

interface cmp-mgmt module 5
Ip access-group NETWORK_MANAGEMENT_ACCESS in

View 1 Replies View Related

Cisco Switching/Routing :: 239 Multiple Static RPs And Access-list Behavior

Aug 14, 2012

I configure multiple static RPs and one of the ACLs denies a source will it move on to the next entry that covers it in another acl? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239.Will that work correctly, i.e. if a source is trying to register with the router and its for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?

View 2 Replies View Related

Cisco Switching/Routing :: Vlan Access List In 3750x Switch

Feb 6, 2013

I have a LIII Switch Cisco 3750x ,with diffrent Vlans , Some users are in Vlan 102 (10.10.2.0) and Some Users are in Vlan1 (10.10.1.0) , now i want to restrict  the Vlan102 users to access Vlan1 , i am pasting my configuration below , how to create a access list . 
 
interface Vlan1
ip address 10.10.1.36 255.255.255.0
ip helper-address 10.10.1.36

[Code].....

View 2 Replies View Related

Cisco Switching/Routing :: 2960 - Mac Access-list Time Based

Dec 11, 2011

I need to enable/disable a mac access-list on a 2960 scheduled by time. The switch has lanbasek9-mz.122-44.SE6. As the mac access-list can not support time ranges, I tried EEM but seems like it is not supported in this device.

View 1 Replies View Related

Cisco Switching/Routing :: 4948 - Configuration Of Access List For VLAN 2

May 19, 2013

In my core Switch,there are 2 v LAN(V LAN 1 & V LAN 2)my switch is Cisco 4948,so be default ip routing is enable in it. My all servers (DHCP,HTTP,HTTPS) are in v LAN 1 & internet is also in v LAN 1.

My requirement is that v LAN 1 user should not communicate with the v LAN 2 and vice versa. But the v LAN 2 users need an access of all servers and internet which is in v LAN 1. How to configure the access-list. I have try on Packet tracer which i have attached.
 
note:v LAN 2 user should get the IP from dhcp server which is in vlan1.

View 4 Replies View Related

Cisco Switching/Routing :: 4503 -MAC Access-list Extended To Only Allow Gateway Traffic

Nov 7, 2011

We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and thats it.  The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
 
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports but with 4500's you are not able to do that command.  So we implemented a MAC Access-List Extended ACL.  Here is what we did
 
mac access-list extended BLAH
permit #host 0000.XXXX.YYYY any
interface range fa 2/5 - 20
mac access-group BLAH out 
 
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20.  We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening.  The TUT devices are learning about MAC addresses that are on other TUT devices. 

View 1 Replies View Related

Cisco Switching/Routing :: 3560 - No Access List On Switches And No Firewall Between Sites

Jul 15, 2012

I have 3 3560 switches which are configured with trunks between them. They run vlan 10, 11 & 12. I have a 'core' switch (switch 1) of these 3 to which an MPLS router is connected on vlan12. I in addition have another switch hanging off the 'core' switch via a routed link (switch 4). I have EIGRP configured as a stub and as such the IP address on the routed link at the core switch end is of a /24 from v lan 1 on the other switch. This makes the route directly connected and therefore distributed via EIGRP stubs. Switch 1 is then exchanging routes with the MPLS router (via EIGRP).
 
The problem I have is that from any sub net on any switch (switch 1, 2 or 3) I can ping 192.168.13.1 (switch 4). When I try and ping switch 4 from over the MPLS I am unable to. If I trace to the switch I see it reaches the outside of the MPLS router, but is then unresponsive. The same applies if I try to ping switch 1 on 192.168.13.2. Any of the other IP addresses of switch 1 respond.
 
The MPLS network is a managed solution to which I have no access. I'm told that the MPLS provider is able to ping switch 1 & switch 4 on the 192.168.13.x addresses from a remote router (192.168.32.2). I have tried from a switch on the same L2 sub net (192.168.32.1) and I don't get a response.
 
From switch 4 I am able to ping the switch on 1 of it's interfaces (192.168.19.1), but not the interface I mentioned above 192.168.32.1. There are no access lists in place on the switches and no firewalls between the sites.

View 22 Replies View Related

Cisco WAN :: 1720 Router - Commands To Set Access List To Allow Access To Port 551

Nov 29, 2010

I am trying to allow telnet to port 551 but i couldn't get it to work.I am using a cisco 1720 router running on IOS 12.2.I am using the below commands to set the access list to allow access to port 551 using remote telnet to the Cisco router.hostname R1!interface ethernet0ip access-group 102 in!access-list 102 permit tcp any any eq 551.After i enter the above command the router will disconnect me and i will not be able to connect to it for awhile. Once the router is up i am still unable to telnet to port 551.

View 14 Replies View Related

Cisco Switching/Routing :: N7K Hardware Access-list Resource Pooling Command Not Working

Nov 23, 2011

Not sure why the N7K M1 card doesn't take this command. It works on other N7K at different site. [code]

View 1 Replies View Related

Cisco Switching/Routing :: 5548 Add Access List To Both Switches Not In Config Sync Mode

Mar 21, 2012

I have two 5548's in sync mode: I have an existing ACL and I want to add a new line to it, but after I do and try to commit it states the verify failed. [code]

I have to add access list to both switches not in config sync mode.

View 1 Replies View Related

Cisco Switching/Routing :: 2800 Block Some URL That Users Have Access Through LAN

Jan 30, 2012

I wish to block some url that users have access through my LAN .That's i wish to block icmp,access towards such sites, i wish to block icmp because dns will resolve the domain and they can access through ip address.what i have in place is a cisco 2800 series routers,

View 7 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved