Easy ACL question

GT1999

Setup:

Two Cisco 3750 switches connected together with a Gig Single Mode Fiber connection.

s1: 192.168.1.1 for loopback0
10.1.1.1 for GigE 1/0/4
BGP AS 100

s2: 192.168.1.2 for loopback0
10.1.1.2 for GigE 1/0/4
BGP AS 200


Nothing else is currently setup and the routes are pingable.

ACL gurus: how would I setup the two switches to ONLY talk to each other?
 

GT1999

I forgot to mention, they will be running BGP and are Layer 3 (I think?)

All and any traffic coming through the switches should only be allowed if it is from one of the ports on that switch or the other.

Eventually it'll be hooked up into a production network and be on the 'net with public IPs but this is for testing and I need it done by Fri lol

I've done SOME ACL work on routers but none on layer 3 switches; I didn't even know you could run BGP on a switch until today.
 

spidey07

A layer 3 switch is nothing more than a router. Think of it as one - in other words, on your gig ports you issue the "no switchport" command and it is now just like a router interface. It looks like that is what you are doing on the gig interfaces.

As far as ACLs, apply them inbound and outbound on the gig interfaces. You'll need to allow for BGP; I don't know what source interface you're using for your neighbors, but allow that.

Need more info to help. What VLANs are defined and what is their addressing on each switch? Looks like a lab setup. Do not advertise those ASes on the Internet. Use the private ASes. Are these metro switches?
 

GT1999

Switch 1:

Switch1#sho run
Building configuratio

Current configuration : 2317 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch1
!
!
no aaa new-model
switch 1 provision ws-c3750-48ts
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface Loopback0
ip address 172.1.200.1 255.255.255.255
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface Fast
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
!
interface FastEthernet1/0/46
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
no switchport
ip address 10.1.1.1 255.255.255.252
!
interface Vlan1
no ip address
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 172.1.200.2 remote-as 200
no auto-summary
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 5 15
!
!
end

Switch1#






Switch 2:

Switch2#sho run
Building configuration...

Current configuration : 2327 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch2
!
!
switch 1 provision ws-c3750-48ts
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
!
interface Loopback0
ip address 172.1.200.2 255.255.255.255
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
!
interface FastEthernet1/0/46
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0
!
interface GigabitEthernet1/0/4
no switchport
ip address 10.1.1.2 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 172.1.200.0 mask 255.255.255.0
neighbor 172.1.200.1 remote-as 100
no auto-summary
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Switch2#

 

GT1999

From that config I don't think those are private ASes like you said. This is making me realize that I'm pretty rusty on Cisco, minus some PIX work.

Do I have to respecify like this below? If so should I clear the BGP config? I also don't have any VLANs setup... I don't think that's necessary now but I'm sure it will be later.

Later these will need multicast setup on them also. I'll probably be getting some help on that though.


Switch 1:
ip routing
router bgp <private AS>
neighbor ip 172.1.200.2 remote-as <private AS>


Switch 2:
ip routing
router bgp <private AS>
neighbor ip 172.1.200.1 remote-as <private AS>


---


For the ACLs I was thinking these might work:

Switch 1:
access-list 1 deny any any
access-list 1 permit 172.1.200.0 0.0.0.255


Switch 2:
access-list 1 deny any any
access-list 1 permit 172.1.200.0 0.0.0.255

 

GT1999

Alright, I got the BGP setup with private ASes now. I had to use "no router bgp 100" and "no router bgp 200", respectively, and add 65100 and 65200 to replace them as they are private.

So now I just have to create access (or prefix?) lists to only allow traffic between the two. Not just BGP but any traffic including multicast. I was told I should use another /24 IP on the 2nd router to help with blocking traffic?

Then I have to add it into the test lab router and setup multicast...
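The two open questions in this thread, the ACL proposal a few posts up and the request just above for lists that only allow traffic between the two switches, are both covered by the following example. It is added here as an illustration and is not configuration posted by anyone in the thread. It assumes the simplest peering, BGP sourced from the directly connected 10.1.1.0/30 link addresses, and it shows Switch1 only; Switch2 is the mirror image with the 10.1.1.1 and 10.1.1.2 addresses swapped. Two points about the earlier proposal are worth knowing: a standard ACL (numbers 1-99) matches on source address only and takes a single "any", and IOS evaluates entries top-down with first match winning, so a list that starts with a deny-all never reaches its permit line and drops everything, BGP included. The example uses a named extended ACL instead, which can match both addresses and the protocol.

```cisco
! Added example, not from the thread.  Restrict Gi1/0/4 on Switch1 to
! traffic exchanged with Switch2 (10.1.1.2).  Assumes BGP peers over the
! link addresses.  Peering between the loopbacks (172.1.200.x) would also
! require a route to the peer's loopback, "neighbor ... update-source
! Loopback0" and "neighbor ... ebgp-multihop 2", plus matching ACL entries
! for the loopback addresses.
!
! Every IOS ACL ends with an implicit "deny ip any any"; the explicit deny
! at the bottom is there only so that rejected packets are logged.
!
ip access-list extended FROM-SWITCH2
 remark BGP (TCP 179): either side may open the session, so match both ways
 permit tcp host 10.1.1.2 host 10.1.1.1 eq bgp
 permit tcp host 10.1.1.2 eq bgp host 10.1.1.1
 remark ping across the link for troubleshooting
 permit icmp host 10.1.1.2 host 10.1.1.1 echo
 permit icmp host 10.1.1.2 host 10.1.1.1 echo-reply
 remark anything else from the link is dropped and logged
 deny   ip any any log
!
ip access-list extended TO-SWITCH2
 permit tcp host 10.1.1.1 host 10.1.1.2 eq bgp
 permit tcp host 10.1.1.1 eq bgp host 10.1.1.2
 permit icmp host 10.1.1.1 host 10.1.1.2 echo
 permit icmp host 10.1.1.1 host 10.1.1.2 echo-reply
 deny   ip any any log
!
interface GigabitEthernet1/0/4
 no switchport
 ip address 10.1.1.1 255.255.255.252
 ip access-group FROM-SWITCH2 in
 ip access-group TO-SWITCH2 out
!
router bgp 65100
 neighbor 10.1.1.2 remote-as 65200
!
```

After applying it, "show ip access-lists" shows per-entry hit counts, and "show ip bgp summary" confirms the session stays Established; if the session drops, the logged denies point at whatever traffic was missed. Note that an outbound ACL does not filter packets the switch itself originates, so it is the inbound list on each switch that actually enforces the restriction. The multicast mentioned above is not covered here: it would need its own permit entries (for PIM and the multicast groups in use) once that part of the design is known.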