
We're hosting Dedicated Servers and are currently using old 3com switches with IP-based ACLs. So each port has an ACL that allows all IP addresses assigned to this customer, and blocks everything else.

But now 3com was bought by HP, and the follow-up model only supports basic ACLs that aren't flexible enough to both allow certain IPs while blocking others. Looking at other switches in a similar price range, we've found that most of them have similar problems or don't offer any ACL features at all.

I assume this could also somehow be done with VLANs, but if I understand this correctly we'd still need some kind of ACL to actually specify the valid IP addresses for each port.

What do you use to make sure your customers don't use unassigned IP addresses? Or what switches can you recommend that have flexible ACL functionality?

toupeira

1 Answer

Working in a mainly Cisco shop here, and even the most basic of 29XX series support ACLs. It's as simple as adding an access list at the top like:

! Standard ACL: only the customer's assigned source addresses are permitted;
! everything else is dropped by the implicit "deny any" at the end of the list.
ip access-list standard Fa01
 permit 192.0.2.1
 permit 192.0.2.2

And then in the config for the Fa0/1 interface:

! Bind the list inbound on the customer's port. Named ACLs are case-sensitive,
! so the name here must match the definition exactly (Fa01, not fa01).
interface FastEthernet0/1
 ip access-group Fa01 in

There are undoubtedly plenty more switches by other manufacturers that can do it, but I can recommend Cisco for the job.

Niall Donegan

  • Thanks, actually we got a Cisco switch to test last week (not sure about the model) but I didn't see anything like this in the web interface, and being accustomed to crappy firmware I didn't bother to check out the CLI ;-) But in this case we'll definitely take another look at it! – toupeira Jan 13 '11 at 19:13
  • In general the CLI tends to be decent on Cisco devices. Don't know about the Linksys/Cisco though! – Niall Donegan Jan 13 '11 at 19:15
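As an added example (not code from the question or the answer above), the following Python script renders the per-port standard ACL plus `ip access-group` stanza shown in the answer from a port-to-address allocation table, so the ACL name used in the definition and in the interface binding always come from the same function and cannot drift in case or spelling. It also refuses to emit a config when an address is assigned to more than one port or is not a valid IPv4 address, which is the kind of allocation mistake that quietly lets one customer source another customer's address. The `CUST-` naming scheme and the allocation table are assumptions made for this example.

```python
"""Render per-port Cisco IOS standard ACLs from a customer address allocation.

Input format (constructed for this example, not a real inventory format):
    {"FastEthernet0/1": ["192.0.2.1", "192.0.2.2"], "FastEthernet0/2": ["198.51.100.0/30"]}
Values may be single hosts or CIDR prefixes; only IPv4 is accepted because
IOS standard ACLs match IPv4 source addresses only.
"""
import ipaddress
from collections import defaultdict


def acl_name_for(interface: str) -> str:
    """Derive a deterministic ACL name from the interface name.

    "FastEthernet0/1" -> "CUST-Fa0-1". Using one function for both the
    definition and the access-group binding avoids the Fa01/fa01 mismatch
    (IOS named ACLs are case-sensitive). The CUST- prefix is an assumption.
    """
    short = interface.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")
    return "CUST-" + short.replace("/", "-")


def validate_allocation(allocation: dict) -> list:
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    owners = defaultdict(list)  # network -> interfaces that claim it
    for iface, addrs in allocation.items():
        for a in addrs:
            try:
                net = ipaddress.ip_network(a, strict=False)
            except ValueError:
                problems.append(f"{iface}: {a!r} is not a valid IP address or prefix")
                continue
            if net.version != 4:
                problems.append(f"{iface}: {a} is not IPv4; standard ACLs are IPv4-only")
                continue
            owners[net].append(iface)
    for net, ifaces in owners.items():
        if len(ifaces) > 1:
            problems.append(f"{net} assigned to multiple ports: {', '.join(ifaces)}")
    return problems


def acl_entries(addrs: list) -> list:
    """Turn addresses/prefixes into standard-ACL permit lines (sorted for stable diffs)."""
    nets = sorted(ipaddress.ip_network(a, strict=False) for a in addrs)
    lines = []
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f" permit host {net.network_address}")
        else:
            # Standard ACLs take a wildcard mask, which is the inverted netmask.
            lines.append(f" permit {net.network_address} {net.hostmask}")
    return lines


def render_config(allocation: dict) -> str:
    """Render ACL definitions followed by per-interface bindings, or raise on bad input."""
    problems = validate_allocation(allocation)
    if problems:
        raise ValueError("refusing to render: " + "; ".join(problems))
    out = []
    for iface in sorted(allocation):
        name = acl_name_for(iface)
        out.append(f"ip access-list standard {name}")
        out.append(f" remark customer source addresses for {iface}")
        out.extend(acl_entries(allocation[iface]))
        out.append(" deny any")  # same effect as the implicit deny; explicit for readability
        out.append("!")
    for iface in sorted(allocation):
        out.append(f"interface {iface}")
        out.append(f" ip access-group {acl_name_for(iface)} in")
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample allocation using documentation address ranges.
    sample = {
        "FastEthernet0/1": ["192.0.2.2", "192.0.2.1"],
        "FastEthernet0/2": ["198.51.100.0/30"],
    }
    print(render_config(sample))
```

Because `render_config` raises instead of emitting a partial config, a broken allocation table never reaches the switch; run `validate_allocation` on its own when you only want the report.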