Cisco IOS, restrict IP addresses per ethernet port

Tags: access-control-list, cisco, ios, pvlan, vlan

I am configuring a Cisco 881, and am interested in restricting individual ports on the LAN (FastEthernet 0-3). I would like to be able to limit the IP addresses that someone can use based on which port they are connected to.

This way IP ACLs in another location can be used to determine whether the user was physically connected using the correct cable before the TCP connection is established.

Best Answer

If you create one VLAN per physical switch port (the 881 seems to support up to 8 VLANs), you can give each VLAN a separate IP subnet. For example:

f0 has VLAN 100 and subnet 192.168.0.0/24
f1 has VLAN 101 and subnet 192.168.1.0/24
f2 has VLAN 102 and subnet 192.168.2.0/24
f3 has VLAN 103 and subnet 192.168.3.0/24

i.e. if a connection is made from 192.168.2.65 you will know it connected through VLAN 102 and interface f2.

The syntax for assigning VLANs to interfaces is described here and seems to be:

Router(config)# interface FastEthernet2
Router(config-if)# switchport access vlan 102
Router(config-if)# no shutdown
Router(config-if)# end

The syntax for assigning an ip address to a VLAN interface (i.e. the default gateway address for the clients) is seen throughout the configuration guide and seems to be in configured form:

interface Vlan102
 ip address 192.168.2.254 255.255.255.0

More info on VLANs can be found here and on subnetting here.
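The complete configuration that the answer above describes, written out for all four LAN ports of an 881, as an added example that is not part of the original answer. The VLAN numbers, subnets and gateway addresses are the ones from the answer; the VLAN names and the ACL names (FROM-F0 to FROM-F3) are assumptions chosen for this example. The ACLs are the part the answer leaves to "another location": without an inbound filter on each SVI, a host plugged into f2 can still configure itself as 192.168.1.x and the router will route its packets, so the per-port subnet would say nothing about which cable was used. Each ACL therefore admits only the subnet assigned to that port as a source address (plus the all-zeros source a DHCP client uses before it has a lease).

```cisco
! Added example: one VLAN per switch port on a Cisco 881, with a per-port
! source-address filter. Not the original answer's configuration.
! On older IOS releases the VLANs are created in "vlan database" EXEC mode
! instead of with the global "vlan <id>" commands shown here.
vlan 100
 name PORT-F0
vlan 101
 name PORT-F1
vlan 102
 name PORT-F2
vlan 103
 name PORT-F3
!
! Each physical LAN port is an access port in its own VLAN.
interface FastEthernet0
 switchport access vlan 100
 no shutdown
interface FastEthernet1
 switchport access vlan 101
 no shutdown
interface FastEthernet2
 switchport access vlan 102
 no shutdown
interface FastEthernet3
 switchport access vlan 103
 no shutdown
!
! Ingress ACLs (names are an assumption for this example): only the subnet
! that belongs to a port is accepted as a source address on that port.
! The bootpc/bootps line keeps DHCP discovery working; drop it if clients
! are statically addressed. The implicit deny at the end blocks everything else.
ip access-list extended FROM-F0
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended FROM-F1
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended FROM-F2
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended FROM-F3
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit ip 192.168.3.0 0.0.0.255 any
!
! One SVI per VLAN: the default gateway for that port's clients, with the
! matching ACL applied inbound so spoofed sources from another port's subnet
! never get routed.
interface Vlan100
 ip address 192.168.0.254 255.255.255.0
 ip access-group FROM-F0 in
interface Vlan101
 ip address 192.168.1.254 255.255.255.0
 ip access-group FROM-F1 in
interface Vlan102
 ip address 192.168.2.254 255.255.255.0
 ip access-group FROM-F2 in
interface Vlan103
 ip address 192.168.3.254 255.255.255.0
 ip access-group FROM-F3 in
```

With this in place, an ACL elsewhere in the network can treat a source in 192.168.2.0/24 as proof that the packet entered on f2, which is the property the question asks for. The same effect, without maintaining four ACLs, can be had with strict unicast RPF (`ip verify unicast source reachable-via rx` on each SVI), which drops any packet whose source address is not routed back out the interface it arrived on; the explicit ACLs are shown here because they make the intended policy readable. Note that the filter identifies the port, not the person: anyone with physical access to the cable on f2 still gets f2's subnet.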