ACL on SVI
Hi All,
I have two VLANs on a switch with SVIs. One is the Server VLAN (Vlan 10), the other is the User VLAN (Vlan 20). Now I want to allow just SSH/WEB traffic from the Server VLAN and RST/ACK for outgoing traffic from the Server VLAN.
Please find the config for the VLANs below:
int vlan 10
ip add 10.10.10.1 255.255.255.0
int vlan 20
ip add 20.20.20.1 255.255.255.0
ip access-list extended VLAN10-SSH/WEB-IN
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 22
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
ip access-list extended VLAN10-RST/ACK-OUT
permit tcp any any established
I want to apply these on the server VLAN (Vlan 10):
int vlan 10
ip access-group VLAN10-SSH/WEB-IN ??   -- what should the direction be?
ip access-group VLAN10-RST/ACK-OUT ??  -- what should the direction be?
Thanks in advance
Jagdev
hey!! apply ssh/web-in in the inbound direction & the ack/out rule in the outbound direction!!!
Similar Messages
-
Fundamental ACL & Service Policy related questions
Hi All,
apologies in advance for seemingly stupid questions, but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is, whether it's because all debugging messages go to the debug log instead of being printed on the console, or what it is... I just don't get it. When I'm saying logging console... please print it on the console! Anyway, that rant aside...
I have a VERY simple topology like so
A few servers in this VLAN
ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
ASA5520 <--> Internal VLAN
With regards to ACLs and their direction: when an ACL (or, in cases where QoS is enabled, a service-policy) is applied to a routed physical port on the 3560, does saying that the policy is applied in the "in" direction (or 'input' in the case of a service-policy) mean 'inbound' in either direction? As in, IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or "service-policy input myPolicymap")... will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or is "IN" for it always JUST the ISP side, because it's assuming that all traffic generated from inside the network going out to the Internet is implicitly allowed UNLESS an ACL somewhere in the network restricts that?
Then, in the case of an SVI... I believe that, just like the physical routed port, I can ONLY implement an "inbound" ACL on this as well. So when I implement either a hierarchical policy-map or just an access-group "in", then what is "IN"... traffic entering this VLAN from the internal network and those public servers going out to the Internet AND traffic entering this VLAN from the ISP/Internet via the physical routed port, OR is it JUST the latter, or is it just the former?
Now lastly, when I have the physical ports to which the ASA and each of those physical servers are connected sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, in what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the internal network through the ASA, and the Internet, OR just the traffic coming into it from the Internet, while the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy?
Again, very sorry for a dumb question, but I'm seeing bizarre things in my network so I was just wondering before I decide on what kind of security I want to plan/design.
Thanks in advance
The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace". On, it goes to syslog; "no logging debug-trace" goes to the console. I've been bitten by this one myself.
ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else. On Catalyst switches port ACLs are inbound (receiving packets) only. Obviously, on directly connected devices, one device's out is the other device's in.
ACLs on SVIs depend on whether you are running a base image or a services image; services images can do IPv4 and IPv6 in both directions. However, port ACLs trump routed ACLs; if both exist, the port ACL is the only one applied. I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACLs on SVIs only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
-- Jim Leinweber, WI State Lab of Hygiene -
HI
I suppose a number of issues like this have been reported. I am getting confused about the direction of an ACL when it is on a router's physical interface and when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input please.
I have a L3 switch with 3 vlans
Vlan 1 - Routing-Vlan (connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)
Vlan 10 - Server-Vlan - 172.16.10.1/24
Vlan 11 - User-Vlan - 172.16.11.1/24
I want to allow only a specific network to come inside my network to access all the subnets; everything else must be blocked.
I want everyone in my network to be able to access anything outside the network.
I tried to configure the ACL as below:
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
int vlan 1
ip add 172.16.1.1 255.255.255.0
ip access-group 101 in
When I am trying from outside (172.16.100.1):
Ping 172.16.10.1 - Good (expected)
Ping 172.16.11.1 - NOT (expected)
When I am trying to ping from inside Server-Vlan (172.16.10.1)
Ping 172.16.100.1 - Good
The problem -
When I am trying to ping from inside the User-Vlan (172.16.11.1) to go outside to 172.16.100.1, I am not getting a reply.
What is going wrong in this scenario?
regards
Sunny
Hi Jon,
I was working on the ACL for the above issue. I have found the below things:
int vlan 1
des Routing vlan
ip address 172.16.1.1 255.255.255.0
ip access-group 110 in
int vlan 10
des server vlan
ip address 172.16.10.1 255.255.255.0
int vlan 11
des Users
ip address 172.16.11.1 255.255.255.0
ip access-group 100 in
The ACLs applied on vlan 10 and 11 are inbound in direction, so as we mentioned before, the traffic coming from each VLAN (172.16.10.x or 172.16.11.x) can be filtered at the SVI itself. In fact I had to add the statement permitting 172.16.11.0 to its own subnet just to be able to ping its own gateway.
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
And for filtering the traffic coming from outside, I had to put the ACL on interface vlan 1, applied in the INBOUND direction.
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255
What I understood:
For vlan 10 or 11 - if I apply it outbound, it means the traffic coming from outside and destined to the inside of that VLAN.
For vlan 10 or 11 - if I apply it inbound, it means the traffic coming from the inside of that VLAN and destined to the outside.
But for Vlan 1, which is the routing VLAN connecting to the other network, the behaviour is just the reverse:
If I apply it inbound, it means the traffic coming into that VLAN interface from outside.
If I apply it outbound, it means the traffic going out through that interface.
So I didn't apply any ACL in the outbound direction as of now.
Dear Jon, thanks for taking the time to describe the scenario in detail before.
Please check this and let me know whether my conclusion is correct or whether there is anything left to go round the loop again...!!!
Thanks and Regards
Sunny -
On an SG300-28MP I have 4 VLANS and I want to isolate the guest wi-fi vlan using an acl but I'm not having any luck
SG300-28MP#SHOW VLAN
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN
Vlan Name Ports Created by
1 1 gi1-10,gi22-25,gi27-28, D
Po1-8
25 AMX gi13-17,gi22-28 S
50 Guest-WiFi gi22-25 S
100 Cameras gi11-12,gi18-25,gi27-28 S
SG300-28MP#SHOW ACCESS-LISTS
Extended IP access list DENY-GUESTS-OUT
deny ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
permit ip any any
Extended IP access list DENY-GUESTS-IN
permit ip 192.168.188.0 255.255.255.0 host 192.168.185.1
deny ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
permit ip any any
Extended IP access list DENY-GUESTS-PORT
permit ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
permit ip any any
SG300-28MP#SHOW INTERFACES ACCESS-LISTS
Interface ACLs
gi22 Ingress: DENY-GUESTS-PORT
gi23 Ingress: DENY-GUESTS-PORT
gi24 Ingress: DENY-GUESTS-PORT
vlan 1 Ingress: DENY-GUESTS-IN
vlan 25 Ingress: DENY-GUESTS-IN
vlan 50 Ingress: DENY-GUESTS-OUT
vlan 100 Ingress: DENY-GUESTS-IN
SG300-28MP#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/1] via 192.168.185.1, 07:57:21, vlan 1
C 192.168.185.0/24 is directly connected, vlan 1
C 192.168.186.0/24 is directly connected, vlan 25
C 192.168.187.0/24 is directly connected, vlan 100
C 192.168.188.0/24 is directly connected, vlan 50
SG300-28MP#SHOW IP INTERFACE
IP Address I/F I/F Status admin/oper Type Directed Broadcast Precedence Status
192.168.185.254/24 vlan 1 UP/UP Static disable No Valid
192.168.186.254/24 vlan 25 UP/UP Static disable No Valid
192.168.187.254/24 vlan 100 UP/UP Static disable No Valid
192.168.188.254/24 vlan 50 UP/UP Static disable No Valid
SG300-28MP#
I've been using the web interface for config, and after seeing the CLI output of "SHOW INTERFACES ACCESS-LISTS" I see the ACLs are strictly ingress only, so that solves some of my confusion. This "vlan 50 Ingress: DENY-GUESTS-OUT" is pointless since it's ingress only, but I wasn't sure when I added it.
I would think this config would work but if I open vlan 50 web interface and ping to a host in any other vlan it responds.
I do have an RV320 on a stick with routes to each vlan interface and I also have "inter vlan routing" enabled on all vlans. I've tried with out this but I then can't launch the vlan management web page.
I'm working offsite, so maybe it does work if I'm a client on the guest network, since I have ACLs on gi 22-23 which are my wi-fi trunks and I'm thinking that's where the ACLs should be. But I'd like to know why the other ACLs that are assigned to the VLANs don't work, and why I can ping from the web page when logged into VLAN 50's management interface. I haven't found any good YouTube video on this subject, and what is available is all IOS, which is a bit different.
Yeah, that 255.255.255.0 was a mistake. I think I've made some sense of it all now.
1st, the RV320 just needs the routes for all vlans in advanced routing not "Intervlan routing" enabled in Port Management > VLAN membership to allow me to access through my vpn. That bothered me since that's what using L3 mode of the SG300 was for.
2nd, I had the idea in my head that inter-VLAN flow would go from a source into its VLAN, out through the "switch/router", then into the destination VLAN and out of that VLAN to its destination. Even though it's all under the same hood, I thought there were logical segments in the flow. This flawed thinking would then give me an in and an out on each VLAN in the path to place the ACL, if both in and out were supported. Of course only ingress is supported, so I still was thinking the ACL could go on either VLAN because in my head they both had "ins" in the flow's path.
I now believe that, in regard to flow, VLANs are nothing more than another port of the switch; it just isn't physically there and you can't physically connect to it, so flow can only go from the source into its VLAN and then out the destination VLAN to the destination. There's nothing flow-wise in between that would provide the "out" on the source VLAN and the "in" on the destination VLAN. This thinking then only allows me one place to put the ACL if only ingress ACLs are permitted.
Now the reason I wasn't seeing the ACLs work is because pinging from the VLAN occurs after "ingress" from within the VLAN, so only pinging from a host on the VLAN would actually get filtered by an ingress ACL. I was able to test this theory on another VLAN that had a host that could initiate pings.
SG300-28MP#show access-lists
Extended IP access list DENY-GUESTS-IN
deny ip 192.168.188.0 0.0.0.255 192.168.185.2 0.0.0.254
deny ip 192.168.188.0 0.0.0.255 192.168.186.0 0.0.1.255
permit ip any any
SG300-28MP#SHOW INTERFACES ACCESS-LISTS
Interface ACLs
gi22 Ingress: DENY-GUESTS-IN
gi23 Ingress: DENY-GUESTS-IN
gi24 Ingress: DENY-GUESTS-IN
vlan 50 Ingress: DENY-GUESTS-IN
SG300-28MP#
I still have the ACLs on the interface ports that my wi-fi APs connect to. I saw a YouTube tutorial that said extended ACLs should go as close to the source as possible, so is it better to put them on the wi-fi trunk ports and delete the VLAN ACL, or should I delete the port ACLs and just leave the VLAN ACL? I could leave both, but then the switch has to work harder.
My 1st deny allows only the gateway IP from my .188 VLAN, and the 2nd deny should block .186 and .187 from .188. At least that's what I think that mask should do. Now for guest clients on .188 (vlan 50), do I need to allow any ports to allow them access to the internet? I have no clients on that VLAN to test from remotely to see if they can surf the internet without further permits. -
Hi Experts..
I have an L3 switch (4506) in which I have created a VLAN interface (VLAN-110) with the IP details below. The L3 switch is connected to an L2 switch which has ports on vlan 100 to which machines are connected.
int vlan 110
ip address 10.110.160.0 255.255.255.0 secondary
ip address 10.110.170.0 255.255.255.0
I have two machines: machine-A has IP address 10.110.170.50 and machine-B has IP 10.110.160.55. Now I want machine-A to have no connectivity to machine-B. So would applying an ACL and calling this ACL on the vlan110 interface block the communication? Is this the best practice, or can we do this in another recommended way? Please help.
Depends what you are trying to do.
vlan 10 = 192.168.5.0/24
access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
int vlan 10
ip address 192.168.5.1 255.255.255.0
ip access-group 101 in
So the above config does 2 things
1) It stops any machine on vlan 10 initiating a telnet connection to any machine on another subnet.
2) It then allows all traffic from any machine on vlan 10 to any other machine. All traffic means any IP traffic other than telnet.
What this access-list does not do is stop any machine on any subnet (other than vlan 10) initiating a telnet connection to machines in vlan 10. If you wanted to do that:
access-list 102 deny tcp any 192.168.5.0 0.0.0.255 eq 23
access-list 102 permit ip any 192.168.5.0 0.0.0.255
int vlan 10
ip access-group 102 out
So it entirely depends on what traffic you are trying to restrict and in which direction.
Jon -
Routing issue: SVI vs Firewall interface
Greetings
I have several switches interconnected in my network and multiple VLANs configured with an SVI assigned to each. InterVLAN routing works just fine. The switchport connected to the corporate firewall is the first port on the main switch (interface GigabitEthernet1/0/1, I reckon).
The firewall is VLAN unaware and it is managed by third party; I do not have access to it. The firewall is configured to route below two ranges only, and that is fine:
155.111.215.254/25 (servers)
10.15.245.254/24 (end users)
In my network, these ranges are broken down to sub-ranges and assigned VLAN ip address. Other ranges that I have in my network (192.168.x.x) are used by peripheral devices within LAN only and do not need to reach the firewall (neither internet).
So here is the problem I have:
If I point end user machines and servers to corresponding firewall interfaces (assign default gateway accordingly), they can reach each other and have access to internet. But they would not be able to reach peripheral devices in 192.168.x.x range which are pointed to respective VLAN IP address (SVI).
If I point end user machines and servers to respective VLAN IP address, they would reach peripheral devices, but there would be no connection to the internet. So what I need is access to internet for computers with ip address within firewall configured range, but with SVI as the default gateway rather than the firewall interfaces.
My request to add each VLAN to the firewall was rejected because it would cost money.
For a workaround, I wonder whether there is something to do with the switchport connected to the firewall, or it is adding some rules on the firewall I need (like NAT). If it is the latter, then how to make a proper request to the firewall management team.
I would appreciate a suggestion on how to deal with this. Many thanks.
PS: Attaching the main switch config file just in case.
Hi,
You can tweak something in the firewall to make this work... you can have the firewall as the gateway for all VLANs... you can do NAT exemption in the firewall to reach those peripheral devices... and you should have the route from the firewall to reach them, and the access-list should allow that...
same-security-traffic permit intra-interface - to permit access to flow through the same interface...
Make sure you are able to reach those peripheral VLANs from the ASA first... then do it step by step... ACLs, NAT exemption, same-security, route... the route should be pointed to the core devices, since they have the direct connectivity to the peripheral devices' VLAN...
Regards
Karthik -
ACE30 - PING to VIP and Client side SVI not working
Hi Guys,
Having set up the ACE30 based on the configuration guides, I've been able to get basic load balancing working, probes, stickiness etc. However, in testing connectivity, I've noticed that from the real server on the backend I cannot seem to PING:
1. The VIP for the web service that the server is a part of
2. The Client side SVI
I'd like this to work to ensure full connectivity.
I've applied ACLs to the Client side SVI (on the ACE) to allow this in both directions, and also removed any ACLs attached to the client side SVI on the MSFC where the subnet is actually homed. However I just cannot seem to PING the Client side SVI on the ACE, or the VIP. Trying to understand if this is normal behavior.
Have inserted my config below for completeness.
ACE30 Config
login timeout 60
hostname ACE1
boot system image:c6ace-t1k9-mz.A90_6_3_5.bin
boot system image:c6ace-t1k9-mz.A4_1_0.bin
resource-class RC_1
limit-resource all minimum 10.00 maximum unlimited
access-list all line 8 extended permit ip any any
access-list v6-any line 8 extended permit ip anyv6 anyv6
class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol https any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
interface vlan 768
description Management connectivity
ip address 10.20.40.72 255.255.255.0
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 10.20.40.254
context VC_1
allocate-interface vlan 11
allocate-interface vlan 186
member RC_1
username admin password 5 $1$STizNv5q$i96.Qrt4C4SfHkbLyVT74. role Admin domain default-domain
username www password 5 $1$ZAn8bOtv$xmmNlH8akF6iYfXdQCKMo1 role Admin domain default-domain
ssh key rsa1 1024 force
! VC_1
ACE1/VC_1# sh run
probe http HTTP_PROBE1
interval 15
passdetect interval 60
expect status 200 200
open 1
rserver host RS_MONASH_WEB1
description Test Monash Web Server 1
ip address 10.194.27.177
inservice
serverfarm host SF_MONASH_WEB
probe HTTP_PROBE1
rserver RS_MONASH_WEB1 80
inservice
sticky ip-netmask 255.255.255.255 address source STICKY_MONASH_WEB
timeout 3600
serverfarm SF_MONASH_WEB
class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
2 match protocol ssh any
3 match protocol telnet any
4 match protocol icmp any
5 match protocol https any
class-map match-all VS_MONASH_WEB
2 match virtual-address 10.194.11.1 tcp eq www
access-list ALLOW_TRAFFIC_TOWARDS_ACE extended permit ip any any
access-list ALLOW_TRAFFIC_TOWARDS_ACE extended permit icmp any any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match PM_MONASH_WEB_LB
class class-default
sticky-serverfarm STICKY_MONASH_WEB
policy-map multi-match PM_MULTI_MATCH_CLIENT_VIP
class VS_MONASH_WEB
loadbalance vip inservice
loadbalance policy PM_MONASH_WEB_LB
service-policy input REMOTE_MGMT_ALLOW_POLICY
interface vlan 11
description Client connectivity on Vlan 11
ip address 10.194.11.250 255.255.255.0
access-group input ALLOW_TRAFFIC_TOWARDS_ACE
access-group output ALLOW_TRAFFIC_TOWARDS_ACE ! not sure if this is required as well?
service-policy input PM_MULTI_MATCH_CLIENT_VIP
no shutdown
interface vlan 186
description CSM www monash
ip address 10.194.27.189 255.255.255.240
access-group input ALLOW_TRAFFIC_TOWARDS_ACE ! not sure if this is required?
access-group output ALLOW_TRAFFIC_TOWARDS_ACE ! not sure if this is required?
ip dhcp relay server 130.194.15.17
ip dhcp relay server 130.194.15.1
ip dhcp relay enable
no shutdown
ip route 0.0.0.0 0.0.0.0 10.194.11.254
6500s
! test-clay1-gw - ACE connects to this 6500
svclc multiple-vlan-interfaces
svclc module 2 vlan-group 2
svclc vlan-group 2 11,171-499,768
! test-clay0-gw - Where Client side subnet, VLAN11 is homed
interface Vlan11
description Testlab server subnet
ip address 10.194.11.253 255.255.255.0
no shut
ip route 10.194.27.176 255.255.255.240 10.194.11.250
thanks
Sheldon
To ping your VIP of the web server, you should apply the service-policy input command on VLAN 186 too. Currently the VIP only listens on VLAN 11. For the SVI, I think that was forbidden for security reasons, but I can't remember anymore. Maybe you just need to put the management policy on the interface VLAN 186. If it doesn't work, then my first guess was right.
-
Which direction should ACL be applied
Hello there,
I'm adding ACLs to lock down the LAN environment and my core is a 4510+R. I want to block port 80, 443 and 8080 from coming INTO the network. My security guy tells me users use port 80, 443 and 8080 to get out and web services use other ports to come back in. I want to use an extended access-list the likes of:
ip access-list extended NO_HTTP
deny tcp any any eq 80
deny tcp any any eq 443
deny tcp any any eq 8080
permit ip any any
My confusion is: which direction on my SVI do I apply this ACL if I want users to be able to access web sites but block inbound traffic on 80, 443 and 8080? All information I've been able to read says to apply extended ACLs as close to the source as possible. With an SVI, that seems like a grey area?
Any kind of clarification on this would be most helpful and appreciative.
Thanks very much in advance,
Kiley
I think from the perspective of the SVI you have to apply the access list OUT. OUT means that the traffic will be processed by the access list after it gets routed, i.e. when exiting the interface; in other words, packets originating from the outside GOING OUT to your LAN.
-
Route Map Policy on SVI - Trunk from ESX
Hi,
I have a question regarding the following configuration.
A route map matches traffic from a particular subnet, say on VLAN 10 (using an ACL).
A route map policy is applied on this SVI (int vlan 10)
A server on this subnet is running on ESX which is connected to the switch on a trunk port.
The ESX host tags all frames from this server as VLAN 10.
In this scenario, should the route map pick up the traffic from this server? I don't see why not, but in my testing it doesn't seem to be working :)
Thanks for any help.
Hi Alex,
It's a 3750x (stack) with 12.2(55)SE5.
I've already changed the SDM template to routing and rebooted the switch.
I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
Thanks again.
Extended IP access list UPLINK2
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
route-map ROUTE1 permit 10
match ip address UPLINK2
set ip next-hop 10.1.1.253
interface Vlan10
ip address 192.168.5.254 255.255.254.0
ip policy route-map ROUTE1
end
-
Network management security - Switches and SVIs
Hello all.
I have created a management vlan on my 4506. There are also other SVIs for other VLANs. I understand configuring access-lists for the management vlan as well as for all vty lines limiting to an IT VLAN for example. How can I remove telnet or SSH access from the other SVIs?
I have found documentation on best practices for the management vlan but can't find anything on disabling telnet and ssh from the other vlan interfaces.
I imagine an access list just blocking the ports? What would you suggest?
Thanks in advance.
Hi,
If you have decided on the source IPs from which telnet or SSH is allowed, you can use the access-class configuration with an ACL applied on the vty lines, which will only permit the particular hosts to telnet or SSH into the device.
Following is an example of access-class; hope it helps!!
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 5
access-class 12 in
Hope to Help !!
Ganesh.H
Remember to rate the helpful post -
Hello. We have the following settings on our switch. We created an ACL and applied it to an SVI for incoming traffic. I understand that it is not necessary to allow the returning traffic in the ACL, but we can't access RDP, for example, when we add the ACL. If we remove it, access is OK, but when we add it again access is denied, and we even get a log entry, although the ACL is just for incoming traffic. There is no other ACL. What should we check? What are we missing here?
Please see attached file
Thanks in Advance
interface Vlan64
ip address 10.147.64.254 255.255.255.0
ip access-group 134 in
access-list 134 permit udp any any eq bootpc log
access-list 134 permit udp any any eq bootps log
access-list 134 permit ip any 172.30.146.0 0.0.0.255
access-list 134 permit ip any 172.23.146.0 0.0.0.255
access-list 134 permit ip any 10.146.137.0 0.0.0.63
access-list 134 permit ip any 10.146.137.128 0.0.0.63
access-list 134 permit ip any host 10.146.81.240 log
access-list 134 permit ip any host 10.146.46.250
access-list 134 permit ip any host 10.146.46.157
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
access-list 134 deny ip any 192.168.0.0 0.0.255.255
access-list 134 permit tcp any host 172.27.72.27 eq www
access-list 134 deny ip any 172.16.0.0 0.15.255.255
"The next entry generates a log when I try RDP from 10.146.40.29 to 10.147.64.39"
access-list 134 deny ip any 10.0.0.0 0.255.255.255 log
access-list 134 deny ip any host 98.139.60.248 log
access-list 134 permit ip any any
access-list 134 permit icmp any any
"This is the log showed"
25w6d: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.147.64.38(3389) -> 10.146.40.29(1150), 1 packet
What you are missing is a statement in the access list to permit traffic to the subnet 10.146.40.0. Since there is no statement that permits this traffic, the line "access-list 134 deny ip any 10.0.0.0 0.255.255.255 log" denies the traffic, as it should.
To fix this problem you need to add a statement in the access list before that line to permit the traffic. The line might look something like this:
access-list 134 permit ip any 10.146.40.0 0.0.0.255
HTH
Rick -
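As an added example (not from any post on this page), a small Python model of IOS extended-ACL evaluation: wildcard-mask matching, first match, implicit deny, and the in/out view an SVI has of a packet. It reproduces the ACL 134 denial of the RDP reply logged above and the effect of the permit Rick suggests, and it also lets the direction question of the first thread (the VLAN 10 SSH/WEB and RST/ACK ACLs) be checked packet by packet. The packet model, the port-name table and the treatment of 'established' as an ACK/RST flag are simplifications I assume, and only a destination 'eq' is parsed.

```python
# Added example, not from any post on this page: a model of IOS extended-ACL
# evaluation and of the in/out view an SVI has of a packet, run against ACL 134.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: a 1 bit means 'don't care', so compare only the 0 bits."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # tcp / udp / icmp
    dport: int = 0
    ack_or_rst: bool = False   # the TCP flag state that 'established' tests


@dataclass
class Ace:
    action: str                # permit / deny
    proto: str                 # "ip" matches every protocol
    src: Tuple[str, str]       # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, *self.src)
                and wildcard_match(p.dst, *self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (not self.established or p.ack_or_rst))


def _addr(t: List[str]) -> Tuple[str, str]:
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the token list.
    tok = t.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (t.pop(0), "0.0.0.0")
    return (tok, t.pop(0))


def parse_ace(line: str) -> Ace:
    """Parse one IOS ACE; handles 'eq' on the destination only (covers every line on this page)."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                # drop 'access-list <number>'
    ace = Ace(t.pop(0), t.pop(0), _addr(t), _addr(t))
    while t:
        tok = t.pop(0)
        if tok == "eq":
            port = t.pop(0)
            ace.dport = {"www": 80, "telnet": 23, "bootps": 67, "bootpc": 68}.get(port) or int(port)
        elif tok == "established":
            ace.established = True   # 'log' and other trailing keywords are ignored
    return ace


def evaluate(lines: List[str], p: Packet) -> Tuple[str, str]:
    """First matching line decides; no match is the implicit deny at the end."""
    for line in lines:
        ace = parse_ace(line)
        if ace.matches(p):
            return ace.action, line
    return "deny", "implicit deny"


def svi_direction(vlan: Tuple[str, str], p: Packet) -> str:
    """An SVI ACL sees 'in' for packets sourced inside the VLAN, 'out' for packets routed toward it."""
    if wildcard_match(p.src, *vlan):
        return "in"
    return "out" if wildcard_match(p.dst, *vlan) else "transit"


# ACL 134 as posted above (the quoted comment line left out).
ACL_134 = """\
access-list 134 permit udp any any eq bootpc log
access-list 134 permit udp any any eq bootps log
access-list 134 permit ip any 172.30.146.0 0.0.0.255
access-list 134 permit ip any 172.23.146.0 0.0.0.255
access-list 134 permit ip any 10.146.137.0 0.0.0.63
access-list 134 permit ip any 10.146.137.128 0.0.0.63
access-list 134 permit ip any host 10.146.81.240 log
access-list 134 permit ip any host 10.146.46.250
access-list 134 permit ip any host 10.146.46.157
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
access-list 134 deny ip any 192.168.0.0 0.0.255.255
access-list 134 permit tcp any host 172.27.72.27 eq www
access-list 134 deny ip any 172.16.0.0 0.15.255.255
access-list 134 deny ip any 10.0.0.0 0.255.255.255 log
access-list 134 deny ip any host 98.139.60.248 log
access-list 134 permit ip any any
access-list 134 permit icmp any any""".splitlines()

# The denied RDP reply from the log line: 10.147.64.38(3389) -> 10.146.40.29(1150).
RDP_REPLY = Packet("10.147.64.38", "10.146.40.29", "tcp", dport=1150, ack_or_rst=True)


def with_suggested_permit(lines: List[str]) -> List[str]:
    # Insert the permit Rick suggests ahead of the 10.0.0.0/8 deny.
    i = next(k for k, l in enumerate(lines) if "deny ip any 10.0.0.0" in l)
    return lines[:i] + ["access-list 134 permit ip any 10.146.40.0 0.0.0.255"] + lines[i:]
```

Feeding the first thread's ACLs and a user-to-server SSH packet plus the server's ACK reply into `evaluate` and `svi_direction` shows which ACL can ever match in which direction on the Vlan 10 SVI.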
Amended the post
Hello
Can someone guide me on how to apply an access-list to a VLAN?
Office_A connects to Office_B on different floors on vlan 10.
I need to allow inbound and outbound traffic.
Config of Office_A and host
VLAN
int vlan 10
ip address 192.168.177.254 255.255.255.252
Allow the following hosts to communicate with the hosts of Office_B:
host 192.168.110 port 443
host 192.168.1.16
network 192.168.25.0/24
Network of Office_B
Allow the following hosts to communicate with the hosts of Office_A:
192.168.100.10 port 443
192.168.100.17
192.168.27.0/24
Please guide me with the right inbound / outbound ACL to apply on the SVI.
thanks
Vishal
Just to be on the same side, you want hosts 192.168.1.10:443 & 192.168.1.16 to connect to 192.168.100.10:443, and hosts 192.168.100.10:443 & 192.168.100.17 to connect to 192.168.110:443?
I'm asking because I got confused from your question. If you have a topology for your network, it would be of great asset.
Best Regards,
Islam M. Nadim -
I am trying to understand the boundaries of a VLAN on a given switch. When a packet is passed from Vlan int 1 to Vlan int 2 on the same switch, and Vlan 2 has an inbound ACL denying this packet, would the packet get acted upon in this manner, or does the ACL only get applied if the packet enters a physical interface?
A packet coming into a device from one interface and going out another interface does not pass two 'inbound' ACLs. It can pass two ACLs but one will be inbound and one will be outbound.
The situation is no different when you are using logical interfaces like SVI (L3 VLAN interfaces). In your case if you have an ACL defined inbound on VLAN 1 in the distribution switch then the packets coming into VLAN1 will be subject to inspection against the rules of this ACL. However, if there is no outbound ACL for VLAN 2 then packets leaving the distribution switch and going out of VLAN 2 to switch 2 will not be subject to any ACLs.
The concept of inbound and outbound is the same in case of both physical interfaces or logical interfaces. -
How can I tell, after looking at the ACL, whether it is a router ACL or a port ACL?
Is there any syntax difference between these two ACLs, or do they look the same?
how to find out after looking at the ACl that this is router acl and this is port acl.
It depends on where the ACL is applied:
Layer-3 interface (SVI, routed port): Router ACL
Layer-2 interface (physical switch interfaces): Port ACL
is there is any syntax difference between these two acl's?
Both support Standard and Extended ACLs, the Port ACLs support MAC Extended ACLs in addition.
Link: c3560 Configuring Network Security with ACLs -
ACL applied to Vlan interfaces
I have been working with access lists for a while now and I think I have a good knowledge of them. But the thing I'm still confused about is when you apply an ACL "in" and "out" to an SVI or VLAN virtual interface.
It seems like on these types of interfaces the directions change completely compared to the normal interfaces (ethernet, serial... etc.). The logic is different and sometimes I find myself in problems when I have to do some troubleshooting at work.
I've tried to find some information or manuals on Cisco about this specific issue but unfortunately I couldn't find anything clear.
Is there some method to quickly know when these ACL should be applied in one direction or another?
Thanks for your time.
It's no different on an SVI: "in" means coming in from the network (user ports). "Out" means out towards the clients' network.