ACL on SVI

Hi All,
I have two VLANs on the switch with SVIs. One is the Server VLAN (Vlan 10), the other is the User VLAN (Vlan 20). Now I want to just allow SSH/WEB traffic from Server and RST/ACK for outgoing traffic from Server Vlan.
Please find the config for the VLANs:
Vlan 10
ip add 10.10.10.1  255.255.255.0
Vlan 20
ip add  20.20.20.1 255.255.255.0
ip access-list extended VLAN10-SSH/WEB-IN
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 22
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
ip access-list extended VLAN10-RST/ACK-OUT
permit tcp any any established
I want to apply them on the server VLAN (Vlan 10):
int vlan 10
ip access-group VLAN10-SSH/WEB-IN -- ?? - what should be direction
ip access-group  VLAN10-RST/ACK-OUT -- ??  what should be direction
Thanks in advance
Jagdev

hey!! apply ssh/web-in in the inbound direction & ack/out rule in the outbound direction!!!
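To check the direction question before committing the config, here is an added Python model (not code from this thread or from Cisco) of how a Layer-3 switch evaluates router ACLs on SVIs: an ACL applied "in" on interface Vlan N sees packets received from hosts in VLAN N, and an ACL applied "out" on Vlan N sees packets routed towards VLAN N, which is the convention the later replies on this page (Jon's "out" example and the last thread) describe. The ACL entries are the ones from the question; the host addresses, the flows and the `L3Switch` class are constructed for the example, and traffic addressed to the switch itself (pinging the gateway) is not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 0
    proto: str = "tcp"
    ack: bool = False  # True for a non-initial TCP segment (ACK or RST set)

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """'<permit|deny> <proto> <src> <dst> [eq PORT] [established]', with src/dst
    given as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (destination port only,
    which is all the lists on this page use)."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "port": None, "established": False}
    i = 2
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = None, i + 1
        elif t[i] == "host":
            ace[side], i = (t[i + 1], "0.0.0.0"), i + 2
        else:
            ace[side], i = (t[i], t[i + 1]), i + 2
    while i < len(t):
        if t[i] == "eq":
            ace["port"], i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            ace["established"], i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return ace

def acl_permits(acl, pkt):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt.proto)
                and (ace["src"] is None or wildcard_match(pkt.src, *ace["src"]))
                and (ace["dst"] is None or wildcard_match(pkt.dst, *ace["dst"]))
                and (ace["port"] is None or ace["port"] == pkt.dport)
                and (not ace["established"] or pkt.ack)):
            return ace["action"] == "permit"
    return False

class L3Switch:
    """A routed packet passes the inbound ACL of the ingress SVI (its source
    VLAN) and then the outbound ACL of the egress SVI (its destination VLAN)."""

    def __init__(self, svis):
        self.svis = {v: ipaddress.ip_network(n) for v, n in svis.items()}
        self.acls = {}  # (vlan, "in" | "out") -> parsed ACEs

    def apply(self, vlan, direction, lines):
        self.acls[(vlan, direction)] = [parse_ace(l) for l in lines]

    def vlan_of(self, addr):
        ip = ipaddress.ip_address(addr)
        return next(v for v, n in self.svis.items() if ip in n)

    def forward(self, pkt):
        """True when every ACL checkpoint on the routed path permits the packet."""
        steps = ((self.vlan_of(pkt.src), "in"), (self.vlan_of(pkt.dst), "out"))
        return all(acl_permits(self.acls[k], pkt) for k in steps if k in self.acls)

# The two lists from the question above.
SSH_WEB = [
    "permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 22",
    "permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80",
    "permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443",
]
ESTABLISHED = ["permit tcp any any established"]

# Constructed flows between the user VLAN (20) and the server VLAN (10).
USER_SSH = Packet("20.20.20.5", "10.10.10.7", dport=22)
USER_SMB = Packet("20.20.20.5", "10.10.10.7", dport=445)
SERVER_REPLY = Packet("10.10.10.7", "20.20.20.5", dport=51000, ack=True)
SERVER_NEW = Packet("10.10.10.7", "20.20.20.5", dport=22)

def outcome(ssh_web_dir, established_dir):
    """Apply both lists on interface Vlan 10 in the given directions and report
    whether (user ssh, user smb, server reply, server-initiated ssh) is forwarded."""
    sw = L3Switch({10: "10.10.10.0/24", 20: "20.20.20.0/24"})
    sw.apply(10, ssh_web_dir, SSH_WEB)
    sw.apply(10, established_dir, ESTABLISHED)
    return tuple(sw.forward(p) for p in (USER_SSH, USER_SMB, SERVER_REPLY, SERVER_NEW))

if __name__ == "__main__":
    print("SSH/WEB out, established in :", outcome("out", "in"))
    print("SSH/WEB in,  established out:", outcome("in", "out"))
```

Running the two placements side by side shows what each direction on Vlan 10 actually filters: with the SSH/WEB list outbound and the established list inbound, user-initiated SSH to the servers is forwarded, SMB is dropped, and only the servers' replies leave the VLAN. With the lists swapped, neither the user requests nor the replies match anything, because the SSH/WEB list is written with 20.20.20.0/24 as the source while packets arriving inbound on Vlan 10 are sourced from 10.10.10.0/24, and the established list then meets the users' initial SYNs in the outbound direction.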

Similar Messages

  • Fundamental ACL & Service Policy related questions

    Hi All,
    apologies in advance for seemingly stupid questions but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is and if it's because all debugging messages go to the debug log instead of being printed on the console, or what it is...I just don't get it. When I'm saying logging console...please print it on the console! Anyway, that rant aside...
    I have a VERY simple topology like so
                                                                                        A few servers in this VLAN
    ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
                                                                                        ASA5520 <--> Internal VLAN
    With regards to ACLs and their direction, when an ACL is applied to a physical port (or in cases where QoS is enabled and a service-policy) is applied to either a routed physical port on the 3560, saying that the policy is applied in the "in" direction (or 'input' in case of service-policy) does that mean 'inbound' in either direction? As in IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or service-policy input myPolicymap) ...will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or "IN" for it is always JUST the ISP side because it's assuming that all traffic generated from inside the network going out to the Internet is implicitly allowed UNLESS an ACL somewhere in the network restricts that?
    then, in case of an SVI...I believe just like the physical routed port, I can ONLY implement an "Inbound" ACL on this as well. So when I implement either a Hierarchical policy-map or just an access-group "in", then what is "IN" ...traffic entering this VLAN from the internal network and those public servers going out to the Internet AND Traffic entering this VLAN from the ISP/Internet via the physical routed Port OR is it JUST the latter, or is it just the former?
    Now Lastly, when I have the physical ports to which the ASA and each of those physical servers are connected to sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the Internal network through the ASA, and the Internet OR just the traffic coming into it from the Internet, but the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy
    Again, very sorry for a dumb question but I'm seeing bizarre things in my network so was just wondering before I decide on what kind of security I want to plan/design
    Thanks in advance

    The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace".  On goes to syslog, "no logging debug-trace" goes to console.  I've been bitten by this one myself.
    ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else.  On Catalyst switches port ACLs are inbound (receiving packets) only.  Obviously, on directly connected devices, one device's out is the other device's in.
    ACLs on SVIs depend on whether you are running a base image or services image; services images can do IPv4 and IPv6 in both directions.  However, port ACLs trump routed ACLs; if both exist, the port ACL is the only one applied.  I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACLs on SVIs only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
    -- Jim Leinweber, WI State Lab of Hygiene

  • Acl issue in L3 Switch SVI

    HI
    I hope a number of issues like this have been reported. I am getting confused about the direction of an ACL when it is on a router's physical interface and when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input please.
    I have a L3 switch with 3 vlans
    Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)
    Vlan 10 - Server-Vlan - 172.16.10.1/24
    Vlan 11 - User-Vlan - 172.16.11.1/24
    I want to allow only a specific network to come inside my network to access all the subnets; everything else must be blocked.
    I want everyone in my network to access anything outside the network.
    I tried to configure the ACL as below:
    access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
    int vlan 1
    ip add 172.16.1.1 255.255.255.0
    ip access-group 101 in
    When I am trying from outside (172.16.100.1):
    Ping 172.16.10.1 - Good (expected)
    Ping 172.16.11.1 - NOT (expected)
    When I am trying to ping from inside Server-Vlan (172.16.10.1)
    Ping 172.16.100.1 - Good
    The problem -
    When I am trying to ping from inside User-Vlan (172.16.11.1) to go outside to 172.16.100.1, I am not getting a reply.
    What is going wrong here in this scenario?
    regards
    Sunny

    Hi Jon,
    I was working on the ACL for the above issue. I have found the things below:
    int vlan 1
    des Routing vlan
    ip address 172.16.1.1 255.255.255.0
    ip access-group 110 in
    int vlan 10
    des server vlan
    ip address 172.16.10.1 255.255.255.0
    int vlan 11
    des Users
    ip address 172.16.11.1 255.255.255.0
    ip access-group 100 in
    The ACLs applied on vlan 10 and 11 are inbound in direction, so as we have mentioned before, the traffic coming from each vlan (172.16.10.x OR 172.16.11.x) can be filtered at the SVI itself. In fact I needed to put the statement below in bold to ping its own gateway.
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
    And for filtering the traffic coming from outside, I had to put the ACL on interface vlan 1 and call it in the INBOUND direction.
    access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
    access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255
    What I understood:
    for vlan 10 or 11 - if I call outbound, it means the traffic coming from outside and destined to the inside of that vlan.
    for vlan 10 or 11 - if I call inbound, it means the traffic coming from inside of that vlan and destined to outside.
    But for Vlan 1, which is the routing vlan connecting to the other network, the behaviour is just the reverse:
    If I call inbound, it means the traffic coming into that vlan interface from outside.
    If I call outbound, it means the traffic going out through that interface.
    So I didn't call any ACL in the outbound direction as of now.
    Dear Jon, thanks for taking time to describing the scenario in detail before.
    please check this and let me know that my conclusion is correct or is there anything left to be in the loop again...!!!
    Thanks and Regards
    Sunny

  • SVI ACLs?

    On an SG300-28MP I have 4 VLANs and I want to isolate the guest wi-fi vlan using an acl but I'm not having any luck
    SHOW VLAN
    Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN
    Vlan       Name                   Ports                           Created by
    1          1                      gi1-10,gi22-25,gi27-28,Po1-8    D
    25         AMX                    gi13-17,gi22-28                 S
    50         Guest-WiFi             gi22-25                         S
    100        Cameras                gi11-12,gi18-25,gi27-28         S
    SG300-28MP#SHOW ACCESS-LISTS
    Extended IP access list DENY-GUESTS-OUT
        deny    ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
        permit  ip any any
    Extended IP access list DENY-GUESTS-IN
        permit  ip 192.168.188.0 255.255.255.0 host 192.168.185.1
        deny    ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
        permit  ip any any
    Extended IP access list DENY-GUESTS-PORT
        permit  ip 192.168.188.0 0.0.0.255 192.168.185.0 0.0.3.255
        permit  ip any any
    SG300-28MP#SHOW INTERFACES ACCESS-LISTS
    Interface                  ACLs
    gi22               Ingress: DENY-GUESTS-PORT
    gi23               Ingress: DENY-GUESTS-PORT
    gi24               Ingress: DENY-GUESTS-PORT
    vlan 1             Ingress: DENY-GUESTS-IN
    vlan 25            Ingress: DENY-GUESTS-IN
    vlan 50            Ingress: DENY-GUESTS-OUT
    vlan 100           Ingress: DENY-GUESTS-IN
    SG300-28MP#show ip route
    Maximum Parallel Paths: 1 (1 after reset)
    IP Forwarding: enabled
    Codes: > - best, C - connected, S - static
    S   0.0.0.0/0 [1/1] via 192.168.185.1, 07:57:21, vlan 1
    C   192.168.185.0/24 is directly connected, vlan 1
    C   192.168.186.0/24 is directly connected, vlan 25
    C   192.168.187.0/24 is directly connected, vlan 100
    C   192.168.188.0/24 is directly connected, vlan 50
    SG300-28MP#SHOW IP INTERFACE
        IP Address         I/F      I/F Status      Type     Directed   Precedence   Status
                                    admin/oper               Broadcast
    192.168.185.254/24  vlan 1     UP/UP         Static      disable    No         Valid
    192.168.186.254/24  vlan 25    UP/UP         Static      disable    No         Valid
    192.168.187.254/24  vlan 100   UP/UP         Static      disable    No         Valid
    192.168.188.254/24  vlan 50    UP/UP         Static      disable    No         Valid
    SG300-28MP#
    I've been using the web interface for config, and after seeing the CLI output of "SHOW INTERFACES ACCESS-LISTS" I see the ACLs are strictly ingress only, so that solves some of my confusion. This "vlan 50            Ingress: DENY-GUESTS-OUT" is pointless since it's ingress only, but I wasn't sure when I added it in.
    I would think this config would work, but if I open the vlan 50 web interface and ping a host in any other vlan it responds.
    I do have an RV320 on a stick with routes to each vlan interface, and I also have "inter vlan routing" enabled on all vlans. I've tried without this but then I can't launch the vlan management web page.
    I'm working offsite, so maybe it does work if I'm a client on the guest network since I have ACLs on gi 22-23, which are my wi-fi trunks, and I'm thinking that's where the ACLs should be, but I'd like to know why the other ACLs that are assigned to the vlans don't work and why I can ping from the web page when logged into VLAN 50's management interface. I haven't found any good youtube video on this subject and what is available is all IOS, which is a bit different.

    Yeah that 255.255.255.0 was a mistake. I think I've made some sense of it all now.
    1st, the RV320 just needs the routes for all vlans in advanced routing, not "Intervlan routing" enabled in Port Management > VLAN membership, to allow me to access through my vpn. That bothered me since that's what using L3 mode of the SG300 was for.
    2nd, I had the idea in my head that inter-vlan flow would go from a source into its vlan and out through the "switch/router" and then into the dest vlan and then out of that vlan to its destination. Even though it's all under the same hood I thought there were logical segments in the flow. This flawed thinking would then give me an in and an out on each vlan in the path to place the ACL if both ins and outs were supported. Of course only ingress is supported, so I still was thinking the ACL could go on either vlan cuz in my head they both had "ins" in the flow's path.
    I now believe that in regard to flow, vlans are nothing more than another port of the switch; it just isn't physical there and you can't physically connect to it, so flow can only go from the source into its vlan and then out the dest vlan to the destination. There's nothing flow-wise in between that would provide the "out" on the source vlan and the "in" on the dest vlan. This thinking then only allows me one place to put the ACL if only ingress ACLs are permitted.
    Now the reason I wasn't seeing the ACLs work is because pinging from the vlan occurs after "ingress" from within the vlan, so only pinging from a host on the vlan would actually get filtered by an ACL ingress filter. I was able to test this theory on another vlan that had a host that could initiate pings.
    SG300-28MP#show access-lists
    Extended IP access list DENY-GUESTS-IN
        deny    ip 192.168.188.0 0.0.0.255 192.168.185.2 0.0.0.254
        deny    ip 192.168.188.0 0.0.0.255 192.168.186.0 0.0.1.255
        permit  ip any any
    SG300-28MP#SHOW INTERFACES ACCESS-LISTS
    Interface                  ACLs    
    gi22               Ingress: DENY-GUESTS-IN   
    gi23               Ingress: DENY-GUESTS-IN   
    gi24               Ingress: DENY-GUESTS-IN   
    vlan 50            Ingress: DENY-GUESTS-IN   
    SG300-28MP#
    I still have the ACLs on the interface ports that my wi-fi APs connect to.  I saw on a youtube tutorial that said extended ACLs should go as close to the source as possible so is it better to put them on the wi-fi trunk ports and delete the vlan ACL or should I delete the port ACLs and just leave the vlan ACL?  Could leave both but then the switch has to work harder.
    My 1st deny allows only the gateway IP from my .188 vlan and the 2nd deny should block the .186 and .187 from .188.  At least that's what I think that mask should do.  Now for guest clients on the .188 (vlan 50) do I need to allow any ports to allow them access to the internet?  I have no clients on that vlan to test from remotely to see if they can surf the internet with out further permits.
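A wildcard mask can be checked offline before it goes into an ACE. The Python helper below is an added example (not the SG300's own tooling or code from this thread): it reports the CIDR block a contiguous wildcard covers, flags non-contiguous wildcards such as 0.0.0.254 or 255.255.255.0 with the number of addresses they match, and tests constructed destination addresses against the two deny entries quoted above to show which guest-to-LAN packets fall through to the trailing permit. Note that the base address is masked by the wildcard too, so an entry written as 192.168.185.0 0.0.3.255 covers 192.168.184.0/22.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def wildcard_size(wildcard):
    """Number of addresses a single entry with this wildcard can match (2^popcount)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def describe_wildcard(base, wildcard):
    """Return the CIDR block for a contiguous wildcard (0.0.1.255 -> a /23);
    for a non-contiguous wildcard (0.0.0.254, 255.255.255.0) return a note with
    the count of scattered addresses it matches instead."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # set bits are not a trailing run of ones
        return f"non-contiguous wildcard, matches {wildcard_size(wildcard)} scattered addresses"
    prefix = 32 - w.bit_length()
    # strict=False applies the mask to the base, exactly as the switch does
    return str(ipaddress.ip_network(f"{base}/{prefix}", strict=False))

# The two deny entries from the DENY-GUESTS-IN list above (source 192.168.188.0/24).
DENY_DESTINATIONS = [("192.168.185.2", "0.0.0.254"), ("192.168.186.0", "0.0.1.255")]

def guest_reaches(dst):
    """True if a guest packet to dst misses both deny entries and so hits the
    trailing 'permit ip any any'."""
    return not any(wildcard_match(dst, base, w) for base, w in DENY_DESTINATIONS)

def blocked_hosts(network):
    """Hosts of a network that the deny entries actually cover; a quick way to
    see what an entry does before it is applied."""
    return [str(h) for h in ipaddress.ip_network(network).hosts() if not guest_reaches(str(h))]

if __name__ == "__main__":
    for base, w in DENY_DESTINATIONS:
        print(f"{base} {w:<12} -> {describe_wildcard(base, w)}")
    print("gateway 192.168.185.1 reachable:", guest_reaches("192.168.185.1"))
    print("odd host 192.168.185.3 reachable:", guest_reaches("192.168.185.3"))
    print("hosts blocked in 192.168.185.0/24:", len(blocked_hosts("192.168.185.0/24")))
```

The 0.0.0.254 wildcard fixes only the lowest bit of the last octet, so the first deny covers every even address in 192.168.185.0/24 (128 addresses, 127 of them usable hosts) and leaves every odd one, not just the .1 gateway, reachable; 0.0.1.255 is contiguous and covers exactly 192.168.186.0/23, i.e. both the .186 and .187 subnets.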

  • ACL SVI

    Hi Experts..
    I have a L3 switch (4506) in which I have created a vlan interface (VLAN-110) with the IP details below. The L3 switch is connected to a L2 switch which has ports on vlan 100 to which machines are connected.
    int vlan 110
    ip address 10.110.160.0 255.255.255.0 secondary
    ip address 10.110.170.0 255.255.255.0
    I have two machines: machine-A has IP address 10.110.170.50 and machine-B has IP 10.110.160.55. Now I want machine-A to not have connectivity to machine-B. So would applying an ACL and calling this ACL on the vlan110 interface block communication? Is this best practice? Or can we do this another recommended way? Pls help.

    Depends what you are trying to do.
    vlan 10 = 192.168.5.0/24
    access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    int vlan 10
    ip address 192.168.5.1 255.255.255.0
    ip access-group 101 in
    So the above config does 2 things
    1) It stops any machine on vlan 10 initiating a telnet connection to any other machine on another subnet
    2) It then allows all traffic from any machine on vlan 10 to any other machine. All traffic is any IP traffic other than telnet.
    What this access-list does not do is stop any machine on any subnet (other than vlan 10) initiating a telnet connection to machines in vlan 10. If you wanted to do that -
    access-list 102 deny tcp any 192.168.5.0 0.0.0.255 eq 23
    access-list 102 permit ip any 192.168.5.0 0.0.0.255
    int vlan 10
    ip access-group 102 out
    So it entirely depends on what traffic you are trying to restrict and in which direction.
    Jon

  • Routing issue: SVI vs Firewall interface

    Greetings
    I have several switches interconnected in my network and multiple VLANs configured with an SVI assigned to each. InterVLAN routing works just fine. The switchport connected to the corporate firewall is the first port on the main switch (interface GigabitEthernet1/0/1 I reckon).
    The firewall is VLAN unaware and it is managed by third party; I do not have access to it. The firewall is configured to route below two ranges only, and that is fine:
    155.111.215.254/25 (servers)
    10.15.245.254/24 (end users)
    In my network, these ranges are broken down to sub-ranges and assigned VLAN ip address. Other ranges that I have in my network (192.168.x.x) are used by peripheral devices within LAN only and do not need to reach the firewall (neither internet).
    So here is the problem I have:
    If I point end user machines and servers to corresponding firewall interfaces (assign default gateway accordingly), they can reach each other and have access to internet. But they would not be able to reach peripheral devices in 192.168.x.x range which are pointed to respective VLAN IP address (SVI).
    If I point end user machines and servers to respective VLAN IP address, they would reach peripheral devices, but there would be no connection to the internet. So what I need is access to internet for computers with ip address within firewall configured range, but with SVI as the default gateway rather than the firewall interfaces.  
    My request to add each VLAN to the firewall was rejected because it would cost money.
    For a workaround, I wonder whether there is something to do with the switchport connected to the firewall, or it is adding some rules on the firewall I need (like NAT). If it is the latter, then how to make a proper request to the firewall management team.
    I would appreciate a suggestion on how to deal with this.  Many thanks.
    PS: Attaching main switch config file just in case.

    Hi,
    You can tweak something in the firewall to make this work... you can have the firewall as the gateway for all VLANs.... you can do NAT exemption in the firewall to reach those peripheral devices.... and you should have the route from the firewall to reach that, and the access-list should allow that......
    same-security-traffic permit intra-interface - to permit access to flow through the same interface......
    Make sure you are able to reach those peripheral VLANs from the ASA 1st... then do it step by step.... ACLs, NAT exemption, same-sec., route... the route should be pointed to the core devices, since that has the direct connectivity to the peripheral devices' VLAN...
    Regards
    Karthik

  • ACE30 - PING to VIP and Client side SVI not working

    Hi Guys,
    Having set up the ACE30 based on the configuration guides, I've been able to get basic load balancing working, probes, stickiness etc.  However in testing connectivity, I've noticed that from the real server on the backend I cannot seem to PING:
    1. The VIP for the web service that the server is a part of
    2. The Client side SVI
    I'd like this to work to ensure full connectivity.
    I've applied ACLs to the Client side SVI (on the ACE) to allow this in both directions, and also removed any ACLs attached to the client side SVI on the MSFC where the subnet is actually homed.  However I just cannot seem to PING the Client side SVI on the ACE, or the VIP.  Trying to understand if this is normal behavior.
    Have inserted my config below for completeness.
    ACE30 Config
    login timeout 60
    hostname ACE1
    boot system image:c6ace-t1k9-mz.A90_6_3_5.bin
    boot system image:c6ace-t1k9-mz.A4_1_0.bin
    resource-class RC_1
      limit-resource all minimum 10.00 maximum unlimited
    access-list all line 8 extended permit ip any any
    access-list v6-any line 8 extended permit ip anyv6 anyv6
    class-map type management match-any REMOTE_ACCESS
      description Remote access traffic match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
      5 match protocol https any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    interface vlan 768
      description Management connectivity
      ip address 10.20.40.72 255.255.255.0
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.20.40.254
    context VC_1
      allocate-interface vlan 11
      allocate-interface vlan 186
      member RC_1
    username admin password 5 $1$STizNv5q$i96.Qrt4C4SfHkbLyVT74.  role Admin domain default-domain
    username www password 5 $1$ZAn8bOtv$xmmNlH8akF6iYfXdQCKMo1  role Admin domain default-domain
    ssh key rsa1 1024 force
    ! VC_1
    ACE1/VC_1# sh run
    probe http HTTP_PROBE1
      interval 15
      passdetect interval 60
      expect status 200 200
      open 1
    rserver host RS_MONASH_WEB1
      description Test Monash Web Server 1
      ip address 10.194.27.177
      inservice
    serverfarm host SF_MONASH_WEB
      probe HTTP_PROBE1
      rserver RS_MONASH_WEB1 80
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKY_MONASH_WEB
      timeout 3600
      serverfarm SF_MONASH_WEB
    class-map type management match-any REMOTE_ACCESS
      description Remote access traffic match
      2 match protocol ssh any
      3 match protocol telnet any
      4 match protocol icmp any
      5 match protocol https any
    class-map match-all VS_MONASH_WEB
      2 match virtual-address 10.194.11.1 tcp eq www
    access-list ALLOW_TRAFFIC_TOWARDS_ACE extended permit ip any any
    access-list ALLOW_TRAFFIC_TOWARDS_ACE extended permit icmp any any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match PM_MONASH_WEB_LB
      class class-default
        sticky-serverfarm STICKY_MONASH_WEB
    policy-map multi-match PM_MULTI_MATCH_CLIENT_VIP
      class VS_MONASH_WEB
        loadbalance vip inservice
        loadbalance policy PM_MONASH_WEB_LB
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    interface vlan 11
      description Client connectivity on Vlan 11
      ip address 10.194.11.250 255.255.255.0
      access-group input ALLOW_TRAFFIC_TOWARDS_ACE
      access-group out ALLOW_TRAFFIC_TOWARDS_ACE       ! not sure if this is required as well?
      service-policy input PM_MULTI_MATCH_CLIENT_VIP
      no shutdown
    interface vlan 186
      description CSM www monash
      ip address 10.194.27.189 255.255.255.240
      access-group input ALLOW_TRAFFIC_TOWARDS_ACE    ! not sure if this is required?
      access-group out ALLOW_TRAFFIC_TOWARDS_ACE      ! not sure if this is required?
      ip dhcp relay server 130.194.15.17
      ip dhcp relay server 130.194.15.1
      ip dhcp relay enable
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.194.11.254
    6500s
    ! test-clay1-gw - ACE connects to this 6500
    svclc multiple-vlan-interfaces
    svclc module 2 vlan-group 2
    svclc vlan-group 2  11,171-499,768
    ! test-clay0-gw - Where Client side subnet, VLAN11 is homed
    interface Vlan11
    description Testlab server subnet
    ip address 10.194.11.253 255.255.255.0
    no shut
    ip route 10.194.27.176 255.255.255.240 10.194.11.250
    thanks
    Sheldon

    To ping your VIP of the webserver, you should apply the service-policy input command on VLAN 186 too. Currently the VIP only listens on VLAN 11. For the SVI I think that was forbidden for security reasons, but I can't remember anymore. Maybe you just need to put the management policy on the interface VLAN 186. If it doesn't work, then my first guess was right.

  • Which direction should ACL be applied

    Hello there,
    I'm adding ACLs to lock down the LAN environment and my core is a 4510+R.  I want to block port 80, 443 and 8080 from coming INTO the network.  My security guy tells me users use port 80, 443 and 8080 to get out and web services use other ports to come back  in.   I want to use an extended access-list the likes of:
    ip access-list extended NO_HTTP
    deny tcp any any eq 80
    deny tcp any any eq 443
    deny tcp any any eq 8080
    permit ip any any
    My confusion is:  which direction on my SVI do I apply this ACL if I want users to be able to access web sites but block inbound traffic on 80, 443 and 8080? All information I've been able to read says to apply extended ACLs as close to the source as possible.  With an SVI, that seems like a grey area?
    Any kind of clarification on this would be most helpful and appreciative.
    Thanks very much in advance,
    Kiley

    I think from the perspective of the SVI you have to apply the access list OUT. OUT means that the traffic will be processed by the access list after it gets routed, or when exiting the interface; in other words, packets originating from the outside GOING OUT to your LAN.

  • Route Map Policy on SVI - Trunk from ESX

    Hi,
    I have a question regarding the following configuration.
    A route map matches traffic from a particular subnet, say on VLAN 10 (using an ACL).
    A route map policy is applied on this SVI (int vlan 10)
    A server on this subnet is running on ESX which is connected to the switch on a trunk port.
    The ESX host tags all frames from this server as VLAN 10.
    In this scenario, should the route map pick up the traffic from this server? I don't see why not, but in my testing it doesn't seem to be working :)
    Thanks for any help.

    Hi Alex,
    It's a 3750x (stack) with 12.2(55)SE5.
    I've already changed the SDM template to routing and rebooted the switch.
    I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
    Thanks again.
    Extended IP access list UPLINK2
        10 permit ip 192.168.1.0 0.0.0.255 any
        20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
    route-map ROUTE1 permit 10
     match ip address UPLINK2
     set ip next-hop 10.1.1.253
    interface Vlan10
     ip address 192.168.5.254 255.255.254.0
     ip policy route-map ROUTE1
    end

  • Network management security - Switches and SVIs

    Hello all.
    I have created a management vlan on my 4506. There are also other SVIs for other VLANs. I understand configuring access-lists for the management vlan as well as for all vty lines limiting to an IT VLAN for example.  How can I remove telnet or SSH access from the other SVIs?
    I have found documentation on best practices for the management vlan but can't find anything on disabling telnet and ssh from the other vlan interfaces.
    I imagine an access list just blocking the ports?  What would you suggest?
    Thanks in advance.

    Hi,
    If you have decided the source IP from where telnet or SSH is allowed, you can use the access-class configuration with an ACL applied on line vty, which will only permit the particular host to telnet or SSH into the device.
    Following is an example for access-class; hope it helps !!
    The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
    access-list 12 permit 192.89.55.0  0.0.0.255
    line 1 5
    access-class 12 in
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Catalyst 3750 and ACL

    Hello. We have the next settings in our SW. We created an ACL and applied it to an SVI for incoming traffic. I understand that it is not necessary to allow the returning traffic in the ACL, but we can't access RDP, for example, when we add the ACL; if we remove it, the access is OK, but when we add it again the access is denied, and we even have a log entry, and the ACL is just for incoming traffic. There is no other ACL. What should we check?  What are we missing here?
    Please see attached file
    Thanks in Advance
    interface Vlan64
    ip address 10.147.64.254 255.255.255.0
    ip access-group 134 in
    access-list 134 permit udp any any eq bootpc log
    access-list 134 permit udp any any eq bootps log
    access-list 134 permit ip any 172.30.146.0 0.0.0.255
    access-list 134 permit ip any 172.23.146.0 0.0.0.255
    access-list 134 permit ip any 10.146.137.0 0.0.0.63
    access-list 134 permit ip any 10.146.137.128 0.0.0.63
    access-list 134 permit ip any host 10.146.81.240 log
    access-list 134 permit ip any host 10.146.46.250
    access-list 134 permit ip any host 10.146.46.157
    access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.46.228
    access-list 134 permit ip 10.147.64.0 0.0.0.255 host 10.146.137.99
    access-list 134 deny   ip any 192.168.0.0 0.0.255.255
    access-list 134 permit tcp any host 172.27.72.27 eq www
    access-list 134 deny   ip any 172.16.0.0 0.15.255.255
    “The next entry generates a log when I try RDP from 10.146.40.29 to 10.147.64.39”
    access-list 134 deny   ip any 10.0.0.0 0.255.255.255 log
    access-list 134 deny   ip any host 98.139.60.248 log
    access-list 134 permit ip any any
    access-list 134 permit icmp any any
    "This is the log shown"
    25w6d: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.147.64.38(3389) -> 10.146.40.29(1150), 1 packet

    What you are missing is a statement in the access list to permit traffic to the subnet of 10.146.40.0. Since there is no statement to permit this traffic, the line access-list 134 deny   ip any 10.0.0.0 0.255.255.255 log denies the traffic as it should.
    To fix this problem you need to add a statement in the access list before that line to permit the traffic. The line might look something like this:
    access-list 134 permit ip any 10.146.40.0 0.0.0.255
    HTH
    Rick
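Reading the log line the way the ACL sees it makes the missing entry obvious: the denied packet is the server's RDP reply (source port 3389 on 10.147.64.38 inside the VLAN, a high destination port on the client), which the inbound ACL on Vlan64 evaluates against its destination 10.146.40.29. The Python snippet below is an added example, not code from this thread: it parses %SEC-6-IPACCESSLOGP lines, classifies each one relative to the SVI subnet, and totals denied packets per ACL and destination /24 so the permit that is missing can be read straight off. The first sample line is the one quoted above; the other sample lines and the list of registered service ports are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Shape of the IOS message quoted in the thread:
# %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Registered (above 1023) service ports treated like well-known ones: RDP, MSSQL, MySQL, VNC.
SERVICE_PORTS = {3389, 1433, 3306, 5900}

SAMPLE_LOG = [  # first line is the one quoted above; the rest are constructed
    "25w6d: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.147.64.38(3389) -> 10.146.40.29(1150), 1 packet",
    "25w6d: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.147.64.38(3389) -> 10.146.40.29(1150), 12 packets",
    "25w6d: %SEC-6-IPACCESSLOGP: list 134 permitted udp 10.147.64.40(68) -> 255.255.255.255(67), 1 packet",
    "25w6d: %SYS-5-CONFIG_I: unrelated line that must be ignored",
]

def parse_accesslog(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry

def explain(entry, svi_network):
    """Classify one parsed line relative to the SVI's subnet. Reply traffic carries
    the service port as its *source*, so an inbound ACL on the SVI sees an RDP
    reply as '<server>(3389) -> <client>(high port)', not as the client's request."""
    sport, dport = entry["sport"], entry["dport"]
    return {
        "acl": entry["acl"],
        "verdict": entry["verdict"],
        "from_vlan": ipaddress.ip_address(entry["src"]) in ipaddress.ip_network(svi_network),
        "reply_like": (sport < 1024 or sport in SERVICE_PORTS) and dport >= 1024,
        # the /24 is an assumption for grouping, matching the entry Rick proposes
        "dst_block": str(ipaddress.ip_network(f"{entry['dst']}/24", strict=False)),
    }

def denied_blocks(lines, svi_network):
    """Sum denied packets per (ACL, destination /24) so the missing permit stands out."""
    totals = Counter()
    for line in lines:
        entry = parse_accesslog(line)
        if entry and entry["verdict"] == "denied":
            info = explain(entry, svi_network)
            totals[(info["acl"], info["dst_block"])] += entry["count"]
    return totals

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_accesslog(line)
        if entry:
            print(explain(entry, "10.147.64.0/24"))
    print(denied_blocks(SAMPLE_LOG, "10.147.64.0/24"))
```

Run against the thread's Vlan64 subnet, the quoted line comes back as sourced from inside the VLAN and reply-like, and the denied total lands entirely on 10.146.40.0/24, the block Rick's suggested permit covers.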

  • Apply ACL on vlan

    Amended the post
    Hello
    Can someone guide me on how to apply an access-list to a vlan?
    Office_A connects to Office_B on different floors on vlan 10.
    I need to allow inbound and outbound traffic.
    Config of Office_A and host
    VLAN
    int vlan 10
    ip address 192.168.177.254 255.255.255.252
    Allow the following host to communicate with host of Office_B
    host 192.168.110 port 443
    host 192.168.1.16
    network 192.168.25.0/24
    Network of Office_B
    allow the following hosts to communicate with hosts of Office_A
    192.168.100.10  port 443
    192.168.100.17
    192.168.27.0/24
    Plz guide with the right inbound / outbound ACL to apply on the SVI.
    thanks
    Vishal

    Just to be on the same side, you want hosts 192.168.1.10:443 & 192.168.1.16 to connect to 192.168.100.10:443, and hosts 192.168.100.10:443 & 192.168.100.17 to connect to 192.168.110:443?
    I'm asking because I got confused by your question. If you have a topology for your network, it would be a great asset.
    Best Regards,
    Islam M. Nadim

  • ACLs and VLAN interfaces

    I am trying to understand the boundaries of a VLAN on a given switch. When a packet is passed from VLAN interface 1 to VLAN interface 2 on the same switch, and VLAN 2 has an inbound ACL denying this packet, would it get acted upon in this manner, or does the ACL only get introduced if the packet enters a physical interface?

    A packet coming into a device from one interface and going out another interface does not pass two 'inbound' ACLs. It can pass two ACLs but one will be inbound and one will be outbound.
    The situation is no different when you are using logical interfaces like SVIs (L3 VLAN interfaces). In your case, if you have an ACL defined inbound on VLAN 1 in the distribution switch, then the packets coming into VLAN 1 will be subject to inspection against the rules of this ACL. However, if there is no outbound ACL for VLAN 2, then packets leaving the distribution switch and going out of VLAN 2 to switch 2 will not be subject to any ACLs.
    The concept of inbound and outbound is the same for both physical and logical interfaces.

  • Router ACL and Port ACL

    How can I find out, after looking at the ACL, whether it is a router ACL or a port ACL?
    Is there any syntax difference between these two ACLs, or do they look the same?

    How can I find out, after looking at the ACL, whether it is a router ACL or a port ACL?
    It depends on where the ACL is applied:
    Layer-3 interface (SVI, routed port): Router ACL
    Layer-2 interface (physical switch interfaces): Port ACL
    Is there any syntax difference between these two ACLs?
    Both support Standard and Extended ACLs; Port ACLs support MAC Extended ACLs in addition.
    Link: c3560 Configuring Network Security with ACLs

  • ACL applied to Vlan interfaces

    I have been working with access lists for a while now and I think I have a good knowledge of them. But the thing I'm still confused about is when you apply an ACL "in" and "out" to an SVI or VLAN virtual interface.
    It seems like on these types of interfaces the directions change completely compared to the normal interfaces (Ethernet, serial, etc.). The logic is different, and sometimes I find myself in trouble when I have to do some troubleshooting in my work.
    I've tried to find some information or manuals from Cisco about this specific issue but, unfortunately, I couldn't find anything clear.
    Is there some method to quickly know when these ACLs should be applied in one direction or the other?
    Thanks for your time.

    It's no different on an SVI: "in" means coming in from the network (user ports); "out" means out towards the clients' network.
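The direction rule in the two replies above (one inbound and one outbound ACL per routed packet, an unbound direction filters nothing), as an added example that is not code from the thread or from Cisco; the VLAN subnets and ACL names are constructed.

```python
# Added example, not code from the thread or from Cisco: which router ACLs a packet is
# checked against when it crosses two SVIs. Subnets and ACL names are constructed.
import ipaddress

# One SVI per VLAN: the connected subnet and the ACL names bound with
# "ip access-group <name> in|out". None = nothing bound in that direction.
SVIS = {
    "Vlan10": {"net": ipaddress.ip_network("10.0.10.0/24"),
               "in": "SERVERS-IN", "out": "SERVERS-OUT"},
    "Vlan20": {"net": ipaddress.ip_network("10.0.20.0/24"),
               "in": "USERS-IN", "out": None},
}

def svi_for(addr, svis=SVIS):
    """The SVI whose connected subnet contains addr, i.e. the VLAN the host is in."""
    ip = ipaddress.ip_address(addr)
    return next(name for name, s in svis.items() if ip in s["net"])

def acls_checked(src, dst, svis=SVIS):
    """Ordered (interface, direction, acl) checks for one packet.
    On an SVI, "in" sees packets arriving from hosts in that VLAN and "out" sees
    packets the switch sends towards hosts in that VLAN, so a routed packet meets one
    inbound and one outbound ACL, never two inbound. A direction with no ACL bound
    is skipped (the packet is simply not filtered there)."""
    ingress, egress = svi_for(src, svis), svi_for(dst, svis)
    if ingress == egress:
        return []  # same VLAN: switched at layer 2, router ACLs on the SVI never see it
    path = [(ingress, "in", svis[ingress]["in"]), (egress, "out", svis[egress]["out"])]
    return [step for step in path if step[2] is not None]

def acls_for_flow(client, server, svis=SVIS):
    """Request and reply as the switch sees them: the reply crosses the other pair."""
    return {"request": acls_checked(client, server, svis),
            "reply": acls_checked(server, client, svis)}
```

Running acls_for_flow on a user-to-server connection shows the server VLAN's "in" ACL only ever sees the replies the servers send, which is what decides where a permit for client-to-server traffic belongs.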
