Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco ISO ACL Question

Posted on 2013-05-18
8
Medium Priority
?
375 Views
Last Modified: 2013-05-18
Good day,

I have a 3750 with layer 3 that is being used for some routing, so each of the VLANs has an IP.  I want to deny SSH and SNMP on all of the VLAN interfaces except for VLAN 5 in the example below.  (SSH/SNMP is permitted to targets within each of the VLANs, just not the interface). What am I missing in the code below?

I am open to suggestions, but unable to change the architecture at this point.  Thanks for your help

ip access-list extended Denyp-SSH-SNMP
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny udp any any eq 161

interface vlan 2
 ip address 1.1.2.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 3
 ip address 1.1.3.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 5
 ip address 1.1.5.1 255.255.255.0 in

Open in new window

0
Comment
Question by:jchauncey60
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39177493
Try using "out"........ not "in".......

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP out

Your understanding of acl working for SVI is a bit flawed......
0
 

Author Comment

by:jchauncey60
ID: 39177613
Thanks for the reply, but no joy on the answer.  When I apply the ACL with 'out' I am still able to access the management console on that VLAN
0
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39177625
1) My bad.

2) Thank god it did not work. You would be thrown out of the switch then. Your acl has no permit statement at the end. So it's as good as deny ALL. There should have been a permit ip any any at the last of the ACL. (In the future put a permit statement if you are denying anything in acl. ACL has an implicit deny all at the last)

Hopefully following would solve your issue.

##############################
ip access-list extended Denyp-SSH-SNMP
(config-ext-nacl)#permit tcp any any eq 22
(config-ext-nacl)#permit udp any any eq 161
(config-ext-nacl)#permit tcp any any eq 161

(config-ext-nacl)#vlan access-map MY_DENY
(config-access-map)#action drop
(config-access-map)#match ip address Denyp-SSH-SNMP
(config-access-map)#vlan access-map MY_DENY
(config-access-map)#action forward
(config-access-map)#exit

(config)#vlan filter MY_DENY vlan-list 2,3,4,5  (OR you can use 2-5)
##########################

Router-based Access Control List doesn't work here. We need VLAN Access Control List.

Best,
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 

Author Comment

by:jchauncey60
ID: 39177659
Thanks again for the reply, still not having joy.  After implementing the code below I can still access the ssh management server on VLAN 39,40,221,496.  (It also still works on my other VLANs, 640-643 which is ok).  Other suggestions, I do appreciate the assistance?


ip access-list extended Deny_SSH_PublicIP
permit tcp any host 10.2.211.1 eq 22
permit tcp any host 10.2.212.1 eq 22
permit tcp any host 10.2.213.1 eq 22
permit tcp any host 10.2.221.1 eq 22
permit tcp any host 10.2.225.65 eq 22
exit



vlan access-map VACL_STOP_SSH_PublicIP
action drop
match ip address Deny_SSH_PublicIP
vlan access-map VACL_STOP_SSH_PublicIP
action forward
exit


vlan filter VACL_STOP_SSH_PublicIP vlan-list 39,40, 221, 496

Open in new window

0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39177665
Create an ACL for SSH access to the switch and configure it on the vty lines instead of the SVIs.

Create an ACL for SNMP and apply it to the SNMP string you've configured on the switch.
0
 

Author Comment

by:jchauncey60
ID: 39177685
Craig, thanks for the response.  Can you give me an example?
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39177715
access-list 1 remark ACL for SSH
access-list 1 permit 1.1.5.0 0.0.0.255
!
access-list 2 remark ACL for SNMP
access-list 2 permit host 1.1.5.10
!
snmp-server community READ RO 2         !(this tells the SNMP string to only answer to access-list 2)
!
line vty 0 4
 transport input ssh
 access-class 1 in           !(this tells the vty lines 0-4 to use access-list 1)

Open in new window


access-list 1 will allow any host on VLAN5 to use SSH to connect to the switch.  You can allow the whole subnet (as in my example) or you can specify hosts to allow.

access-list 2 will allow only host 1.1.5.10 to connect to the switch using the READ SNMP string.

Even though we're not applying the ACLs to all the interfaces, the switch will drop all traffic from hosts not mentioned in the ACL due to the implicit deny rule at the end of the ACL.  We're tying the ACL to the protocol, so it's not interface-dependent.
0
 

Author Comment

by:jchauncey60
ID: 39177739
Craig, thanks again.  This is not exactly what I was wanting to do (allow access to VLAN 643 from anywhere) but accomplishes the task so the network scanner cannot see the open SSH port on the public IP addresses (the listed VLANs are public).

Thanks for your assistance on this...have a great day.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question