• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 380
  • Last Modified:

Cisco ISO ACL Question

Good day,

I have a 3750 with layer 3 that is being used for some routing, so each of the VLANs has an IP.  I want to deny SSH and SNMP on all of the VLAN interfaces except for VLAN 5 in the example below.  (SSH/SNMP is permitted to targets within each of the VLANs, just not the interface). What am I missing in the code below?

I am open to suggestions, but unable to change the architecture at this point.  Thanks for your help

ip access-list extended Denyp-SSH-SNMP
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny udp any any eq 161

interface vlan 2
 ip address 1.1.2.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 3
 ip address 1.1.3.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 5
 ip address 1.1.5.1 255.255.255.0 in

Open in new window

0
jchauncey60
Asked:
jchauncey60
  • 4
  • 2
  • 2
1 Solution
 
surbabu140977Commented:
Try using "out"........ not "in".......

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP out

Your understanding of acl working for SVI is a bit flawed......
0
 
jchauncey60Author Commented:
Thanks for the reply, but no joy on the answer.  When I apply the ACL with 'out' I am still able to access the management console on that VLAN
0
 
surbabu140977Commented:
1) My bad.

2) Thank god it did not work. You would be thrown out of the switch then. Your acl has no permit statement at the end. So it's as good as deny ALL. There should have been a permit ip any any at the last of the ACL. (In the future put a permit statement if you are denying anything in acl. ACL has an implicit deny all at the last)

Hopefully following would solve your issue.

##############################
ip access-list extended Denyp-SSH-SNMP
(config-ext-nacl)#permit tcp any any eq 22
(config-ext-nacl)#permit udp any any eq 161
(config-ext-nacl)#permit tcp any any eq 161

(config-ext-nacl)#vlan access-map MY_DENY
(config-access-map)#action drop
(config-access-map)#match ip address Denyp-SSH-SNMP
(config-access-map)#vlan access-map MY_DENY
(config-access-map)#action forward
(config-access-map)#exit

(config)#vlan filter MY_DENY vlan-list 2,3,4,5  (OR you can use 2-5)
##########################

Router-based Access Control List doesn't work here. We need VLAN Access Control List.

Best,
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
jchauncey60Author Commented:
Thanks again for the reply, still not having joy.  After implementing the code below I can still access the ssh management server on VLAN 39,40,221,496.  (It also still works on my other VLANs, 640-643 which is ok).  Other suggestions, I do appreciate the assistance?


ip access-list extended Deny_SSH_PublicIP
permit tcp any host 10.2.211.1 eq 22
permit tcp any host 10.2.212.1 eq 22
permit tcp any host 10.2.213.1 eq 22
permit tcp any host 10.2.221.1 eq 22
permit tcp any host 10.2.225.65 eq 22
exit



vlan access-map VACL_STOP_SSH_PublicIP
action drop
match ip address Deny_SSH_PublicIP
vlan access-map VACL_STOP_SSH_PublicIP
action forward
exit


vlan filter VACL_STOP_SSH_PublicIP vlan-list 39,40, 221, 496

Open in new window

0
 
Craig BeckCommented:
Create an ACL for SSH access to the switch and configure it on the vty lines instead of the SVIs.

Create an ACL for SNMP and apply it to the SNMP string you've configured on the switch.
0
 
jchauncey60Author Commented:
Craig, thanks for the response.  Can you give me an example?
0
 
Craig BeckCommented:
access-list 1 remark ACL for SSH
access-list 1 permit 1.1.5.0 0.0.0.255
!
access-list 2 remark ACL for SNMP
access-list 2 permit host 1.1.5.10
!
snmp-server community READ RO 2         !(this tells the SNMP string to only answer to access-list 2)
!
line vty 0 4
 transport input ssh
 access-class 1 in           !(this tells the vty lines 0-4 to use access-list 1)

Open in new window


access-list 1 will allow any host on VLAN5 to use SSH to connect to the switch.  You can allow the whole subnet (as in my example) or you can specify hosts to allow.

access-list 2 will allow only host 1.1.5.10 to connect to the switch using the READ SNMP string.

Even though we're not applying the ACLs to all the interfaces, the switch will drop all traffic from hosts not mentioned in the ACL due to the implicit deny rule at the end of the ACL.  We're tying the ACL to the protocol, so it's not interface-dependent.
0
 
jchauncey60Author Commented:
Craig, thanks again.  This is not exactly what I was wanting to do (allow access to VLAN 643 from anywhere) but accomplishes the task so the network scanner cannot see the open SSH port on the public IP addresses (the listed VLANs are public).

Thanks for your assistance on this...have a great day.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now