Solved

Cisco ISO ACL Question

Posted on 2013-05-18
8
366 Views
Last Modified: 2013-05-18
Good day,

I have a 3750 with layer 3 that is being used for some routing, so each of the VLANs has an IP.  I want to deny SSH and SNMP on all of the VLAN interfaces except for VLAN 5 in the example below.  (SSH/SNMP is permitted to targets within each of the VLANs, just not the interface). What am I missing in the code below?

I am open to suggestions, but unable to change the architecture at this point.  Thanks for your help

ip access-list extended Denyp-SSH-SNMP
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny udp any any eq 161

interface vlan 2
 ip address 1.1.2.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 3
 ip address 1.1.3.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 5
 ip address 1.1.5.1 255.255.255.0 in

Open in new window

0
Comment
Question by:jchauncey60
  • 4
  • 2
  • 2
8 Comments
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39177493
Try using "out"........ not "in".......

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP out

Your understanding of acl working for SVI is a bit flawed......
0
 

Author Comment

by:jchauncey60
ID: 39177613
Thanks for the reply, but no joy on the answer.  When I apply the ACL with 'out' I am still able to access the management console on that VLAN
0
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39177625
1) My bad.

2) Thank god it did not work. You would be thrown out of the switch then. Your acl has no permit statement at the end. So it's as good as deny ALL. There should have been a permit ip any any at the last of the ACL. (In the future put a permit statement if you are denying anything in acl. ACL has an implicit deny all at the last)

Hopefully following would solve your issue.

##############################
ip access-list extended Denyp-SSH-SNMP
(config-ext-nacl)#permit tcp any any eq 22
(config-ext-nacl)#permit udp any any eq 161
(config-ext-nacl)#permit tcp any any eq 161

(config-ext-nacl)#vlan access-map MY_DENY
(config-access-map)#action drop
(config-access-map)#match ip address Denyp-SSH-SNMP
(config-access-map)#vlan access-map MY_DENY
(config-access-map)#action forward
(config-access-map)#exit

(config)#vlan filter MY_DENY vlan-list 2,3,4,5  (OR you can use 2-5)
##########################

Router-based Access Control List doesn't work here. We need VLAN Access Control List.

Best,
0
 

Author Comment

by:jchauncey60
ID: 39177659
Thanks again for the reply, still not having joy.  After implementing the code below I can still access the ssh management server on VLAN 39,40,221,496.  (It also still works on my other VLANs, 640-643 which is ok).  Other suggestions, I do appreciate the assistance?


ip access-list extended Deny_SSH_PublicIP
permit tcp any host 10.2.211.1 eq 22
permit tcp any host 10.2.212.1 eq 22
permit tcp any host 10.2.213.1 eq 22
permit tcp any host 10.2.221.1 eq 22
permit tcp any host 10.2.225.65 eq 22
exit



vlan access-map VACL_STOP_SSH_PublicIP
action drop
match ip address Deny_SSH_PublicIP
vlan access-map VACL_STOP_SSH_PublicIP
action forward
exit


vlan filter VACL_STOP_SSH_PublicIP vlan-list 39,40, 221, 496

Open in new window

0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 45

Expert Comment

by:Craig Beck
ID: 39177665
Create an ACL for SSH access to the switch and configure it on the vty lines instead of the SVIs.

Create an ACL for SNMP and apply it to the SNMP string you've configured on the switch.
0
 

Author Comment

by:jchauncey60
ID: 39177685
Craig, thanks for the response.  Can you give me an example?
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39177715
access-list 1 remark ACL for SSH
access-list 1 permit 1.1.5.0 0.0.0.255
!
access-list 2 remark ACL for SNMP
access-list 2 permit host 1.1.5.10
!
snmp-server community READ RO 2         !(this tells the SNMP string to only answer to access-list 2)
!
line vty 0 4
 transport input ssh
 access-class 1 in           !(this tells the vty lines 0-4 to use access-list 1)

Open in new window


access-list 1 will allow any host on VLAN5 to use SSH to connect to the switch.  You can allow the whole subnet (as in my example) or you can specify hosts to allow.

access-list 2 will allow only host 1.1.5.10 to connect to the switch using the READ SNMP string.

Even though we're not applying the ACLs to all the interfaces, the switch will drop all traffic from hosts not mentioned in the ACL due to the implicit deny rule at the end of the ACL.  We're tying the ACL to the protocol, so it's not interface-dependent.
0
 

Author Comment

by:jchauncey60
ID: 39177739
Craig, thanks again.  This is not exactly what I was wanting to do (allow access to VLAN 643 from anywhere) but accomplishes the task so the network scanner cannot see the open SSH port on the public IP addresses (the listed VLANs are public).

Thanks for your assistance on this...have a great day.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Enterasys QoS setup 2 34
MPLS Network Question 2 35
The purpose of Root Bridge 7 28
Trunk port configuration for Wireless VLANs 11 55
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now