04-03-2003 01:21 PM
We have CSS11800 switches in a remote data center, and needed to have telnet and ssh access blocked from the Internet, but still allow it from the management port. It's a simple access-list thing, but maybe it'll save time for the next person.
acl enable
acl xx
clause 10 deny tcp any destination any eq 22
clause 11 deny tcp any destination any eq 23
(insert additional clauses for other protocols you wish to block (icmp, snmp, etc.))
clause 99 permit any any destination any
apply circuit-vlanyy (where yy is the internet-facing circuit)
That should do it. You type "show acl xx" to see the hits on the individual clauses. This was done with 3.10 and 4.xx firmware. Your mileage may vary. Sterling Commerce is not responsible for these comments. And so on. :-)
Luke
04-04-2003 02:49 AM
Thanks for this information.
04-07-2003 06:59 AM
After some contemplation, I believe the destination address "any" may be too broad for this work. If you're just trying to block telnet/ssh to this particular switch, it should look like this (if the IP address of this switch is 111.222.111.22, and is sitting on the VLAN facing the Internet):
clause 10 deny tcp any destination 111.222.111.22 eq telnet log
clause 11 deny tcp any destination 111.222.111.22 eq 22 log
clause 99 permit any any destination any
apply circuit-(VLAN1)
It was thought that if devices on the same VLAN or devices behind the CSS needed to be accessed via telnet/ssh, this access list may block them. This revised ACL just blocks telnet/ssh to the switch itself. Again, tested with 3.10 and 4.xx firmware.
Luke
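An added example, not from either post: a small Python evaluator for CSS-style ACL clauses that runs the broad ACL from the first post and the revised one from the follow-up against the same sample flows, to show that only the revised version leaves telnet to hosts behind the switch alone. It assumes (not stated in the thread) that clauses are checked in ascending number order, the first match decides, and unmatched traffic is dropped; the IP addresses other than the switch's are constructed.

```python
# Added example, not from the thread: a small evaluator for CSS-style ACL clauses
# that shows why the revised ACL only blocks the switch itself. Assumptions:
# clauses are checked in ascending number order, the first match decides, and
# anything unmatched is dropped (which is why the thread needs the permit clause 99).
PORT_NAMES = {"telnet": 23, "ssh": 22}


def parse_clause(line):
    """Parse 'clause N deny|permit PROTO SRC destination DST [eq PORT] [log]'."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "clause" or tok[5] != "destination":
        raise ValueError(f"unsupported clause syntax: {line}")
    port = None
    if len(tok) > 8 and tok[7] == "eq":
        port = PORT_NAMES.get(tok[8]) or int(tok[8])  # 'telnet' or a number
    return {"num": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": tok[4], "dst": tok[6], "port": port, "log": tok[-1] == "log"}


def parse_acl(text):
    """Return the clause lines of an ACL snippet, sorted by clause number."""
    lines = [l for l in text.strip().splitlines() if l.strip().startswith("clause")]
    return sorted((parse_clause(l) for l in lines), key=lambda c: c["num"])


def evaluate(acl, proto, src, dst, dport):
    """First matching clause wins; return (action, clause number)."""
    for c in acl:
        if (c["proto"] in ("any", proto) and c["src"] in ("any", src)
                and c["dst"] in ("any", dst) and c["port"] in (None, dport)):
            return c["action"], c["num"]
    return "deny", None  # implicit deny once the ACL is enabled (assumption)


# Constructed inputs: the two ACLs from the thread, plus sample flows from an
# Internet client (198.51.100.7) to the switch and to a server behind it.
BROAD = """clause 10 deny tcp any destination any eq 22
clause 11 deny tcp any destination any eq 23
clause 99 permit any any destination any"""
NARROW = """clause 10 deny tcp any destination 111.222.111.22 eq telnet log
clause 11 deny tcp any destination 111.222.111.22 eq 22 log
clause 99 permit any any destination any"""
SWITCH, SERVER, CLIENT = "111.222.111.22", "111.222.111.50", "198.51.100.7"

if __name__ == "__main__":
    for name, acl in (("broad", parse_acl(BROAD)), ("narrow", parse_acl(NARROW))):
        print(name, "telnet->switch:", evaluate(acl, "tcp", CLIENT, SWITCH, 23))
        print(name, "telnet->server:", evaluate(acl, "tcp", CLIENT, SERVER, 23))
        print(name, "https->server:", evaluate(acl, "tcp", CLIENT, SERVER, 443))
```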