Routed Management (SSH/HTTPS) interface on an SG series (SG550XG)

80211WiGuy
Level 1

Hey Gang,

I'm used to IOS and being able to put ACLs on the TTY interface, but I can't for the life of me figure out how I secure management of this switch through a routed network.

For example:

interface vlan 100
 ip address 10.0.0.2 255.255.255.0
interface vlan 101
 ip address 10.0.1.1 255.255.255.0
interface vlan 102
 ip address 10.0.2.1 255.255.255.0
interface vlan 1000
 ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 10.0.0.1
ip route 192.168.0.0 255.255.0.0 192.168.1.1   (static route for management network)

 

*Syntax above is all by hand for illustration purposes, not sure if all of this is accurate syntax.

 

I'd like the 10.x.x.x interfaces to route to the rest of the 10.0.0.0/8 network + internet, but be blocked from accessing the 192.168.0.0/16 network. When I turn on HTTPS and SSH, it says these services are listening on ALL interfaces - any idea how to restrict these to just one interface? The only way I can think to do it is through a lot of ACLs for each interface address.

 

EDIT: the example above is drastically simplified. I'm actually dealing with 50-100 VLANs, and I'll have to hand this off to someone else later down the line who will be a novice and just adding a subnet here and there. I'm hoping to come up with something that won't require another ACL for every new interface that gets created.

 

Thanks for reading through this and hopefully something helpful comes to mind!

 

2 Replies

pieterh
VIP

You first need to enable routing:

Click IP Configuration > IPv4 Management and Interfaces > IPv4 Interface.
To enable IPv4 routing, check the Enable box.

 

default-gateway config is used on a switch with no routing enabled;

ip route 0.0.0.0 0.0.0.0 <gateway> with routing enabled.

 

If you want to limit access to management,

you still need to create an access-list as you are used to,

you don't put this on a TTY (VTY?) interface, but on the management VLAN interface (VLAN 1000?).

An access-list already has an implicit (invisible) deny at the end,

but for clarity you can enter an explicit deny ip any any,

so you only need to permit the hosts/networks you want to have management access,

and when networks are added, the list needs no change.

 

Hope this helps you on your way.

Thanks for your response, Pieterh.

Yes, VTY, my bad.

The code on my switch might be a little different from what you're describing regarding IPv4 Routing. I think it's turned on, but I won't get back on the switch until Monday. I did a little more digging last night and found something about "Management Access Method" I think I need to learn more about. I think this in combination with an ACL to block everything from VLAN 100 (192.168...) should do the trick. I'll report back again on Monday.

 

Cheers,

Greg
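For anyone landing on this thread later: the "Management Access Method" Greg mentions is the SG-series management access-list (Management Access Profile in the GUI). Unlike a port or VLAN ACL, it filters only traffic addressed to the switch's own management services (SSH, HTTPS, Telnet, HTTP, SNMP), so it is a single list for the whole switch and does not need to grow when another VLAN is added. The following is an added example and not configuration posted by either participant; it reuses the addresses from the original post, the list name MGMT-ONLY is arbitrary, and the command syntax follows the SG500/SG550 CLI guide, so confirm each keyword with `?` on the switch before committing.

```cisco
! Added example, not from the thread. Assumes an SG550X-class switch
! with the management network 192.168.0.0/16 reachable via VLAN 1000
! (switch address 192.168.1.2, next hop 192.168.1.1), as in the post.
configure

! Layer 3 mode: with routing on, the default route replaces ip default-gateway.
ip routing
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 192.168.0.0 255.255.0.0 192.168.1.1

! Management Access Profile. Rules match only packets whose destination
! is the switch itself, so traffic routed *through* the 10.x VLANs is
! unaffected and no per-VLAN entry is needed as subnets are added.
management access-list MGMT-ONLY
 ! Allow SSH and HTTPS only from the management network, and only when
 ! it arrives on the management VLAN (blocks spoofed sources on other VLANs).
 permit vlan 1000 ip-source 192.168.0.0 mask 255.255.0.0 service ssh
 permit vlan 1000 ip-source 192.168.0.0 mask 255.255.0.0 service https
 ! Explicit catch-all deny for readability; the list denies unmatched
 ! traffic anyway. Covers telnet/http/snmp from anywhere as well.
 deny
exit

! Activate the profile. Takes effect immediately for new connections.
management access-class MGMT-ONLY
exit
```

Apply it from a session that one of the permit lines covers: the profile is enforced as soon as `management access-class` is entered, and a rule that does not match your own source address leaves only the serial console to recover from. Note what it does not do: hosts on the 10.x VLANs reaching 192.168.0.0/16 *through* the switch is transit traffic, not management traffic, so that part of the original question still needs an ordinary ACL on those VLANs (or filtering on the 192.168.1.1 router).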
