VLAN Interface IP protection - Opened Ports

Serpent2010 (Level 4)

Hello everyone,

Q1) How can I block ports such as 443 on the VLAN x interface IP?

1) I tried an ACL inbound and outbound on VLAN x, but it does not work.

2) The physical router (which hosts the VLAN X interface IP) has been configured to allow port 443, but on a different VLAN, the management VLAN. This allowed port 443 on the physical router's management VLAN is used for web management, not for VLAN x.

Any advice, please


5 Replies

@Serpent2010 Define an ACL permitting/denying the relevant traffic, then assign that ACL to the HTTP server: "ip http access-class ACL-NAME". That should restrict HTTP/HTTPS server traffic on the device.

Thanks for the quick reply. That's working for the physical box's HTTP/HTTPS config, but it does not work for the interface VLAN X IP.

In other words, the ACL works perfectly for the management VLAN, but it does not work for VLAN x.

I can redo the test to double-check, if you want me to do that.

If the traffic is directed at the VLAN SVI itself, the ACL does not work. The ACL works for traffic passing through the VLAN SVI, not for traffic directed at the VLAN SVI.
You need CoPP, OR
check the ip route to see where the traffic comes from and apply the ACL inbound at the next hop, not on the VLAN SVI.
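Putting the two suggestions from the replies above into one configuration, as an added example that is not from the original thread: Option A is the `ip http access-class` approach from the first reply, Option B the CoPP approach from the second. The subnets and the ACL, class-map and policy-map names are assumed placeholders, and the exact syntax varies by platform and IOS/IOS-XE release (some IOS-XE releases use `ip http access-class ipv4 ACL-NAME`).

```cisco
! --- Option A: restrict the device's own HTTP/HTTPS server with ip http access-class ---
! Standard ACL: only the management subnet (assumed 10.10.10.0/24, a placeholder) may reach
! the web server on ANY of the device's IPs, including the VLAN x SVI address.
ip access-list standard MGMT-HTTP-ONLY
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
no ip http server
ip http secure-server
ip http access-class MGMT-HTTP-ONLY
!
! --- Option B: CoPP, which filters traffic destined TO the device's control plane ---
! In a CoPP class ACL, "permit" means "match this and police it"; "deny" means "exempt it".
! Assumed subnets: 10.10.10.0/24 = management VLAN, everything else = untrusted (VLAN x etc.).
ip access-list extended COPP-BLOCK-HTTPS
 remark exempt management stations, then catch every other attempt at 443/80
 deny   tcp 10.10.10.0 0.0.0.255 any eq 443
 deny   tcp 10.10.10.0 0.0.0.255 any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 80
!
class-map match-all COPP-BLOCK-HTTPS-CLASS
 match access-group name COPP-BLOCK-HTTPS
!
policy-map COPP-POLICY
 class COPP-BLOCK-HTTPS-CLASS
  ! drop both conforming and exceeding traffic: untrusted hosts never reach the web server
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! --- Verification (show commands, run after applying either option) ---
! show ip http server status            -> confirms the access-class bound to the HTTP server
! show policy-map control-plane         -> drop counters rise when untrusted hosts probe 443
! show ip access-lists COPP-BLOCK-HTTPS -> per-entry hit counts for the CoPP class ACL
```

Option B is the one that covers traffic addressed to the SVI itself, since a CoPP service-policy is evaluated on the control plane regardless of which interface IP the packet was sent to.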

You are correct, and I will work on your suggestion; it is very interesting. I'll see if it works as expected.

Many thanks

You are so so welcome
