Limit switch access (telnet, http)

gbonivento
Level 1

Situation: c3750 Layer3 switch acting as router for my LAN, with several (more than 40) L3 virtual interfaces.

Target: I want to permit access to the switch only from some L3 interfaces (those with an @ip 10.255.x.x) and deny telnet/http requests on the other interfaces (with @ip 10.252.x.x). For telnet, I put the following commands on the switch:

Switch(config)#access-list 101 permit ip any 10.255.0.0 0.0.255.255 log
Switch(config)#access-list 101 deny ip any any log
Switch(config-line)#access-class 101 in

Problem:

- telnet traffic is blocked on ALL interfaces

- if I try a telnet from a PC (10.255.10.100) to the switch (10.255.10.1) I see the following syslog message:

Aug 23 13:36:49: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.255.10.100(1709) -> 0.0.0.0(23), 1 packet

Why is the destination IP address 0.0.0.0?

Second question: how can I activate the same filter on http access (ip http access-class accepts only standard access-lists, therefore I cannot check destination IP address)?


mmorris11
Level 4

Giovanni,

Your access list is producing unintended results. Your list actually says: "If you come from anywhere you can do ip to 10.255.0.0 0.0.255.255". What you probably want is the opposite. Standard access lists are most effective for restricting this type of access because it eliminates this confusion. You don't need extended lists to limit access to vty. The destination is irrelevant because the packet is not getting routed through. On this basis the standard list poses no limitation for your http access control. Standard lists are good for vty, http, snmp-server restrictions. As far as the 0.0.0.0 destination, I do not know why this was stripped out. Probably due to the fact that the packet is destined for the switch.

HTH

Pls rate if helpful!

Hi Mike,

thanks for your reply, but it doesn't help me. I'll try to explain my situation in a little more detail:

- two routing domains on the same switch (vrf active)

- therefore the destination IP address where I initiate the telnet session is important. I want to deny telnet/http in one of these routing domains (the one with IP addresses 10.252.x.x)

Hope it's a little bit more clear ...

Edison Ortiz
Hall of Fame

The destination is shown as 0.0.0.0 because the line vty interface is unnumbered. As Mike mentioned, you can't include a destination IP on an access-class because the vty interface has no IP.

If you want to permit/deny traffic from some L3 interfaces, you need to apply the ACL on those interfaces, not the entire switch as intended with access-class.

Please rate helpful posts.

Thanks
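Putting the two replies together (Mike's point that access-class can only evaluate the source, Edison's point that a per-interface ACL is needed for the 10.252.x.x domain), here is an added IOS configuration example that is not from the thread or any of its posters. The VLAN number, the SVI address 10.252.1.1 and the ACL names are assumed placeholders; the `vrf-also` keyword is needed when sessions arrive through a VRF and depends on the IOS release supporting it.

```cisco
! Added example, not from the thread. Part 1 restricts vty/http to
! management sources; part 2 blocks telnet/http aimed at one 10.252.x.x
! SVI while letting transit traffic through. Addresses are placeholders.
!
! 1) A standard ACL matches the SOURCE only, which is all that
!    access-class can evaluate (the vty has no IP, hence dst 0.0.0.0
!    in the syslog line). Extended ACL 101 from the question is not used.
access-list 10 remark management sources only
access-list 10 permit 10.255.0.0 0.0.255.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in vrf-also
!
! ip http access-class takes a standard ACL, so the same list serves http.
ip http access-class 10
!
! 2) Per-interface filter for the 10.252.x.x routing domain. Matching the
!    SVI's own address (not the whole 10.252.0.0/16) keeps host-to-host
!    telnet/http between VLANs working; only sessions to the switch die.
!    A 10.252.x.x host trying another SVI (e.g. 10.255.10.1) is still
!    rejected by access-list 10 because its source is not 10.255.x.x.
ip access-list extended BLOCK-MGMT-10-252
 deny   tcp any host 10.252.1.1 eq telnet
 deny   tcp any host 10.252.1.1 eq www
 permit ip any any
!
interface Vlan252
 ip address 10.252.1.1 255.255.255.0
 ip access-group BLOCK-MGMT-10-252 in
```

On a 3750, leave `log` off ACEs applied with `ip access-group`, since logged entries are punted to the CPU; it is harmless on the vty list, which is software-evaluated anyway.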