10-18-2011 04:45 AM - edited 03-07-2019 02:52 AM
Hi
I have made an ACL with allow entries for the hosts which should be able to reach the switches' and routers' management interfaces.
# access-list 45 permit 192.168.32.25
# access-list 45 permit 192.168.32.26
# access-list 45 permit 192.168.32.30
# access-list 45 deny any
Then I set
# line vty 0 15
# access-class 45 in
But this applies only for telnet access.
How do I apply the same ACL for all access methods?
10-18-2011 04:47 AM
Edited because I was talking rubbish!
10-18-2011 04:54 AM
Sorry, I was a bit unclear.
I want to filter access to HTTP, HTTPS, SSH etc also...
10-18-2011 04:59 AM
Hi,
What I understand is that you have a management interface (vlan 10) and want to filter access from other resources.
The below ACL statements would help you.
access-list 45 permit 192.168.32.25 eq 80
access-list 45 permit 192.168.32.25 eq 443
access-list 45 permit 192.168.32.25 eq 22
access-list 45 permit 192.168.32.26 eq 80
access-list 45 permit 192.168.32.26 eq 443
access-list 45 permit 192.168.32.26 eq 22
access-list 45 permit 192.168.32.30 eq 80
access-list 45 permit 192.168.32.30 eq 443
access-list 45 permit 192.168.32.30 eq 22
access-list 45 deny any
int vlan 10
ip access-group 45 in
Please rate the helpful posts.
Regards,
Naidu.
10-18-2011 05:00 AM
Actually it's me that should apologise, as I was completely wrong; your config is not for the console lines at all.
Jon
10-18-2011 05:05 AM
Hi,
# line vty 0 15
# access-class 45 in
Please rate the helpful posts.
Regards,
Naidu.
10-18-2011 05:08 AM
Thank you both for helping me out here
The VLAN method would work.
But in this scenario, I want to filter access to the management services.
As these switches/routers have IPs on many VLANs.
So I think it would be easier to do it like this:
# line vty 0 15
# access-class 45 in
But how do I do this for HTTP, HTTPS, SSH, SNMP etc. (are there more services?)?
10-18-2011 05:24 AM
Hi Perpaal,
You can use the same access-list (45) and apply it under line vty 0 15.
I created those rules on the ports (ssh, http, https, etc.) which you want.
So if anyone from 192.168.32.25 tries to access your router xxx.xxx.xxx.xx, they can access it only on ssh, http and https.
# line vty 0 15
# access-class 45 in
Please rate the helpful posts.
Regards,
Naidu.
10-18-2011 05:37 AM
I'm sorry, I do not think I explained this well.
What I try to achieve is:
On a L3 switch/router I have hundreds of VLANs.
And the device has hundreds of IP addresses on which it can be reached.
When I apply the access list to the line vty interfaces, it can not be reached on all these addresses on telnet, just the ones I want.
So that works just fine.
But still I can reach it on every L3 IP address on the other services, like HTTP etc.
I want to do the same for these access methods as for telnet, is that possible?
10-18-2011 06:15 AM
Hi,
Yes, this should work. As per the below rules, you will have access from the permitted hosts only, but not from all, as the last rule says deny any.
access-list 45 permit 192.168.32.25 eq 80
access-list 45 permit 192.168.32.25 eq 443
access-list 45 permit 192.168.32.25 eq 22
access-list 45 permit 192.168.32.26 eq 80
access-list 45 permit 192.168.32.26 eq 443
access-list 45 permit 192.168.32.26 eq 22
access-list 45 permit 192.168.32.30 eq 80
access-list 45 permit 192.168.32.30 eq 443
access-list 45 permit 192.168.32.30 eq 22
access-list 45 deny any
# line vty 0 15
# access-class 45 in
Please rate the helpful posts.
Regards,
Naidu.
10-18-2011 06:43 AM
access-list 45 permit 192.168.32.25 eq 80
access-list 45 permit 192.168.32.25 eq 443
access-list 45 permit 192.168.32.25 eq 22
access-list 45 permit 192.168.32.26 eq 80
access-list 45 permit 192.168.32.26 eq 443
access-list 45 permit 192.168.32.26 eq 22
access-list 45 permit 192.168.32.30 eq 80
access-list 45 permit 192.168.32.30 eq 443
access-list 45 permit 192.168.32.30 eq 22
access-list 45 deny any
# line vty 0 15
# access-class 45 in
Yes, this works for telnet, but not for http and the rest.
10-18-2011 07:08 AM
Hi,
The ACLs are working fine as defined.
Actually, on the line vty 0 15 it seems you applied telnet only (transport input telnet), so you can not access via ssh (22).
If you want to access that device via ssh (22), you need to give "transport input ssh" on the line vty.
If you want to access that device via http, then you need to enable "ip http server" on the router/switch, but this is not secure.
Please rate the helpful posts.
Regards,
Naidu.
10-18-2011 07:47 AM
Ok, I will disable HTTP server then.
When setting:
# line vty 0 15
# access-class 45 in
And the HTTP server disabled, is there any other ways to reach the switch?
SNMP?
10-18-2011 10:56 PM
Hi,
Good...
You can reach any device (router/switch) through SNMP (usually this is used for monitoring, syslog and the like).
To access the switch/router through SNMP you need the below configuration on your device.
snmp-server community XXXX RO SNMP_ACCESS
ip access-list standard SNMP_ACCESS
permit 10.10.10.84
permit 10.10.10.50
permit 10.10.10.42
So as per the above config you can reach the switch through SNMP community string XXXX, and I limited the SNMP access to some hosts only (SNMP_ACCESS).
Please rate the helpful posts.
Regards,
Naidu.
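Pulling the pieces of this thread together, here is an added configuration example (editor's addition, not config posted by anyone in the thread) that restricts every management service the OP asked about to the same three hosts. It reuses ACL 45 from the first post. The commands `transport input ssh`, `no ip http server` and `snmp-server community ... RO <acl>` appear in the thread; `ip http access-class` is a standard IOS command the thread does not mention, included here so the HTTP(S) server, if it has to stay on, is filtered the same way. The SNMP community string is a placeholder.

```ios
! Added example, not from the original thread.
! Standard ACL 45 matches source addresses only, so it lists trusted hosts
! (no port keywords) and is applied once per management service.
access-list 45 remark Trusted management stations
access-list 45 permit 192.168.32.25
access-list 45 permit 192.168.32.26
access-list 45 permit 192.168.32.30
access-list 45 deny any log
!
! Telnet and SSH both terminate on the vty lines, so access-class covers both.
! transport input ssh removes telnet entirely.
line vty 0 15
 access-class 45 in
 transport input ssh
 exec-timeout 10 0
!
! HTTP/HTTPS: the thread concludes with turning the server off.
no ip http server
! If the web UI is required, keep only HTTPS and bind the same ACL to it:
! ip http secure-server
! ip http access-class 45
!
! SNMP: read-only community bound to the same ACL.
! REPLACE_WITH_STRONG_STRING is a placeholder, not a real community string.
snmp-server community REPLACE_WITH_STRONG_STRING RO 45
```

The reason a single host list is applied per service rather than one list with port entries is that a standard numbered ACL (1-99, such as 45) matches source addresses only and does not accept `eq 80` style port qualifiers; filtering by destination port would need an extended ACL, which `access-class` on the vty lines and `ip http access-class` do not take. To confirm the filters are doing work, `show access-lists 45` shows per-entry match counters (the `log` keyword on the final deny also produces a syslog message for each blocked attempt), and `show ip http server status` shows whether the HTTP and HTTPS servers are enabled.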