ACL filtering all management access to switch

perpaal
Level 1

Hi

I have made an ACL that permits the hosts which should be able to reach the switches' and routers' management interfaces.

# access-list 45 permit 192.168.32.25

# access-list 45 permit 192.168.32.26

# access-list 45 permit 192.168.32.30

# access-list 45 deny   any

Then I set

# line vty 0 15

# access-class 45 in

But this only applies to telnet access.

How do I apply the same ACL to all access methods?

13 Replies

Jon Marshall
Hall of Fame

Edited because I was talking rubbish!

Sorry, I was a bit unclear.

I want to filter access to HTTP, HTTPS, SSH, etc. as well...

Hi,

What I understand is that you have a management interface (VLAN 10) and want to filter access from other resources.

The ACL statements below would help you.

access-list 45 permit 192.168.32.25 eq 80
access-list 45 permit 192.168.32.25 eq 443
access-list 45 permit 192.168.32.25 eq 22
access-list 45 permit 192.168.32.26 eq 80
access-list 45 permit 192.168.32.26 eq 443
access-list 45 permit 192.168.32.26 eq 22
access-list 45 permit 192.168.32.30 eq 80
access-list 45 permit 192.168.32.30 eq 443
access-list 45 permit 192.168.32.30 eq 22
access-list 45 deny   any

int vlan 10
ip access-group 45 in

Please rate the helpful posts.
Regards,
Naidu.

Actually, it's me that should apologise, as I was completely wrong; your config is not for the console lines at all.

Jon

Hi,

# line vty 0 15
# access-class 45 in


Please rate the helpful posts.
Regards,
Naidu.

Thank you both for helping me out here.

The VLAN method would work.

But in this scenario I want to filter access to the management services, as these switches/routers have IPs on many VLANs.

So I think it would be easier to do it like this:

# line vty 0 15

# access-class 45 in

But how do I do this for HTTP, HTTPS, SSH, SNMP, etc. (are there more services?)?

Hi Perpaal,

You can use the same access-list (45) and apply it under line vty 0 15.
I created those rules for the ports (SSH, HTTP, HTTPS, etc.) that you want.
So if anyone from 192.168.32.25 tries to access your router xxx.xxx.xxx.xx, they can access it via SSH, HTTP and HTTPS only.


# line vty 0 15
# access-class 45 in


Please rate the helpful posts.
Regards,
Naidu.

I'm sorry, I don't think I explained this well.

What I am trying to achieve is:

On an L3 switch/router I have hundreds of VLANs.

And the device has hundreds of IP addresses on which it can be reached.

When I apply the access list to the line vty interfaces, it cannot be reached via telnet on all these addresses, just the ones I want.

So that works just fine.

But I can still reach it on every L3 IP address via the other services, like HTTP etc.

I want to do the same for these access methods as for telnet; is that possible?

Hi,


Yes, this should work. As per the rules below, you will be able to access it from the permitted hosts only, not from everywhere, as the last rule says deny any.

access-list 45 permit 192.168.32.25 eq 80
access-list 45 permit 192.168.32.25 eq 443
access-list 45 permit 192.168.32.25 eq 22
access-list 45 permit 192.168.32.26 eq 80
access-list 45 permit 192.168.32.26 eq 443
access-list 45 permit 192.168.32.26 eq 22
access-list 45 permit 192.168.32.30 eq 80
access-list 45 permit 192.168.32.30 eq 443
access-list 45 permit 192.168.32.30 eq 22
access-list 45 deny   any


# line vty 0 15
# access-class 45 in


Please rate the helpful posts.
Regards,
Naidu.

access-list 45 permit 192.168.32.25 eq 80
access-list 45 permit 192.168.32.25 eq 443
access-list 45 permit 192.168.32.25 eq 22
access-list 45 permit 192.168.32.26 eq 80
access-list 45 permit 192.168.32.26 eq 443
access-list 45 permit 192.168.32.26 eq 22
access-list 45 permit 192.168.32.30 eq 80
access-list 45 permit 192.168.32.30 eq 443
access-list 45 permit 192.168.32.30 eq 22
access-list 45 deny   any

# line vty 0 15
# access-class 45 in

Yes, this works for telnet, but not for HTTP and the rest.

Hi,

The ACLs are working fine as defined.
Actually, on line vty 0 15 it seems you applied telnet only (transport input telnet), so you cannot access it via SSH (22).

If you want to access that device via SSH (22), you need to configure "transport input ssh" on the line vty.
If you want to access that device via HTTP, then you need to enable "ip http server" on the router/switch, but this is not secure.


Please rate the helpful posts.
Regards,
Naidu.

OK, I will disable the HTTP server then.

When setting:

# line vty 0 15

# access-class 45 in

and with the HTTP server disabled, are there any other ways to reach the switch?

SNMP?

Hi,

Good...

You can reach any device (router/switch) through SNMP (usually used for monitoring, syslog and the like).
To access the switch/router through SNMP you need the configuration below on your device.

snmp-server community XXXX RO SNMP_ACCESS

ip access-list standard SNMP_ACCESS
permit 10.10.10.84
permit 10.10.10.50
permit 10.10.10.42


So as per the above config you can reach the switch through the SNMP community string XXXX, and I limited SNMP access to some hosts only (SNMP_ACCESS).

Please rate the helpful posts.
Regards,
Naidu.
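Taken together, the thread's point is that a vty access-class only covers telnet/SSH, while HTTP(S) and SNMP each need their own source restriction. The following Python audit script is an added example, not code from this thread, from Cisco or from the posters: it parses a constructed IOS config fragment and reports which management paths carry a source ACL. It assumes the IOS commands seen in the thread (access-class under line vty, the ACL argument of snmp-server community) plus ip http access-class, which the thread does not mention, to bind the same ACL to the HTTP server.

```python
import re

# Constructed sample IOS config (not from the thread): vty limited by ACL 45 as in
# the question, but HTTP(S) and one SNMP community are open to any source.
SAMPLE_CONFIG = """\
access-list 45 permit 192.168.32.25
access-list 45 deny   any
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community mgmt RO SNMP_ACCESS
line vty 0 15
 access-class 45 in
 transport input ssh
"""
# Constructed hardened variant: HTTP off, HTTPS bound to ACL 45, open community gone.
HARDENED_CONFIG = (SAMPLE_CONFIG
    .replace("ip http server\n", "no ip http server\nip http access-class 45\n")
    .replace("snmp-server community public RO\n", ""))

def audit_management_access(config):
    """Map each enabled management path to its source ACL (None = reachable from anywhere)."""
    lines = config.splitlines()
    result, http_acl, http_on = {}, None, []
    for ln in lines:
        m = re.match(r"ip http access-class (\S+)$", ln)
        if m:
            http_acl = m.group(1)
        elif ln in ("ip http server", "ip http secure-server"):
            http_on.append("https" if "secure" in ln else "http")
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", ln)
        if m:  # optional third group is the ACL name or number
            result["snmp:" + m.group(1)] = m.group(3)
    for svc in http_on:  # a single 'ip http access-class' guards both http and https
        result[svc] = http_acl
    # Each 'line vty' block is one entry; with no access-class it answers on every
    # interface address, which is the exposure the thread is about.
    block, acl = None, None
    for ln in lines + ["end"]:  # sentinel flushes the last block
        if not ln.startswith(" "):
            if block: result[block] = acl
            block = "vty " + ln[9:] if ln.startswith("line vty ") else None
            acl = None
            continue
        m = re.match(r"\s+access-class (\S+) in", ln)
        if m and block:
            acl = m.group(1)
    return result

def unrestricted_services(config):
    return sorted(s for s, a in audit_management_access(config).items() if a is None)
```

Running unrestricted_services over the sample config lists http, https and the public SNMP community, which matches what perpaal observed; over the hardened variant it returns an empty list.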
