ACL to block management on all but one VLAN interface

timstumbo
Level 1

Our core switch handles all our VLAN interfaces and you can telnet to the switch using any one of the VLAN interface IP addresses. I would like to lock this down so that you can only access the core switch using the management VLAN interface IP address. I found some documentation online on this but it doesn't seem to be working so I would like to get y'alls opinion. 

The management VLAN IP scheme is 10.15.10.0

I created a standard ACL: 
Standard IP access list 20
10 permit 10.15.10.0, wildcard bits 0.0.0.255

I then applied the ACL in the VTY line:
line vty 0 4
access-class 20 out

I applied the ACL but I'm still able to telnet to the switch using any of the VLAN interface IPs. 

Accepted Solution

Hi timstumbo,

As a general rule, I avoid using interface ACLs for protecting network equipment. On some platforms or in environments with a lot of traffic, using an interface ACL can negatively impact network throughput since every packet that needs to be routed to a different VLAN needs to be parsed against every entry in the list before being switched to the egress interface, not just the packets matching the ACEs in the list. That's not to say you should never use interface ACLs, only that you should avoid them if there are other ways.

To avoid having to do that, Cisco provides two methods for performing this task. The first one is the access-class on the terminal line and the other one is control plane policing (CoPP).

While CoPP is more powerful and very useful in defending against DoS attacks directed at the box, it's also more complex and requires more planning and insight into the traffic that needs to go to the CPU.

Therefore I suggest you use the access-class method.

First of all, direction "out" is only used for connections egressing the line. If this was a serial line or an AUX port connected to a modem, that would make sense but for VTYs you only ever use the "in" direction.

Try this:

ip access-list standard management-stations
 remark Management network
 permit x.x.x.x 0.0.0.255

line vty 0 4
 access-class management-stations in

Put the IP network where your management workstation resides in place of the x.x.x.x and also change the wildcard if needed.

This will prevent anyone from connecting to the VTY lines, from any source IP network, other than the one specified in the list.


9 Replies

BradEast1
Level 3

Try "access-class 20 in", rather than "out".

When I apply the ACL as "in" it blocks me from connecting. I'm assuming if I changed my IP address to the 10.15.10.0 subnet it would let me in because that's what's defined in the ACL.

I could be wrong but I believe "Out" is the correct direction, I just must be missing something else. 

Reza Sharifi
Hall of Fame

Try this example:

VLANs 10 and 11 are the other VLANs:

access-list 101 deny ip any 10.15.10.0 0.0.0.255
! 10.15.10.0/24 is the mgmt subnet
access-list 101 permit ip any any

interface vlan 10
 ip access-group 101 in

interface vlan 11
 ip access-group 101 in

HTH

Hi,

Using access-lists on the VTY lines you can decide which IP addresses are allowed to remotely connect and which are not allowed. What you want to achieve cannot be achieved using an access-list on the VTY lines. To limit which interfaces are listening for telnet/SSH traffic, you will need to apply access-lists on each SVI. I know it is tedious, but that is the way to do it.

Also, avoid using telnet if possible; it is not secure at all. Use SSH instead (if your switch supports it).

HTH,
Meheretab

Thanks for the response. Not all of our switches have the security images on them yet so I have to finish upgrading them before switching over to SSH.

What about setting up an ACL on each SVI that blocks ports 22 and 23? Wouldn't that be easier than doing it by IP address?

Sure, but it would block those ports for all traffic using those ports.

What's often done is to use an "in" ACL on the VTY controlling what subnets can send to the device. Normally only certain source subnets are allowed access. I haven't tried it, but perhaps you could use an extended ACL to restrict access to only your management network, with, or without, also controlling source networks.

E.g.:

access-list 101 permit ip any 10.15.10.0 0.0.0.255

line vty 0 4
 access-class 101 in

Hi Tim,

What about setting up an ACL on each SVI that blocks ports 22 and 23? Wouldn't that be easier than doing it by IP address?

When you block TCP ports 22 & 23 from any to any, you will block all traffic traversing the SVI. The best way is to block those ports from any to the SVIs' IP addresses.

HTH,
Meheretab
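To make the trade-offs in the last few replies concrete, here is an added Python evaluator for IOS-style wildcard ACLs (example code written for this page, not something posted in the thread or a Cisco tool). It runs the standard ACL 20 from the question and the extended ACL from the reply above against constructed telnet flows, and compares a blanket port-23 deny on an SVI with one scoped to the SVI address; the 10.15.20.x and 10.15.30.x addresses and the 10.15.20.1 SVI address are constructed, and the toy ignores protocol because every sample flow is TCP.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any" as network + wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def evaluate(acl, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; no match falls through to the implicit deny.
    ACE = (action, src_net, src_wc, dst_net, dst_wc, dport or None)."""
    for action, snet, swc, dnet, dwc, port in acl:
        if (wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)
                and (port is None or port == dport)):
            return action
    return "deny"


# Standard ACL 20 from the question: only the source address is checked.
ACL_20 = [("permit", "10.15.10.0", "0.0.0.255", *ANY, None)]
# Extended ACL from the later reply: permit only when the destination is in
# the management subnet, whatever the source.
ACL_101_VTY = [("permit", *ANY, "10.15.10.0", "0.0.0.255", None)]
# Two SVI ACLs for the "block port 23" idea (10.15.20.1 is a constructed
# SVI address for VLAN 20): blanket deny versus deny to the SVI address only.
SVI_BLANKET = [("deny", *ANY, *ANY, 23), ("permit", *ANY, *ANY, None)]
SVI_HOST = [("deny", *ANY, "10.15.20.1", "0.0.0.0", 23),
            ("permit", *ANY, *ANY, None)]


def compare_vty_acls():
    """Telnet attempts from a management station and from a user VLAN."""
    flows = {
        "mgmt_station_to_mgmt_svi": ("10.15.10.50", "10.15.10.1", 23),
        "mgmt_station_to_vlan20_svi": ("10.15.10.50", "10.15.20.1", 23),
        "user_to_mgmt_svi": ("10.15.20.77", "10.15.10.1", 23),
    }
    return {name: (evaluate(ACL_20, *f), evaluate(ACL_101_VTY, *f))
            for name, f in flows.items()}


def compare_svi_acls():
    """Telnet to the SVI itself versus telnet transiting the SVI to a server."""
    to_svi = ("10.15.20.77", "10.15.20.1", 23)
    transit = ("10.15.20.77", "10.15.30.9", 23)
    return {"to_svi": (evaluate(SVI_BLANKET, *to_svi), evaluate(SVI_HOST, *to_svi)),
            "transit": (evaluate(SVI_BLANKET, *transit), evaluate(SVI_HOST, *transit))}
```

It models only the ACE matching logic; whether a given platform honours the destination field of an extended ACL under access-class is exactly the untested point the earlier reply raises, so verify on the box before relying on it.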

Sorry, I submitted the same response twice by mistake and I can't delete it.

My apologies
