ACL to Block Unauthorized access on C1200 Cisco Switch

test2022
Level 1

Hello Experts,

I have set up a Cisco 1200 series switch to connect to an internet provider. Additionally, I have set up an SVI (VLAN 2) on the C1200 switch which is connected to the ISP.

Now I want to allow all IPsec, ports, protocols, and SSH/Telnet from a specific IP address to this C1200, and the rest needs to be blocked.

How can I configure an ACL and apply it to this SVI so that the security level is tight?

 

sample config:

vlan database
vlan 2-3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
bonjour interface range vlan 1
hostname TEXCI100
ip ssh server
ip ssh password-auth
snmp-server location Test
snmp-server community cwlesen ro view Default
snmp-server host 10.18.2.18 traps version 1 v2
no ip http server
no ip http secure-server
!
interface vlan 1
ip address 10.54.1.100 255.255.255.0
no ip address dhcp
!
interface vlan 2
ip address 58.216.234.Y 255.255.255.248
!
interface GigabitEthernet1
description *** ISP ***
switchport access vlan 2
!
interface GigabitEthernet2
description ** Firewall for IPSEC Connection ***
switchport mode trunk
switchport trunk allowed vlan 2-3
!
interface GigabitEthernet3
switchport access vlan 2
!
ip default-gateway 58.216.234.X

Thank you

BR

 


10 Replies

Thank you BB, but I need an ACL for the 1200 series switch.

I ran a lab yesterday.
The ACL applied to the SVI doesn't filter traffic directed to the SVI, but it filters traffic passing through the SVI.

MHM

What was the ACL?

deny tcp any host <SVI> eq telnet

I applied it under the SVI with direction IN.

Then I tried to telnet to the SVI IP, and I succeeded.

MHM

"then I try telnet to SVI ip and I success"

From the SVI's VLAN?

This lab is for more info.
If anyone has a question, please ask; let us exchange information about this case.

thanks 

[Attachments: Screenshot (148).png, Screenshot (150).png]

Giuseppe Larosa
Hall of Fame

Hello @test2022 ,

To be able to filter the possible sources for SSH or Telnet to the device, you should apply a standard ACL under line vty using:

access-list 1 remark example
access-list 1 permit host A.B.C.D
line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in

Warning: even if extended ACLs are supported, standard ACLs provide more predictable results and are enough for your use case.

Hope to help

Giuseppe

 

test2022 (accepted solution)
Level 1

The 1200 series are small business switches, and they work in another way.

Here is the ACL which is working for me:

 

management access-list To-Access
permit ip-source 10.78.19.0 mask 255.255.255.0
permit ip-source 10.88.2.0 mask 255.255.255.0
permit ip-source 160.153.246.20
!
exit
management access-class To-Access

 

Thanks for all your help.
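Two practical points the thread leaves implicit, with an added example (this is editor-supplied code, not something posted in the thread or shipped by Cisco). First, the two answers above use different mask conventions: the IOS standard ACL that Giuseppe shows takes a wildcard mask (`10.78.19.0 0.0.0.255`), while the `permit ip-source ... mask` syntax of the C1200 management ACL takes a network mask (`255.255.255.0`) or a `/prefix-length`; pasting one convention into the other is an easy way to permit the wrong range. Second, both `management access-class` and `access-class ... in` end with an implicit deny and take effect immediately, so the address you are managing the switch from must match a permit entry before you apply them, or you lock yourself out. Note also that a management ACL only restricts who can reach the switch's own management services; it does not filter transit traffic, so the IPsec between the firewall on Gi2 and the ISP on Gi1 (switched within VLAN 2) is unaffected by it. The script below parses both entry formats, evaluates a source address against an ACL the way the switch would (first match, implicit deny), rejects a wildcard-style mask in the C1200 syntax, and runs a pre-apply lockout check. `SB_ACL` is the accepted solution's list as posted; `IOS_ACL` and the admin addresses are constructed for the demonstration.

```python
"""Offline check for management-source ACLs (editor-added example, not Cisco code)."""
import ipaddress
import re

# IOS standard ACL entries, e.g. "access-list 1 permit 10.78.19.0 0.0.0.255" (wildcard mask),
# "access-list 1 permit host 160.153.246.20", "access-list 1 permit any".
IOS_STD = re.compile(
    r"^\s*access-list\s+\d+\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<net>\S+)(?:\s+(?P<wc>\S+))?)\s*$")
# Cisco small-business management ACL entries, e.g. "permit ip-source 10.78.19.0 mask 255.255.255.0"
# (network mask or /prefix-length); a trailing "service ..." keyword is tolerated and ignored here.
SB_MGMT = re.compile(
    r"^\s*(?P<action>permit|deny)\s+ip-source\s+(?P<addr>\S+)"
    r"(?:\s+mask\s+(?P<mask>\S+))?(?:\s+service\s+\S+)?\s*$")


def _is_netmask(mask_int):
    """True for a contiguous network mask (255.255.255.0); False for wildcard-style (0.0.0.255)."""
    inv = ~mask_int & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def parse_entry(line):
    """Return (action, match_fn) for an ACL entry, or None for lines that filter nothing."""
    m = IOS_STD.match(line)
    if m:
        action = m.group("action")
        if m.group("any"):
            return action, lambda ip: True
        if m.group("host"):
            target = ipaddress.ip_address(m.group("host"))
            return action, lambda ip, t=target: ip == t
        net = int(ipaddress.ip_address(m.group("net")))
        # IOS: an omitted wildcard means a single host (wildcard 0.0.0.0)
        wc = int(ipaddress.ip_address(m.group("wc") or "0.0.0.0"))
        return action, lambda ip, n=net, w=wc: (int(ip) & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)
    m = SB_MGMT.match(line)
    if m:
        mask = m.group("mask") or "32"  # no mask on the SB syntax means a single host
        if not mask.startswith("/") and "." in mask:
            # ipaddress would silently accept 0.0.0.255 as a host mask; reject it explicitly
            if not _is_netmask(int(ipaddress.ip_address(mask))):
                raise ValueError(f"{mask!r} looks like a wildcard mask; 'mask' takes a network mask")
        net = ipaddress.ip_network(f"{m.group('addr')}/{mask.lstrip('/')}", strict=False)
        return m.group("action"), lambda ip, n=net: ip in n
    return None  # remarks, "management access-list ...", "exit", etc.


def entry_is_valid(line):
    """False when an entry is rejected (e.g. a wildcard mask where a network mask is expected)."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


def evaluate(acl_lines, source):
    """First-match evaluation with the implicit deny both platforms apply at the end."""
    ip = ipaddress.ip_address(source)
    for line in acl_lines:
        entry = parse_entry(line)
        if entry and entry[1](ip):
            return entry[0]
    return "deny"


def lockout_check(acl_lines, admin_sources):
    """Return the admin addresses the ACL would deny; a non-empty list means applying
    'management access-class' (or 'access-class ... in') from one of them locks you out."""
    return [s for s in admin_sources if evaluate(acl_lines, s) == "deny"]


# The accepted solution's management ACL, as posted in the thread
SB_ACL = [
    "management access-list To-Access",
    "permit ip-source 10.78.19.0 mask 255.255.255.0",
    "permit ip-source 10.88.2.0 mask 255.255.255.0",
    "permit ip-source 160.153.246.20",
    "exit",
    "management access-class To-Access",
]

# The same policy in IOS standard-ACL form (constructed here; note wildcard masks)
IOS_ACL = [
    "access-list 1 remark management sources",
    "access-list 1 permit 10.78.19.0 0.0.0.255",
    "access-list 1 permit 10.88.2.0 0.0.0.255",
    "access-list 1 permit host 160.153.246.20",
]

if __name__ == "__main__":
    for source in ("10.78.19.7", "160.153.246.20", "10.54.1.50"):
        print(source, "SB:", evaluate(SB_ACL, source), "IOS:", evaluate(IOS_ACL, source))
    # 10.54.1.50 is a constructed admin station on the OP's VLAN 1 (10.54.1.0/24), which the posted
    # ACL does not permit: applying the access-class while managing from it would lock you out
    print("would lock out:", lockout_check(SB_ACL, ["10.54.1.50", "10.78.19.1"]))
```

Run it before pasting an ACL into either platform; if `lockout_check` returns your own station, add a permit for it first. The explicit `_is_netmask` check exists because Python's `ipaddress` accepts `10.78.19.0/0.0.0.255` as a valid host-mask form and would quietly treat a wildcard mistake as a correct /24.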

Thanks a lot for updating us.

MHM
