03-04-2024 07:21 AM - edited 03-04-2024 07:39 AM
Hello Experts,
I have set up a Cisco 1200 series switch to connect to an internet provider. Additionally, I have set up an SVI (VLAN 2) on the C1200 switch which is connected to the ISP.
Now I want to allow all IPsec, port, protocol, and SSH/Telnet from a specific IP address to this C1200, and the rest needs to be blocked.
How can I configure an ACL and apply it to this SVI so that the security level is tight?
sample config:
vlan database
vlan 2-3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
bonjour interface range vlan 1
hostname TEXCI100
ip ssh server
ip ssh password-auth
snmp-server location Test
snmp-server community cwlesen ro view Default
snmp-server host 10.18.2.18 traps version 1 v2
no ip http server
no ip http secure-server
!
interface vlan 1
ip address 10.54.1.100 255.255.255.0
no ip address dhcp
!
interface vlan 2
ip address 58.216.234.Y 255.255.255.248
!
interface GigabitEthernet1
description *** ISP ***
switchport access vlan 2
!
interface GigabitEthernet2
description ** Firewall for IPSEC Connection ***
switchport mode trunk
switchport trunk allowed vlan 2-3
!
interface GigabitEthernet3
switchport access vlan 2
!
ip default-gateway 58.216.234.X
Thank you
BR
03-07-2024 12:24 AM
The 1200 series are small business switches and they work in another way.
Here is the ACL which is working for me:
management access-list To-Access
permit ip-source 10.78.19.0 mask 255.255.255.0
permit ip-source 10.88.2.0 mask 255.255.255.0
permit ip-source 160.153.246.20
!
exit
management access-class To-Access
Thanks for all your help.
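Added example, not from the thread or from Cisco: a small Python checker that parses the management access-list from the answer above and evaluates whether a given source address would be permitted, so the allow-list can be checked before `management access-class` is applied (applying it from a station that is not permitted drops your own session). It assumes first-match evaluation with an implicit deny at the end and ignores the optional `service` keyword.

```python
import ipaddress

# Constructed input: the management ACL from the accepted answer, pasted as typed.
ACL_TEXT = """
management access-list To-Access
permit ip-source 10.78.19.0 mask 255.255.255.0
permit ip-source 10.88.2.0 mask 255.255.255.0
permit ip-source 160.153.246.20
!
exit
management access-class To-Access
"""


def parse_management_acl(text):
    """Return (acl_name, [(action, network), ...]) from 'management access-list'
    lines. An entry without 'mask' is a single host (/32). Assumption: the
    optional 'service' keyword is not used, so it is not parsed here."""
    name, entries = None, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("!", "exit"):
            continue
        if parts[:2] == ["management", "access-list"]:
            name = parts[2]
        elif parts[0] in ("permit", "deny") and parts[1] == "ip-source":
            addr = parts[2]
            has_mask = len(parts) > 4 and parts[3] == "mask"
            mask = parts[4] if has_mask else "255.255.255.255"
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            entries.append((parts[0], net))
    return name, entries


def is_permitted(entries, source):
    """First matching entry wins; no match means the implicit deny applies
    (assumed behaviour, matching how the switch treats unlisted sources)."""
    src = ipaddress.ip_address(source)
    for action, net in entries:
        if src in net:
            return action == "permit"
    return False


def lockout_check(text, admin_host):
    """True if the station you are configuring from stays permitted after
    'management access-class' is applied; False means you would lock yourself out."""
    _, entries = parse_management_acl(text)
    return is_permitted(entries, admin_host)


if __name__ == "__main__":
    name, entries = parse_management_acl(ACL_TEXT)
    for probe in ("10.78.19.77", "160.153.246.20", "160.153.246.21", "10.54.1.5"):
        print(name, probe, "permit" if is_permitted(entries, probe) else "deny")
```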
03-04-2024 09:28 AM
Check the example below:
03-04-2024 09:22 PM
Thank you BB, but I need an ACL for the 1200 series switch.
03-04-2024 09:51 PM
I ran a lab yesterday.
The ACL applied to the SVI doesn't filter traffic directed to the SVI, but filters traffic passing through the SVI.
MHM
03-04-2024 09:52 PM
What was the ACL?
03-04-2024 10:18 PM
deny tcp any host <SVI> eq telnet
I applied it under the SVI with direction IN,
then I tried telnet to the SVI IP and succeeded.
MHM
03-05-2024 07:01 AM
"then I try telnet to SVI ip and I success"
From the SVI's VLAN?
03-05-2024 10:15 PM - edited 03-05-2024 10:16 PM
This lab is for more info.
If anyone has questions, please ask; let us exchange information about this case.
Thanks
03-05-2024 03:23 AM
Hello @test2022,
To be able to filter the possible sources for SSH or Telnet to the device, you should apply a standard ACL under line vty using:
access-list 1 remark example
access-list 1 permit host A.B.C.D
line vty 0 4
access-class 1 in
line vty 5 15
access-class 1 in
Warning: even if extended ACLs are supported, standard ACLs provide more predictable results and are enough for your use case.
Hope to help
Giuseppe
03-07-2024 12:25 AM
Thanks a lot for updating us.
MHM