Hi everyone,
I´m having a weird issue trying to block admin ports of the core switch (in this case a Cisco Catalyst 4506E) in some SVIs. By admin ports I mean ssh, http, https in the ip address of some SVI in my L3 core switch. Maybe you think about access-list in the vty lines, but that is simply not enough as I want to block also http and https pages of the core switch per certain vlan interfaces. Let´s say I have the SVI 90, where students connect to my network, obviously I dont want them to have access to my switch in any form besides like a gateway and maybe some ping traffic. Also I have the SVI 100 for management, where access to admin ports are required:
interface Vlan90
description STUDENTS
ip address 192.168.25.253 255.255.255.0
standby 2 ip 192.168.25.1
standby 2 priority 110
standby 2 preempt
end
interface Vlan100
description MANAGEMENT
ip address 10.0.0.253 255.255.255.0
standby 3 ip 10.0.0.1
standby 3 priority 110
standby 3 preempt
end
If I apply this solution (how-can-i-block-ssh-access-to-an-svi), simply does not work, as any host in the student SVI can access ssh, http and https of the management SVI in the switch (maybe it will block the rest of the IPs in the management vlan, maybe other switches, but not the L3 interface IP of the core switch).
access-list 101 deny tcp any 10.0.0.0 0.0.0.255 eq 22
access-list 101 deny tcp any 10.0.0.0 0.0.0.255 eq 80
access-list 101 deny tcp any 10.0.0.0 0.0.0.255 eq 443
access-list 101 permit ip any any
interface vlan 100
ip access-group 101 in
ip access-group 101 out
Same thing with this solution (lan-switching-and-routing/intervlan-vlan-blocking-by-acl), maybe other hosts in the management vlan get blocked, but not the management L3 in the core switch itself.
Funny thing: I applied an access-list to block any traffic in the management interface. So everything should be blocked no matter the way I apply the access-list right???:
access-list 101 ip deny any any
interface vlan 100
ip access-group 101 in
NOPE!!!!, I can still access ssh, http and https of the management SVI IP address of the core switch. That was when I decided to declare myself crazy and started seeking for help. Any support is appreciated and sorry for the long post. I include a show version of my core switch:
CORE-PRI#sh vers
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500es8-UNIVERSALK9-M), Version 03.08.02.E RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 27-Jun-16 11:20 by prod_rel_team
.
.
.
ROM: 15.1(1r)SG6
System image file is "bootflash:/cat4500es8-universalk9.SPA.03.08.02.E.152-4.E2.bin"
Jawa Revision 4, RadTrooper Revision 0x0.0x41, Conan Revision 0x378D
.
Last reload reason: power-on
.
License Information for 'WS-X45-SUP8L-E'
License Level: entservices Type: Permanent
Next reboot license Level: entservices
cisco WS-C4506-E (P5040) processor (revision 2) with 4194304K bytes of physical memory.
Processor board ID FXS2025Q2M5
P5040 CPU at 1.8GHz, Supervisor 8L-E
Last reset from PowerUp
26 Virtual Ethernet interfaces
72 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2101
Thanks a lot for any help!!!!
