02-09-2017 09:32 AM - edited 03-08-2019 09:16 AM
Hello,
I have a 3650 L3 Cisco switch. I'm curious if someone can assist me with the following 2 questions:
1. How do I do a simple search for a specific IP address or subnet on the switch to see if any VLAN has it configured already? I have a massive number of IPs routed among several VLANs. It would be easier to do some kind of quick command search instead of skimming through the config file.
2. How do I put IP access restriction on the web GUI panel? I already have IP access restrictions set on SSH access to a couple of my local IPs, but I also want to apply the same security measure on the web GUI as well.
Thanks.
02-09-2017 09:51 AM
1 - show ip route xx.xx.xx.xx xx.xx.xx.xx
If it shows the route as "directly connected", the IP range is inside a VLAN.
2 - Create an extended ACL limiting access to the desired ranges and apply it to the VLAN SVIs:
ip access-list extended 101
permit tcp xx.xx.xx.xx xx.xx.xx.xx host yy.yy.yy.yy eq 80
permit tcp xx.xx.xx.xx xx.xx.xx.xx host yy.yy.yy.yy eq 443
where xx.xx.xx.xx is the network/wildcard mask you want to allow to access the switch and yy.yy.yy.yy is the switch IP address.
02-09-2017 10:04 AM
I forgot to include applying the ACL to the interfaces:
interface vlan XX
ip access-group 101 in
02-09-2017 11:03 AM
Thanks, but that didn't seem to work. Tried from the local whitelisted IP: I can access fine, as it should. However, I tried from my iPhone (from the carrier IP, not Wi-Fi) and I can still access from there too, which I shouldn't be able to.
Cisco3650#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco3650(config)#ip access-list extended 101
Cisco3650(config-ext-nacl)#permit tcp host xxx.xxx.xxx.134 host xxx.xxx.xxx.52 eq 80
Cisco3650(config-ext-nacl)#permit tcp host xxx.xxx.xxx.134 host xxx.xxx.xxx.52 eq 443
02-09-2017 12:07 PM
How is the switch connected to the internet? Through a firewall?
02-09-2017 12:11 PM
No, directly to the uplink Ethernet.
02-09-2017 03:21 PM
Hi - have you tried the following:
1. show ip interface brief | include x.x.x.x
2. ip http access-class <STANDARD-ACL>
hth
Andy
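As an added example (not part of the thread, and not a Cisco tool): the two questions above can also be answered offline against a saved copy of `show running-config`, which avoids both skimming the file by hand and the limitation that `| include x.x.x.x` only matches an address that appears literally. The script below parses the SVI blocks and reports which VLAN interface's subnet overlaps a given host or prefix, and then audits the management plane for the gap in question 2: an HTTP/HTTPS server enabled with no `ip http access-class`, cleartext `ip http server` left on, or a `line vty` block without an inbound `access-class`. The config text, interface names, ACL numbers and addresses are all constructed for illustration and are assumptions, not the poster's configuration.

```python
import ipaddress
import re

# Constructed sample running-config excerpt (assumption: not the poster's config).
# Management-plane weakness deliberately left in: HTTP and HTTPS are on with no access-class.
SAMPLE_CONFIG = """\
!
ip http server
ip http secure-server
!
interface Vlan10
 description Users
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description Servers
 ip address 10.20.0.1 255.255.254.0
 ip address 10.20.2.1 255.255.255.0 secondary
!
interface Vlan30
 no ip address
!
ip access-list standard MGMT-HOSTS
 permit 10.10.10.50
 permit 10.10.10.51
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
"""

# The same config with the fix from the reply above applied: cleartext HTTP off,
# HTTPS kept, and a standard ACL (number 10, an assumption) bound with ip http access-class.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "ip http server\nip http secure-server\n",
    "no ip http server\nip http secure-server\nip http access-class 10\n"
    "access-list 10 permit 10.10.10.50\naccess-list 10 permit 10.10.10.51\n",
)

INTERFACE_RE = re.compile(r"^interface (\S+)")
IP_ADDRESS_RE = re.compile(r"^\s+ip address (\S+) (\S+)( secondary)?")


def parse_svis(config):
    """Return [(interface_name, IPv4Interface), ...] for every SVI with an address.
    Secondary addresses are included, since a subnet may live on one of those."""
    result = []
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            # A bare '!' or any global command ends the interface block.
            current = None
            continue
        m = IP_ADDRESS_RE.match(line)
        if m and current and current.lower().startswith("vlan"):
            result.append((current, ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")))
    return result


def find_vlan_for(config, target):
    """Question 1: which SVI already carries `target` (a host or a prefix)?
    Returns [(interface_name, 'addr/prefixlen'), ...] for every overlapping SVI subnet."""
    net = ipaddress.ip_network(target, strict=False)
    return [(name, str(iface)) for name, iface in parse_svis(config)
            if net.overlaps(iface.network)]


def audit_management_plane(config):
    """Question 2: list management services reachable without an IP restriction.
    An empty list means nothing to flag."""
    findings = []
    lines = config.splitlines()
    http_on = any(l.strip() == "ip http server" for l in lines)
    https_on = any(l.strip() == "ip http secure-server" for l in lines)
    http_acl = any(l.strip().startswith("ip http access-class ") for l in lines)
    if (http_on or https_on) and not http_acl:
        findings.append("HTTP/HTTPS server enabled with no 'ip http access-class' ACL")
    if http_on:
        findings.append("cleartext 'ip http server' enabled; use 'no ip http server' with 'ip http secure-server'")
    # Every 'line vty' block should carry an inbound access-class.
    vty_block, vty_ok = None, {}
    for l in lines:
        if l.startswith("line vty"):
            vty_block = l.strip()
            vty_ok[vty_block] = False
        elif vty_block and l.startswith(" "):
            if l.strip().startswith("access-class ") and l.strip().endswith(" in"):
                vty_ok[vty_block] = True
        else:
            vty_block = None
    findings.extend(f"{block} has no inbound access-class" for block, ok in vty_ok.items() if not ok)
    return findings


if __name__ == "__main__":
    print("10.20.1.7 lives on:", find_vlan_for(SAMPLE_CONFIG, "10.20.1.7"))
    print("10.20.2.0/24 lives on:", find_vlan_for(SAMPLE_CONFIG, "10.20.2.0/24"))
    print("before:", audit_management_plane(SAMPLE_CONFIG))
    print("after:", audit_management_plane(HARDENED_CONFIG))
```

The SVI check uses subnet overlap rather than string matching, so a host address that is merely inside a VLAN's range (or a prefix that overlaps a secondary address) is still found. The audit is a plain-text check of the saved config, so it reports what is configured, not what is reachable; it also does not verify that the ACL named in `ip http access-class` exists or what it permits, which is worth eyeballing after applying it.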