
Cisco 3650: Need 2 Things

BashedRoot
Level 2

Hello,

I have a 3650 L3 Cisco switch. I'm curious if someone can assist me with the following 2 questions:

1. How do I do a simple search for a specific IP address or subnet on the switch to see if any VLAN has it configured already? I have a massive amount of IPs routed among several VLANs. It would be easier to do some kind of quick command search instead of skimming through the config file.

2. How do I put IP access restriction on the web GUI panel? I already have IP access restrictions set on SSH access to a couple of my local IPs, but I also want to apply the same security measure on the web GUI as well.

Thanks.

6 Replies 6

rafael.alves
Level 1

1 - show ip route xx.XX.XX.XX xx.xx.xx.xx

If it shows a route as "directly connected", the IP range is inside a VLAN.

Create an extended ACL limiting the access for determined ranges and apply it to VLAN SVIs:

ip access-list extended 101
 permit tcp xx.xx.xx.xx xx.xx.xx.xx host yy.yy.yy.yy eq 80
 permit tcp xx.xx.xx.xx xx.xx.xx.xx host yy.yy.yy.yy eq 443

Where xx.xx.xx.xx is the network/wildcard mask you want to allow to access the switch, and yy.yy.yy.yy is the switch IP address.

I forgot to put the ACL applying to the interfaces:

interface vlan XX
 ip access-group 101 in

Thanks, but that didn't seem to work. Tried from a local whitelisted IP, and I can access fine, which it should do. However, tried from an iPhone (from the carrier IP, not Wi-Fi) and I can still access from there too, which I shouldn't be able to.

Cisco3650#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco3650(config)#ip access-list extended 101
Cisco3650(config-ext-nacl)#permit tcp host xxx.xxx.xxx.134 host xxx.xxx.xxx.52 eq 80
Cisco3650(config-ext-nacl)#permit tcp host xxx.xxx.xxx.134 host xxx.xxx.xxx.52 eq 443

How is the switch connected to the internet? Through a firewall?

No, direct to uplink Ethernet.

Hi - have you tried the following:

1. show ip interface brief | include x.x.x.x

2. ip http access-class <STANDARD-ACL>

hth

Andy
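As an added example (not code from the thread or from Cisco), the following Python script does offline what the two questions ask for, working from a saved copy of the running config instead of live CLI commands: it finds which interface owns a subnet containing a given IP or prefix (question 1), and it audits whether the HTTP(S) server is on and whether an `ip http access-class` restriction is applied to it (question 2), reusing the standard ACL already applied to the vty lines so the web GUI gets the same allow-list as SSH. The config excerpt, hostname, VLAN numbers and ACL number are constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Constructed "show running-config" excerpt (not from the original thread).
SAMPLE_CONFIG = """\
hostname Cisco3650
!
ip http server
ip http secure-server
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan20
 ip address 198.51.100.1 255.255.255.128
 ip address 198.51.100.129 255.255.255.128 secondary
!
interface Vlan99
 ip address 203.0.113.1 255.255.255.0
!
access-list 10 permit 203.0.113.10
access-list 10 permit 203.0.113.11
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)(?: secondary)?$")
HTTP_SERVER_RE = re.compile(r"^ip http (?:secure-)?server$")
HTTP_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)")
VTY_CLASS_RE = re.compile(r"^ access-class (\S+) in")


def svi_networks(config):
    """Every (interface, IPv4Interface) pair configured with 'ip address'."""
    nets, iface = [], None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        if line.startswith("!"):          # end of the interface stanza
            iface = None
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            nets.append((iface, ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")))
    return nets


def find_vlans(config, target):
    """Question 1: interfaces whose subnet contains the target address or overlaps
    the target prefix. Returns [(interface, subnet), ...]."""
    target_net = ipaddress.ip_network(target, strict=False)
    return [(iface, str(addr.network))
            for iface, addr in svi_networks(config)
            if addr.network.overlaps(target_net)]


def vty_access_class(config):
    """ACL applied inbound on the vty lines (the SSH allow-list), or None."""
    in_vty = False
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
            continue
        if not line.startswith(" "):      # left the 'line vty' stanza
            in_vty = False
        m = VTY_CLASS_RE.match(line)
        if in_vty and m:
            return m.group(1)
    return None


def audit_http_access(config):
    """Question 2: is the web GUI enabled, and is it restricted by 'ip http access-class'?"""
    lines = config.splitlines()
    http_on = any(HTTP_SERVER_RE.match(l) for l in lines)
    acl = next((m.group(1) for l in lines if (m := HTTP_CLASS_RE.match(l))), None)
    return {"http_enabled": http_on, "access_class": acl,
            "unrestricted": http_on and acl is None}


def http_restriction_lines(config, fallback_acl="10"):
    """Config line that applies the existing vty allow-list (or fallback_acl, which
    must be a standard ACL) to the HTTP server, so web and SSH access match."""
    acl = vty_access_class(config) or fallback_acl
    return [f"ip http access-class {acl}"]


if __name__ == "__main__":
    print(find_vlans(SAMPLE_CONFIG, "198.51.100.200"))
    print(audit_http_access(SAMPLE_CONFIG))
    print("\n".join(http_restriction_lines(SAMPLE_CONFIG)))
```

Unlike an access-group on a VLAN SVI, which only filters traffic entering that interface, `ip http access-class` is evaluated by the HTTP server itself, so it applies no matter which interface the request arrives on; that is why the audit treats an enabled HTTP server without an access-class as unrestricted.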
