05-06-2013 11:52 AM - edited 03-07-2019 01:12 PM
Hi All,
Here's the base setup:
Here's what I want to achieve:
Here's how I tried to accomplish it:
I lose connectivity immediately after applying the list. I noticed originally that my vPC peer link died with this application, and that that might be causing the problem, so I added entries to include the peer link ports, and it worked like a charm. So the problem still remains: why can I not SSH to the switch with such a basic ACL applied?
Thanks in advance for any insight into this issue!
Kindest Regards,
ALAN
05-06-2013 12:50 PM
You probably meant the peer keepalive link and not the peer link, didn't you? Otherwise I don't have an explanation why an ACL on your mgmt interface should have an impact on other interfaces.
First, your ACL is wrong. With "permit 22" you allow protocol type 22 and not tcp/22. Try this:
permit tcp host 10.132.6.145 host 10.132.5.37 eq 22
However this will again kill your vPC keep-alives, snmp and whatever else is received on the mgmt interface. If all you want to do is to restrict vty access this could be achieved in an easier way without interfering with other management traffic:
ip access-list 100
10 permit ip host 10.132.6.145 any
line vty
access-class 100 in
Regards
Pille
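The two points in the answer above (a bare number in the protocol position is an IP protocol number, not a port, and an ACL on mgmt0 catches everything arriving on that interface while a vty access-class only filters terminal sessions) can be checked with a small ACL evaluator. The following is an added example, not code from the thread or from Cisco: it parses the ACEs quoted above and runs constructed sample packets through them. The peer switch address 10.132.5.38, the SNMP manager 10.132.6.200, the rogue host 10.0.0.9 and the use of UDP 3200 for the vPC peer keepalive (the NX-OS default) are assumptions made for the illustration.

```python
"""Added example: NX-OS style ACE parsing and first-match evaluation.

Shows why "permit 22 ..." never matches SSH (22 is an IP protocol number,
listed by IANA as XNS-IDP, not TCP port 22), and why an interface ACL on
mgmt0 also drops vPC peer-keepalive and SNMP traffic that a vty
access-class leaves alone.  All packets below are constructed samples.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Protocol keywords the parser understands; "ip" means any protocol.
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Packet:
    proto: int                 # IP protocol number (6 = TCP, 17 = UDP)
    src: str
    dst: str
    dport: Optional[int] = None  # L4 destination port, None if not TCP/UDP


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: Optional[int]       # None means any IP protocol
    src: Optional[str]         # None means "any"
    dst: Optional[str]
    dport: Optional[int]       # None means no "eq <port>" qualifier


def _parse_addr(tok: list[str], i: int) -> tuple[Optional[str], int]:
    """Parse 'host A.B.C.D' or 'any'; return (address or None, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as
    'permit tcp host 10.132.6.145 host 10.132.5.37 eq 22' or the mistaken
    'permit 22 host 10.132.6.145 host 10.132.5.37'.  An optional leading
    sequence number is skipped.  A bare number in the protocol position is
    taken as an IP protocol number, exactly as the switch interprets it."""
    tok = line.split()
    i = 1 if tok[0].isdigit() else 0      # skip sequence number if present
    action, p = tok[i], tok[i + 1]
    proto = int(p) if p.isdigit() else PROTO_NAMES[p]
    src, i = _parse_addr(tok, i + 2)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    """Field-by-field match; a None field in the ACE is a wildcard."""
    return ((ace.proto is None or ace.proto == pkt.proto)
            and (ace.src is None or ace.src == pkt.src)
            and (ace.dst is None or ace.dst == pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: list[str], pkt: Packet) -> str:
    """First-match semantics with the implicit 'deny ip any any' at the end."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action
    return "deny"


def interface_filter(acl: list[str], pkt: Packet) -> str:
    """ACL bound to mgmt0: every packet arriving on the interface is judged."""
    return evaluate(acl, pkt)


def vty_filter(acl: list[str], pkt: Packet) -> str:
    """Access-class on line vty: only terminal sessions (SSH/Telnet to the
    switch) are judged; keepalives, SNMP and the rest are not subject to it."""
    if pkt.proto == 6 and pkt.dport in (22, 23):
        return evaluate(acl, pkt)
    return "unfiltered"


# The three ACLs from the thread.
WRONG_ACL = ["permit 22 host 10.132.6.145 host 10.132.5.37"]
FIXED_ACL = ["permit tcp host 10.132.6.145 host 10.132.5.37 eq 22"]
VTY_ACL = ["10 permit ip host 10.132.6.145 any"]

# Constructed sample traffic toward the switch mgmt0 address 10.132.5.37.
SSH = Packet(6, "10.132.6.145", "10.132.5.37", 22)        # management station
ROGUE_SSH = Packet(6, "10.0.0.9", "10.132.5.37", 22)       # assumed attacker
KEEPALIVE = Packet(17, "10.132.5.38", "10.132.5.37", 3200)  # assumed vPC peer
SNMP = Packet(17, "10.132.6.200", "10.132.5.37", 161)      # assumed NMS poll

if __name__ == "__main__":
    for name, pkt in [("ssh", SSH), ("rogue ssh", ROGUE_SSH),
                      ("vpc keepalive", KEEPALIVE), ("snmp", SNMP)]:
        print(f"{name:14} mgmt0/wrong={interface_filter(WRONG_ACL, pkt):6} "
              f"mgmt0/fixed={interface_filter(FIXED_ACL, pkt):6} "
              f"vty/access-class={vty_filter(VTY_ACL, pkt)}")
```

Running it shows the wrong ACL denying even the management station's SSH, the corrected interface ACL permitting that SSH but dropping the keepalive and SNMP (which is what took the vPC down), and the vty access-class rejecting only the rogue SSH source while leaving the other management traffic untouched.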
05-06-2013 03:55 PM
Hey Pille,
Thanks so much for your help, it's been great! You know as simple as it is I didn't even think about the vty lines, everything kept centering around the physical interface 'mgmt0' so I just assumed the application would be on that interface. It makes total sense now to use an access-class on them to allow only the management station.
As far as the format for the original list, I tried a number of variations and I'm fairly positive I tried the one you posted. Regardless, it's good to know that the number alone is a type, not the port, and to use the eq XX syntax.
For the vPC related 'stuff' you're correct, I did mean the peer keepalive link, and right now it's configured based on the mgmt0 IPs to its partner, so blocking the interface blocked the keepalives. Thanks again for your fantastic help, closing and rating!
Kindest Regards,
ALAN