L2 Access list

Robert Plunkett
Level 1

Hello,

I am trying to configure an access list on an L2 switch. It should block ICMP from all hosts except two; from those two I should be able to ping or SSH to a specific machine. All devices are configured in the same VLAN. Can someone help me please?

Accepted Solution

liviu.gheorghe
Spotlight

Hello @Robert Plunkett ,

I assumed that you want to:

  • permit ICMP from host1 and host2 to machine
  • permit SSH from host1 and host2 to machine
  • permit other hosts in the vlan to communicate with each other

This is accomplished by using a VLAN ACL:

ip access-list extended ICMP
deny icmp host1 machine
deny icmp host2 machine
permit icmp any any

ip access-list extended SSH
deny tcp host1 machine eq 22
deny tcp host2 machine eq 22
permit tcp any any eq 22

ip access-list extended OTHER
permit ip any any

vlan access-map VACL_20 10
match ip address ICMP
action drop
vlan access-map VACL_20 20
match ip address SSH
action drop log
vlan access-map VACL_20 30
match ip address OTHER
action forward

vlan filter VACL_20 vlan-list 20

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***
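The VACL semantics the accepted answer relies on are easy to get backwards: an ACL deny entry is an exception that falls through to the next sequence, and only an ACL permit makes the sequence's action (drop or forward) apply. The following Python walk-through of that policy is an added example, not code from the thread or from Cisco; the 10.0.20.x addresses are constructed stand-ins for host1, host2 and machine, and it also checks the reverse (reply) direction, which a VACL filters just like the forward one.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses standing in for the thread's placeholders host1, host2, machine.
HOST1, HOST2, MACHINE, BYSTANDER = "10.0.20.11", "10.0.20.12", "10.0.20.100", "10.0.20.50"

def ace(action, proto, src, dst, dport=None):
    """One access-list entry; src/dst are 'any', a host address, or a CIDR prefix."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec if "/" in spec else spec + "/32")

def acl_lookup(acl, pkt):
    """First-match ACL evaluation: 'permit', 'deny', or None for the implicit deny at the end."""
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(e["src"], pkt["src"]) and _addr_match(e["dst"], pkt["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"]
    return None

def vacl_decision(access_map, pkt):
    """VACL semantics: a sequence matches only when its ACL *permits* the packet. A deny entry
    (or the implicit deny) means 'not this sequence, try the next one'. When IP match clauses
    exist but none matches, the frame is dropped."""
    for acl, action in access_map:
        if acl_lookup(acl, pkt) == "permit":
            return action
    return "drop"

# The accepted answer's policy with the placeholders substituted.
ICMP_ACL = [ace("deny", "icmp", HOST1, MACHINE), ace("deny", "icmp", HOST2, MACHINE),
            ace("permit", "icmp", "any", "any")]
SSH_ACL = [ace("deny", "tcp", HOST1, MACHINE, 22), ace("deny", "tcp", HOST2, MACHINE, 22),
           ace("permit", "tcp", "any", "any", 22)]
OTHER_ACL = [ace("permit", "ip", "any", "any")]
VACL_20 = [(ICMP_ACL, "drop"), (SSH_ACL, "drop log"), (OTHER_ACL, "forward")]

def check(proto, src, dst, dport=None):
    """Decision for one packet against VACL_20, e.g. check('icmp', HOST1, MACHINE)."""
    return vacl_decision(VACL_20, {"proto": proto, "src": src, "dst": dst, "dport": dport})

if __name__ == "__main__":
    for args in [("icmp", HOST1, MACHINE), ("icmp", BYSTANDER, MACHINE), ("icmp", MACHINE, HOST1),
                 ("tcp", HOST1, MACHINE, 22), ("tcp", BYSTANDER, MACHINE, 22), ("tcp", BYSTANDER, MACHINE, 443)]:
        print(args, "->", check(*args))
```

Running it shows the intended forward/drop results for the request direction, but also that the echo reply from machine back to host1 is ICMP matching `permit icmp any any` and is therefore dropped by sequence 10; a VACL is not directional, so the reply path needs its own exception before ping from the two hosts will succeed.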


3 Replies


Good afternoon,

The solution did not work.

This is what I ended up with, and it worked.

conf t
vlan access-map VACL_20 10
match ip address ICMP
action drop

vlan access-map VACL_20 20
match ip address SSH
action drop log

vlan access-map VACL_20 30
match ip address OTHER
action forward
!
vlan filter VACL_20 vlan-list 2

ip access-list extended ICMP
permit icmp host x.x.x.x host x.x.x.x
permit icmp host x.x.x.x host x.x.x.x
permit icmp host x.x.x.x host x.x.x.x
permit icmp host x.x.x.x host x.x.x.x

ip access-list extended SSH
permit tcp host x.x.x.x host x.x.x.x
permit tcp host x.x.x.x host x.x.x.x
permit tcp any any eq 22

ip access-list extended OTHER
permit ip any any
