cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
717
Views
1
Helpful
3
Replies

L2 Access list

Robert Plunkett
Level 1
Level 1

Hello,

I am trying to configure an access list on a L2 switch it should block ICMP from all except a two, from those two I should be able

to ping, or ssh to a specific machine. All device are configured in the same vlan, can someone help me please?

 

1 Accepted Solution

Accepted Solutions

liviu.gheorghe
Spotlight
Spotlight

Hello @Robert Plunkett ,

I assumed that you want to:

  • permit ICMP from host1 and host2 to machine
  • permit SSH from host1 and host2 to machine
  • permit other hosts in the vlan to communicate between them

This is accomplished by using a VLAN ACL:

ip access-list extended ICMP 

deny  icmp host1 machine

deny icmp host2 machine

permit icmp any any 

 

ip access-list extended SSH 

deny  tcp host1 machine eq 22

deny  tcp host2 machine eq 22

permit tcp any any eq 22 

 

ip access-list extended OTHER 

permit ip any any 

 

vlan access-map VACL_20 10 S

match ip address ICMP 

action drop 

 

vlan access-map VACL_20 20 

match ip address SSH 

action drop log 

 

vlan access-map VACL_20 30 

match ip address OTHER 

action forward 

vlan filter VACL_20 vlan-list 20 

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

View solution in original post

3 Replies 3

liviu.gheorghe
Spotlight
Spotlight

Hello @Robert Plunkett ,

I assumed that you want to:

  • permit ICMP from host1 and host2 to machine
  • permit SSH from host1 and host2 to machine
  • permit other hosts in the vlan to communicate between them

This is accomplished by using a VLAN ACL:

ip access-list extended ICMP 

deny  icmp host1 machine

deny icmp host2 machine

permit icmp any any 

 

ip access-list extended SSH 

deny  tcp host1 machine eq 22

deny  tcp host2 machine eq 22

permit tcp any any eq 22 

 

ip access-list extended OTHER 

permit ip any any 

 

vlan access-map VACL_20 10 S

match ip address ICMP 

action drop 

 

vlan access-map VACL_20 20 

match ip address SSH 

action drop log 

 

vlan access-map VACL_20 30 

match ip address OTHER 

action forward 

vlan filter VACL_20 vlan-list 20 

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

Good afternoon,

The solution did not work.

This is what I end up with and it worked.

conf t
vlan access-map VACL_20 10
match ip address ICMP
action drop

vlan access-map VACL_20 20
match ip address SSH
action drop log

vlan access-map VACL_20 30
match ip address OTHER
action forward
!
vlan filter VACL_20 vlan-list 2

ip access-list extended ICMP
permit icmp host x.x.x.x host x.x.x.x
permit icmp host x.x.x.x host x.x.x.x
permit icmp host x.x.x.x host x.x.x.x
permit icmp host x.x.x.x host x.x.x.x

ip access-list extended SSH
permit tcp host x.x.x.x host x.x.x.x
permit tcp host x.x.x.x host x.x.x.x
permit tcp any any eq 22

ip access-list extended OTHER
permit ip any any

Review Cisco Networking for a $25 gift card