L2 Access list

Robert Plunkett

Hello,

I am trying to configure an access list on an L2 switch. It should block ICMP from all except two hosts; from those two I should be able to ping or SSH to a specific machine. All devices are configured in the same VLAN. Can someone help me please?

Accepted Solution

liviu.gheorghe

Hello @Robert Plunkett,

I assumed that you want to:

  • permit ICMP from host1 and host2 to machine
  • permit SSH from host1 and host2 to machine
  • permit the other hosts in the VLAN to communicate with each other

This is accomplished by using a VLAN ACL:

ip access-list extended ICMP
 remark host1, host2 and machine stand for "host A.B.C.D"
 deny icmp host1 machine
 deny icmp host2 machine
 remark a VACL is stateless: the echo replies (machine -> host) need their own entries,
 remark otherwise they hit "permit icmp any any" and are dropped
 deny icmp machine host1
 deny icmp machine host2
 permit icmp any any

ip access-list extended SSH
 deny tcp host1 machine eq 22
 deny tcp host2 machine eq 22
 permit tcp any any eq 22

ip access-list extended OTHER
 permit ip any any

vlan access-map VACL_20 10
 match ip address ICMP
 action drop

vlan access-map VACL_20 20
 match ip address SSH
 action drop log

vlan access-map VACL_20 30
 match ip address OTHER
 action forward

vlan filter VACL_20 vlan-list 20

Hope this helps.

Regards, LG

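Added example (not code from the post or from Cisco): a small Python model of how the VLAN access map in the answer evaluates its three lists, with host1, host2, machine and other as placeholder addresses. It shows the point that trips people up with VACLs: the filter is stateless and sees both directions of a flow, so the ICMP list needs deny entries for the machine-to-host direction as well, or the echo replies match permit icmp any any and are dropped.

```python
ANY = "any"

def acl_permits(acl, pkt):
    """True when the first ACL entry matching pkt is a permit (IOS first-match,
    implicit deny at the end). pkt = (proto, src, dst, dport); dport is None for ICMP."""
    proto, src, dst, dport = pkt
    for action, a_proto, a_src, a_dst, a_dport in acl:
        if a_proto not in (ANY, "ip", proto):  # "ip" in an entry covers every protocol
            continue
        if a_src != ANY and a_src != src:
            continue
        if a_dst != ANY and a_dst != dst:
            continue
        if a_dport != ANY and a_dport != dport:
            continue
        return action == "permit"
    return False

def vacl_action(access_map, pkt):
    """Sequences are tried in order. A packet matches a sequence only when that
    sequence's ACL permits it; an ACL deny means 'try the next sequence'.
    A packet that matches no sequence is dropped."""
    for acl, action in access_map:
        if acl_permits(acl, pkt):
            return action
    return "drop"

# The lists from the answer; the names are placeholders for 'host A.B.C.D'.
ICMP_POSTED = [("deny", "icmp", "host1", "machine", ANY),
               ("deny", "icmp", "host2", "machine", ANY),
               ("permit", "icmp", ANY, ANY, ANY)]
# Same list plus deny entries for the echo replies (machine -> host1/host2).
ICMP_FIXED = ICMP_POSTED[:2] + [("deny", "icmp", "machine", "host1", ANY),
                                ("deny", "icmp", "machine", "host2", ANY)] + ICMP_POSTED[2:]
SSH = [("deny", "tcp", "host1", "machine", 22),
       ("deny", "tcp", "host2", "machine", 22),
       ("permit", "tcp", ANY, ANY, 22)]
OTHER = [("permit", "ip", ANY, ANY, ANY)]

def vacl_20(icmp_acl):
    """vlan access-map VACL_20: seq 10 ICMP drop, seq 20 SSH drop, seq 30 OTHER forward."""
    return [(icmp_acl, "drop"), (SSH, "drop"), (OTHER, "forward")]

if __name__ == "__main__":
    for name, pkt in {"echo request host1->machine": ("icmp", "host1", "machine", None),
                      "echo reply machine->host1": ("icmp", "machine", "host1", None),
                      "ssh syn other->machine": ("tcp", "other", "machine", 22)}.items():
        print(f"{name:28} posted={vacl_action(vacl_20(ICMP_POSTED), pkt):8}"
              f"fixed={vacl_action(vacl_20(ICMP_FIXED), pkt)}")
```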