Hello Everyone,
Would you please help me to solve the problem below?
I would like to configure an Extended Access-list to be used in in a stand alone 2960G switch but I am having problem.
Scenario:
All hosts are in the same VLAN 1.
Example:
-Host 1 is connect to the 2960G port 1 (ip= 10.10.10.1/24)
-Host 2 is connect to the 2960G port 2 (ip= 10.10.10.2/24)
I would like to allow host 1 ssh to host 2 (only tcp port 22) no other ports are allow.
Why the following configuration on 2960G switch is not working?
interface GigabitEthernet0/1
description host 1
interface GigabitEthernet0/2
description host 2
ip access-group ssh-only in
ip access-list extended ssh-only
permit tcp host 10.9.9.1 host 10.9.9.2 eq ssh
_______________________________________________________________
Here is the url that talk about this.
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/configuration/guide/swacl.html
Understanding ACLs
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a switch and permit or deny packets crossing specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions in an access list. The first match decides whether the switch accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the packet. If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs on all packets it forwards.
You configure access lists on a switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.
