03-10-2013 11:07 AM - edited 03-07-2019 12:09 PM
My company is in the process of being audited (annual event) and my manager wanted me to lock down access to our switches from our workstation network for ports 80, 443, 22, 23. I created access-lists and applied the access-lists to our "traversing" VLAN and it worked. I could not access the switches from my workstation, but I was able to access them from a server that was set up on a different VLAN just for this (kind of like a monitoring/security server).
One thing appears to have been an inadvertent consequence of this action. I am not able to access a website using port 80 in a branch office.
Is there a way to lock down access to the switches against audit scanners without disrupting other network traffic? I used the configs below.
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit ip any any
int vlan 2
ip access-group 101 in
Thanks,
03-10-2013 11:53 AM
access-list 101 permit ip host (Your IP 192.168.1.x) any
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit ip any any
03-11-2013 12:58 PM
hello jpgleason,
A better solution would be to create two separate ACLs, one for vty access and the other for http/https access.
! Extended ACL for the vty lines; xyz is the management host allowed in
ip access-list extended MGMT
 permit ip host xyz any
 deny ip any any
! Standard ACL for the HTTP/HTTPS server (standard ACLs match on source only)
ip access-list standard 99
 permit host xyz
 deny any
line vty 0 4
 access-class MGMT in
ip http access-class 99
You allow or deny the IPs that should or should not access your router. It is a more scalable and better solution because you do not have to apply ACLs on every interface that can be used to reach the router.
Best Regards
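To make concrete why the original poster's interface ACL also broke the branch-office website, and what a deny scoped to the switch management addresses looks like instead, here is a small first-match evaluator for the extended-ACL syntax used in the thread. This is an added example, not code from the thread or from Cisco; the workstation subnet 192.168.1.0/24 comes from the original post, while the switch management range 10.10.0.0/24, the switch address 10.10.0.7 and the branch web server 172.16.5.20 are assumed values made up for the example. It illustrates both the original poster's ACL and the scoped alternative; the vty/http access-class approach in the last reply needs no interface ACL at all, which is why it avoids this problem.

```python
"""Added example (not from the thread): minimal first-match evaluator for
Cisco-style extended ACL lines, used to show why a deny toward "any" on
port 80 also blocks a branch web server, and how scoping the deny to the
switch management addresses fixes it. Addresses other than 192.168.1.0/24
are assumed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or "tcp" (enough for the thread's ACLs)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # "eq <port>"; None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or self.dport == dport


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    i = 4

    def addr():
        nonlocal i
        if tok[i] == "any":            # any -> wildcard of all ones
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[i] == "host":           # host x -> wildcard of all zeros
            i += 2
            return tok[i - 1], "0.0.0.0"
        i += 2                         # network wildcard
        return tok[i - 2], tok[i - 1]

    src, src_wc = addr()
    dst, dst_wc = addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[str], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


# The ACL as posted: denies port 80 from the workstation subnet to ANY
# destination, so a branch web server is caught along with the switches.
ACL_AS_POSTED = [
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit ip any any",
]

# Scoped alternative: deny the management ports only toward the switch
# management range (10.10.0.0/24 is assumed), then permit everything else.
ACL_SCOPED = [
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 22",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 23",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 80",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 443",
    "access-list 101 permit ip any any",
]

WORKSTATION = "192.168.1.50"   # in the subnet from the post
SWITCH_MGMT = "10.10.0.7"      # assumed switch management address
BRANCH_WEB = "172.16.5.20"     # assumed branch-office web server


def compare() -> dict:
    """Evaluate constructed flows against both ACLs: name -> (as posted, scoped)."""
    flows = {
        "workstation->switch:80": ("tcp", WORKSTATION, SWITCH_MGMT, 80),
        "workstation->branch web:80": ("tcp", WORKSTATION, BRANCH_WEB, 80),
        "workstation->switch:22": ("tcp", WORKSTATION, SWITCH_MGMT, 22),
    }
    return {name: (evaluate(ACL_AS_POSTED, *f), evaluate(ACL_SCOPED, *f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (posted, scoped) in compare().items():
        print(f"{name:28} as posted: {posted:6}  scoped: {scoped}")
```

Running it shows the posted ACL denying the branch web server while still permitting SSH to the switch (only port 80 was in the posted lines), whereas the scoped ACL denies all four management ports to the switch range and leaves the branch web traffic alone.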