mahmoodmkl Tue, 04/29/2008 - 00:34

Hi


If you are referring to telnet access to the switches, then I would suggest using an access-list under your vty lines. Just allow the subnet from which you would like to access the devices. You can use a standard ACL for this.


Thanks

Mahmood

drnteam Tue, 04/29/2008 - 01:05

Hi,

I want to block all traffic from the other VLANs while providing limited access to the management VLAN.

yassine-m Tue, 04/29/2008 - 02:07

I'd recommend the 3750 Switch Software Configuration Guide's chapter on Network Security with ACLs:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a008081de82.html

VACLs are usually used to control traffic within a VLAN (Host A in VLAN 10 to Host B in VLAN 10), but can be used to filter on layer 2 or layer 3. A VACL is applied to all traffic in both directions, so creating access-list logic can be more challenging, but VACLs can provide a high level of security.

Router ACLs are easier to manage for filtering traffic between VLANs (Host A on VLAN 10 to Host B on VLAN 20). Router ACLs can be applied in inbound and outbound directions and are very similar to ACLs applied to interfaces on any Cisco router. In a VLAN environment, you apply the ACL to switch virtual interfaces (SVIs) or routed interfaces (no switchport).


Here's an example:

Switch(config)# access-list 110 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
Switch(config)# access-list 110 permit tcp any host 128.88.1.2 eq 25
Switch(config)# access-list 110 permit icmp any any

Switch(config)# interface VLAN 10
Switch(config-if)# ip access-group 110 in

3750 switches handle most ACL filtering in hardware, so these switches can handle a fairly large number of access-list statements with little impact on performance.
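An added configuration example, not from any post in this thread, that applies the router-ACL approach above to drnteam's requirement (only limited access from one subnet to the management VLAN, everything else to it dropped) and adds the vty access-class from mahmoodmkl's reply. The VLAN numbers, subnets and ACL names are constructed assumptions:

```cisco
! Constructed assumptions: management VLAN 99 = 10.1.99.0/24,
! admin subnet on VLAN 10 = 10.1.10.0/24, user VLAN 20 = 10.1.20.0/24.
!
! Named extended ACL: only the admin subnet may reach the management
! VLAN, and only on SSH; anything else bound for it is dropped and
! logged; traffic between the other VLANs is left alone.
ip access-list extended PROTECT-MGMT
 remark -- limited access from the admin subnet (SSH only)
 permit tcp 10.1.10.0 0.0.0.255 10.1.99.0 0.0.0.255 eq 22
 remark -- block everything else destined to the management VLAN
 deny   ip  any 10.1.99.0 0.0.0.255 log
 remark -- inter-VLAN traffic not involving the management VLAN
 permit ip  any any
!
! Apply inbound on the SVI of every non-management VLAN, so the filter
! acts where the traffic enters the router, as in the example above.
interface Vlan10
 ip access-group PROTECT-MGMT in
interface Vlan20
 ip access-group PROTECT-MGMT in
!
! Second layer on the vty lines themselves: a standard ACL limits who
! may open a management session to the switch at all.
ip access-list standard VTY-ADMIN
 permit 10.1.10.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class VTY-ADMIN in
 transport input ssh
!
! Verification: per-entry hit counters show which lines are matching,
! and the log keyword records the denied flows.
! show ip access-lists PROTECT-MGMT
! show logging | include PROTECT-MGMT
```

Packets that match an entry carrying the `log` keyword are punted to the CPU rather than filtered purely in hardware, so keep `log` on the deny entries only and consider removing it once the policy has been verified.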
