ACL (SVI)

colmgrier
Level 1

Can you advise how to set up the ACL below on a layer 3 switch?

Requirement:

1. Block all telnet and ssh traffic in/out of VLAN 100

2. permit all other traffic

interface vlan 100
 ip address 10.201.144.2 255.255.255.0

Accepted Solution

Jon Marshall
Hall of Fame

Colm

access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 22
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 23
access-list 101 permit ip any 10.201.144.0 0.0.0.255

access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 22
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 23
access-list 102 permit ip 10.201.144.0 0.0.0.255 any

interface vlan 100
 ip access-group 101 out
 ip access-group 102 in

The direction they are applied in may look a bit counterintuitive, but remember:

1) inbound on an SVI is traffic coming from that subnet

2) outbound on SVI is traffic going to that subnet

Jon


3 Replies


Is it necessary to define and apply an outbound ACL if an inbound ACL is already applied to the SVI?

It depends on what you are trying to do.

vlan 10 = 192.168.5.0/24

access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23
access-list 101 permit ip 192.168.5.0 0.0.0.255 any

int vlan 10
 ip address 192.168.5.1 255.255.255.0
 ip access-group 101 in

So the above config does 2 things:

1) It stops any machine on vlan 10 initiating a telnet connection to any machine on another subnet.

2) It then allows all traffic from any machine on vlan 10 to any other machine. "All traffic" here means any IP traffic other than telnet.

What this access-list does not do is stop any machine on any subnet (other than vlan 10) initiating a telnet connection to machines in vlan 10. If you wanted to do that:

access-list 102 deny tcp any 192.168.5.0 0.0.0.255 eq 23
access-list 102 permit ip any 192.168.5.0 0.0.0.255

int vlan 10
 ip access-group 102 out

So it entirely depends on what traffic you are trying to restrict and in which direction.

Jon
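The following is an added example, not code from the thread: it parses the two ACLs from the accepted answer and evaluates sample packets under the direction rule Jon gives in both replies (on an SVI, "in" is traffic sourced from the VLAN subnet, "out" is traffic destined to it). It implements Cisco's first-match and implicit-deny semantics and wildcard-mask matching; the sample addresses 192.0.2.10 and 203.0.113.5 are constructed test values.

```python
import ipaddress
# The two ACLs from the accepted answer, one entry per line: 101 is applied
# "out" and 102 "in" on interface vlan 100 (subnet 10.201.144.0/24).
ACL_CONFIG = """
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 22
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 23
access-list 101 permit ip any 10.201.144.0 0.0.0.255
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 22
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 23
access-list 102 permit ip 10.201.144.0 0.0.0.255 any
"""
VLAN100 = ipaddress.ip_network("10.201.144.0/24")

def _addr_spec(tokens):
    """Consume 'any' or 'ADDR WILDCARD'; return ((base, wildcard), rest) as ints."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base, wild = (int(ipaddress.ip_address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def _addr_matches(spec, ip):
    # Cisco wildcard mask: a 1 bit is "don't care", a 0 bit must match exactly.
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.ip_address(ip)) & care == base & care

def parse_acls(config):
    """Return {acl_number: [(action, proto, src_spec, dst_spec, dst_port), ...]}."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()  # access-list N action proto SRC DST [eq PORT]
        src, rest = _addr_spec(t[4:])
        dst, rest = _addr_spec(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
    return acls

def evaluate(acl, src_ip, dst_ip, proto, dst_port):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, p, src, dst, port in acl:
        if (p in ("ip", proto) and _addr_matches(src, src_ip)
                and _addr_matches(dst, dst_ip) and port in (None, dst_port)):
            return action
    return "deny"

def svi_verdict(acls, src_ip, dst_ip, proto, dst_port):
    """SVI direction: traffic from the VLAN subnet is 'in' (ACL 102), traffic to it is 'out' (ACL 101)."""
    acl = acls["102"] if ipaddress.ip_address(src_ip) in VLAN100 else acls["101"]
    return evaluate(acl, src_ip, dst_ip, proto, dst_port)
```

Note that the deny entries only cover TCP, so a UDP datagram to port 22 is permitted by the final `permit ip` entry; that is what the ACL as written actually does.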
