01-26-2009 09:00 AM - edited 02-20-2020 09:41 PM
Can you advise how to set up the below ACL on a layer 3 switch.
Requirement:
1. Block all telnet and ssh traffic in/out of VLAN 100
2. permit all other traffic
interface vlan 100
ip address 10.201.144.2 255.255.255.0
01-26-2009 09:08 AM
Colm
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 22
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 23
access-list 101 permit ip any 10.201.144.0 0.0.0.255
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 22
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 23
access-list 102 permit ip 10.201.144.0 0.0.0.255 any
interface vlan 100
ip access-group 101 out
ip access-group 102 in
The direction they are applied may look a bit counterintuitive but remember
1) inbound on an SVI is traffic coming from that subnet
2) outbound on SVI is traffic going to that subnet
Jon
02-08-2009 07:15 AM
Is it necessary to define & apply outbound acl if an inbound acl is already applied to the SVI.
02-09-2009 09:40 AM
Depends what you are trying to do.
vlan 10 = 192.168.5.0/24
access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
int vlan 10
ip address 192.168.5.1 255.255.255.0
ip access-group 101 in
So the above config does 2 things
1) It stops any machine on vlan 10 initiating a telnet connection to any other machine on another subnet
2) It then allows all traffic from any machine on vlan 10 to any other machine. All traffic is any IP traffic other than telnet.
What this access-list does not do is stop any machine on any subnet (other than vlan 10) initiating a telnet connection to machines in vlan 10. If you wanted to do that -
access-list 102 deny tcp any 192.168.5.0 0.0.0.255 eq 23
access-list 102 permit ip any 192.168.5.0 0.0.0.255
int vlan 10
ip access-group 102 out
So it entirely depends on what traffic you are trying to restrict and in which direction.
Jon
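To see what each binding actually covers before pushing it to a switch, here is an added Python model (not from the thread and not Cisco code) that parses the numbered ACLs from the accepted answer, applies first-match and implicit-deny semantics, and follows the SVI direction rule Jon describes; the hosts 10.201.144.50 and 10.0.0.9 are constructed sample endpoints.

```python
import ipaddress

# ACLs copied from the accepted answer above; the evaluator is an added model, not Cisco code.
THREAD_CONFIG = """
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 22
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 23
access-list 101 permit ip any 10.201.144.0 0.0.0.255
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 22
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 23
access-list 102 permit ip 10.201.144.0 0.0.0.255 any
"""

def addr_matches(net, wildcard, addr):
    if net == "any":
        return True
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return int(ipaddress.IPv4Address(addr)) & mask == int(ipaddress.IPv4Address(net)) & mask

def parse_ace(line):
    """'access-list N action proto src [wc] dst [wc] [eq port]' -> (N, entry dict)."""
    t = line.split()
    i, ace = 4, {"action": t[2], "proto": t[3]}
    for side in ("src", "dst"):
        ace[side], i = (("any", None), i + 1) if t[i] == "any" else ((t[i], t[i + 1]), i + 2)
    ace["dport"] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return t[1], ace

def permits(aces, pkt):
    for a in aces:  # first match wins
        if (a["proto"] in ("ip", pkt["proto"]) and a["dport"] in (None, pkt["dport"])
                and all(addr_matches(*a[s], pkt[s]) for s in ("src", "dst"))):
            return a["action"] == "permit"
    return False  # implicit "deny ip any any" at the end of every Cisco ACL

def svi_allows(subnet, acls, groups, pkt):
    """'in' ACL sees packets sourced in the subnet, 'out' ACL those destined to it."""
    net = ipaddress.IPv4Network(subnet)
    checks = [(groups.get("in"), pkt["src"]), (groups.get("out"), pkt["dst"])]
    return all(permits(acls[acl], pkt) for acl, ip in checks
               if acl and ipaddress.IPv4Address(ip) in net)

def check(groups):
    acls = {}
    for acl_id, ace in map(parse_ace, THREAD_CONFIG.strip().splitlines()):
        acls.setdefault(acl_id, []).append(ace)
    flows = {"ssh_out": ("10.201.144.50", "10.0.0.9", 22),      # constructed sample flows
             "telnet_in": ("10.0.0.9", "10.201.144.50", 23),
             "https_in": ("10.0.0.9", "10.201.144.50", 443)}
    pkt = lambda s, d, p: {"proto": "tcp", "src": s, "dst": d, "dport": p}
    return {n: svi_allows("10.201.144.0/24", acls, groups, pkt(s, d, p)) for n, (s, d, p) in flows.items()}
```

Running check({"in": "102", "out": "101"}) blocks both directions, while check({"in": "102"}) alone still lets inbound telnet through, which is exactly the gap the follow-up question is about.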