ACL not blocking ping to vlan gateway

Unanswered Question
Feb 9th, 2010

Dear Cisco Users/experts,

I'm not sure if I posted in the right forum, but it's about ACLs and switching, so...

Currently I'm configuring our new network:

Core:

2x 3750G (WS-C3750G-24-TS) in a stack, so it's one switch logically.

Access:

2x 2960G (WS-C2960G-48-TC-L)

There are separate VLANs: servers, internet, management, per-department VLANs. I'm using inter-VLAN routing.

Let's say that the management network is VLAN 4. Only the IT VLAN may access the management VLAN. Therefore I've created an ACL:

access-list 3 permit 192.168.21.0 0.0.0.255

interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip access-group 3 out

The ACL works, clients can't ping 192.168.4.2 (access switch 1), .3, .4, etc., but they can ping 192.168.4.1, and therefore gain access to the stack.

So the ACL works, but it's still possible to ping the VLAN IP address.

How can I secure my management network?

The config is attached.

Thanks in advance

dominic.caron Tue, 02/09/2010 - 05:33

I'm sorry, but I fail to see the gain in security. You can manage the 3750 on any SVI interface, including the one clients are connected on. You could put an ACL on every SVI interface and deny traffic related to management (SSH, Telnet, SNMP and so on).

RoelBeelen Tue, 02/09/2010 - 06:01

So if I'm right, I have to put an ACL on EVERY VLAN to specify the deny to the management network. Imagine I have 200 VLANs, for example.

From an administrative viewpoint, I thought it would be better to set an ACL on the management VLAN, specifying the permitted networks, and end with an implicit deny.

It works that way, except the ping to the vlan IP...

dominic.caron Tue, 02/09/2010 - 06:05

You don't need to secure the router on its SVI interface. Simply configure an ACL on the VTY line.

Jon Marshall Tue, 02/09/2010 - 06:13

RoelBeelen wrote:

So if I'm right, I have to put an ACL on EVERY VLAN to specify the deny to the management network. Imagine I have 200 VLANs, for example.

From an administrative viewpoint, I thought it would be better to set an ACL on the management VLAN, specifying the permitted networks, and end with an implicit deny.

It works that way, except the ping to the vlan IP...

If you want to limit access to the switch itself do as Dominic says and configure an acl on the vty lines.

If you want to stop non-IT staff being able to ping the SVI IP then you would indeed need to add an ACL to each VLAN interface. Have a read of this recent thread to understand why an ACL on the VLAN interface will not stop remote subnets pinging that VLAN interface IP, whether the ACL is applied inbound or outbound -

https://supportforums.cisco.com/thread/2003843?tstart=0

Jon
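Putting the two replies together, as an added configuration example that is not from the original poster's attached config or from the thread: the management plane (SSH/Telnet sessions, SNMP) is protected with `access-class` on the VTY lines, which is checked for traffic terminating on the stack itself and so covers every SVI address including 192.168.4.1; the data plane (pinging anything in 192.168.4.0/24 from a user VLAN) is blocked with an inbound ACL on each non-IT SVI. The IT subnet 192.168.21.0/24 and ACL 3 are taken from the question; `Vlan10` as a user VLAN, the ACL name `BLOCK-MGMT` and the SNMP community string are assumptions, with the community string left as a placeholder.

```ios
! Added example, not the poster's config. Reuses standard ACL 3 from the
! question and adds an explicit logged deny so refused attempts show in syslog.
access-list 3 permit 192.168.21.0 0.0.0.255
access-list 3 deny   any log
!
! Management plane: only the IT subnet may open sessions to the stack,
! regardless of which SVI address they target. SSH only, no Telnet.
line vty 0 15
 access-class 3 in
 transport input ssh
!
! SNMP, if used: same source restriction via the same ACL.
! <RO-COMMUNITY> is a placeholder, not a real value.
snmp-server community <RO-COMMUNITY> RO 3
!
! Data plane: drop traffic from user VLANs to the management subnet,
! including the Vlan4 SVI address, before it is routed. Applied inbound on
! every non-IT user SVI (Vlan10 is an assumed example); the IT SVI gets none.
ip access-list extended BLOCK-MGMT
 deny   ip any 192.168.4.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip access-group BLOCK-MGMT in
```

The existing `ip access-group 3 out` on `Vlan4` can stay, since it still protects 192.168.4.2 and the other access switches, but it never sees packets addressed to the stack's own SVI, which is exactly why the VTY `access-class` is the control that matters for the stack itself.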
