02-09-2010 04:32 AM - edited 03-06-2019 09:38 AM
Dear Cisco Users/experts,
I'm not sure if I posted in the right forum, but it's about ACLs and switching, so...
Currently I'm configuring our new network:
Core:
2x 3750G (WS-C3750G-24-TS) in a stack, so it's one switch logically.
Access:
2x 2960G (WS-C2960G-48-TC-L)
There are separate vlans: servers, internet, management, per-department vlans. I'm using inter-vlan routing.
Let's say that the management network is vlan 4. Only the IT vlan may access the management vlan. Therefore I've created an ACL:
access-list 3 permit 192.168.21.0 0.0.0.255
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip access-group 3 out
The ACL works, clients can't ping 192.168.4.2 (access switch1), .3, .4, etc. but they can ping 192.168.4.1, and therefore gain access to the Stack.
So the ACL works, but it's still possible to ping the vlan IP address.
How can I secure my management network?
The config is attached.
Thanks in advance
02-09-2010 05:33 AM
I'm sorry but I fail to see the gain in security. You can manage the 3750 on any SVI interface, including the one clients are connected on. You could put an ACL on every SVI interface and deny traffic related to management (SSH, telnet, SNMP and so on).
02-09-2010 06:01 AM
So if I'm right, I have to put an ACL on EVERY vlan to specify the deny to the management network. Imagine I have 200 vlans for example.
From an administrative viewpoint, I thought it would be better to set an ACL on the management vlan, specifying the permitted networks, and end with an implicit deny.
It works that way, except the ping to the vlan IP...
02-09-2010 06:05 AM
You don't need to secure the router on its SVI interface. Simply configure an ACL on the VTY line.
02-09-2010 06:13 AM
RoelBeelen wrote:
So if I'm right, I have to put an ACL on EVERY vlan to specify the deny to the management network. Imagine I have 200 vlans for example.
From an administrative viewpoint, I thought it would be better to set an ACL on the management vlan, specifying the permitted networks, and end with an implicit deny.
It works that way, except the ping to the vlan IP...
If you want to limit access to the switch itself do as Dominic says and configure an acl on the vty lines.
If you want to stop non-IT staff being able to ping the SVI IP then you would indeed need to add an ACL to each vlan interface. Have a read of this recent thread to understand why an ACL on the vlan interface will not stop remote subnets pinging that vlan interface IP, whether the ACL is applied inbound or outbound -
https://supportforums.cisco.com/thread/2003843?tstart=0
Jon
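The two approaches Dominic and Jon describe, written out as an added IOS configuration example (not the poster's attached config). It assumes the IT vlan is 192.168.21.0/24 and the management vlan is 192.168.4.0/24 as in the thread; ACL numbers, the NO-MGMT name, the SNMP community placeholder and Vlan20 are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumes IT vlan = 192.168.21.0/24, management vlan = 192.168.4.0/24.

! 1. Protect the switch itself: an "out" ACL on Vlan4 never sees packets
!    addressed to 192.168.4.1, because they terminate on the stack instead of
!    being forwarded out of Vlan4. A VTY access-class is checked for every
!    management session regardless of which SVI the packet arrived on.
access-list 10 remark IT staff may open management sessions to the stack
access-list 10 permit 192.168.21.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 transport input ssh
!
! The same ACL also limits SNMP polling to the IT subnet (placeholder string).
snmp-server community <RO-COMMUNITY-PLACEHOLDER> RO 10

! 2. Optional, per Jon: keep other departments away from the whole
!    management subnet, SVI address included, by filtering on ingress of
!    each department SVI. Vlan20 is a placeholder number; repeat per vlan.
!    Note this does not stop a department from pinging its own SVI address.
ip access-list extended NO-MGMT
 deny   ip any 192.168.4.0 0.0.0.255 log
 permit ip any any
!
interface Vlan20
 description Department vlan (placeholder)
 ip access-group NO-MGMT in
```

The `log` keywords give a syslog record of blocked attempts so an unexpected source subnet shows up in monitoring rather than silently timing out.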