ACL not blocking ping to vlan gateway

RoelBeelen
Level 1

Dear Cisco Users/experts,

I'm not sure if I posted in the right forum, but it's about ACLs and switching, so...

Currently I'm configuring our new network:

Core:

2x 3750G (WS-C3750G-24-TS) in a stack, so it's one switch logically.

Access:

2x 2960G (WS-C2960G-48-TC-L)

There are separated VLANs: servers, internet, management, per-department VLANs. I'm using inter-VLAN routing.

Let's say that the management network is VLAN 4. Only the IT VLAN may access the management VLAN. Therefore I've created an ACL:

access-list 3 permit 192.168.21.0 0.0.0.255

interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 3 out

The ACL works: clients can't ping 192.168.4.2 (access switch 1), .3, .4, etc., but they can ping 192.168.4.1, and therefore gain access to the stack.

So the ACL works, but it's still possible to ping the VLAN IP address.

How can I secure my management network?

The config is attached.

Thanks in advance

4 Replies

dominic.caron
Level 5

I'm sorry, but I fail to see the gain in security. You can manage the 3750 on any SVI interface, including the one clients are connected on. You could put an ACL on every SVI interface and deny traffic related to management (SSH, telnet, SNMP and so on).

So if I'm right, I have to put an ACL on EVERY VLAN to specify the deny to the management network. Imagine I have 200 VLANs, for example.

From an administrative viewpoint, I thought it would be better to set an ACL on the management VLAN, specifying the permitted networks, and end with an implicit deny.

It works that way, except for the ping to the VLAN IP...

You don't need to secure the router on its SVI interface. Simply configure an ACL on the VTY line.

RoelBeelen wrote:

So if I'm right, I have to put an ACL on EVERY VLAN to specify the deny to the management network. Imagine I have 200 VLANs, for example.

From an administrative viewpoint, I thought it would be better to set an ACL on the management VLAN, specifying the permitted networks, and end with an implicit deny.

It works that way, except for the ping to the VLAN IP...

If you want to limit access to the switch itself, do as Dominic says and configure an ACL on the VTY lines.

If you want to stop non-IT staff being able to ping the SVI IP, then you would indeed need to add an ACL to each VLAN interface. Have a read of this recent thread to understand why an ACL on the VLAN interface will not stop remote subnets pinging that VLAN interface IP, whether the ACL is applied inbound or outbound -

https://supportforums.cisco.com/thread/2003843?tstart=0

Jon
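The following Python model is an added illustration of the two points made in this thread (Dominic's vty access-class and Jon's explanation of why an SVI ACL does not stop pings to the SVI's own address); it is not code from the thread or from Cisco. It assumes the IOS behaviour described here in simplified form: an interface ACL applied "out" is only evaluated for packets forwarded out that interface, a packet addressed to one of the switch's own SVI addresses is terminated by the switch and never leaves through an SVI, and "access-class ... in" on the vty lines gates incoming management sessions regardless of which SVI address they target. VLAN 10 and the host addresses 192.168.10.5 and 192.168.21.5 are constructed for the example; ACL 3 and the VLAN 4 addressing come from the original post.

```python
"""Simplified model of IOS ACL evaluation on an L3 switch (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP = ipaddress.ip_address
NET = ipaddress.ip_network


@dataclass
class Ace:
    action: str                                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None    # None = "any" (standard ACL)


@dataclass
class Acl:
    entries: list

    def permits(self, src, dst):
        for ace in self.entries:
            if src in ace.src and (ace.dst is None or dst in ace.dst):
                return ace.action == "permit"
        return False                               # implicit deny at the end of every IOS ACL


@dataclass
class Svi:
    name: str
    address: ipaddress.IPv4Interface
    acl_in: Optional[Acl] = None
    acl_out: Optional[Acl] = None


@dataclass
class L3Switch:
    svis: list
    vty_access_class: Optional[Acl] = None         # "line vty 0 15 / access-class N in"

    def _svi_for(self, ip):
        return next((s for s in self.svis if ip in s.address.network), None)

    def forward(self, src, dst):
        """One packet through the (simplified) forwarding path; returns (verdict, reason)."""
        src, dst = IP(src), IP(dst)
        ingress = self._svi_for(src)
        if ingress is None:
            return ("denied", "source not on any connected subnet")
        if ingress.acl_in and not ingress.acl_in.permits(src, dst):
            return ("denied", f"{ingress.name} inbound ACL")
        # A packet addressed to one of the switch's own SVI addresses is handed to the
        # switch itself; it never goes *out* an interface, so no outbound ACL is consulted.
        if any(dst == s.address.ip for s in self.svis):
            return ("delivered-to-switch", "local address, no outbound ACL evaluated")
        egress = self._svi_for(dst)
        if egress is None:
            return ("denied", "no route")
        if egress.acl_out and not egress.acl_out.permits(src, dst):
            return ("denied", f"{egress.name} outbound ACL")
        return ("forwarded", f"out {egress.name}")

    def vty_login(self, src, dst):
        """A telnet/SSH session must first reach the switch, then pass the vty access-class."""
        verdict, reason = self.forward(src, dst)
        if verdict != "delivered-to-switch":
            return ("denied", reason)
        if self.vty_access_class and not self.vty_access_class.permits(IP(src), IP(dst)):
            return ("denied", "vty access-class")
        return ("permitted", "vty session")


IT_NET = NET("192.168.21.0/24")                    # IT VLAN from the thread
MGMT_NET = NET("192.168.4.0/24")                   # management VLAN 4 from the thread
ACL3 = Acl([Ace("permit", IT_NET)])                # "access-list 3 permit 192.168.21.0 0.0.0.255"


def build(vty_acl=False, per_vlan_in_acl=False):
    """Original config, optionally with Dominic's vty fix and/or Jon's per-VLAN inbound ACL."""
    vlan10_in = None
    if per_vlan_in_acl:
        # Extended ACL on the user VLAN (constructed): deny anything to the management subnet.
        vlan10_in = Acl([Ace("deny", NET("0.0.0.0/0"), MGMT_NET), Ace("permit", NET("0.0.0.0/0"))])
    sw = L3Switch(svis=[
        Svi("Vlan4", ipaddress.ip_interface("192.168.4.1/24"), acl_out=ACL3),   # "ip access-group 3 out"
        Svi("Vlan10", ipaddress.ip_interface("192.168.10.1/24"), acl_in=vlan10_in),  # constructed department VLAN
        Svi("Vlan21", ipaddress.ip_interface("192.168.21.1/24")),
    ])
    if vty_acl:
        sw.vty_access_class = ACL3
    return sw


def scenarios():
    user, it = "192.168.10.5", "192.168.21.5"      # constructed host addresses
    orig, fix_vty, fix_in = build(), build(vty_acl=True), build(per_vlan_in_acl=True)
    return {
        "orig: user ping 192.168.4.2": orig.forward(user, "192.168.4.2")[0],       # blocked by ACL 3 out
        "orig: user ping 192.168.4.1": orig.forward(user, "192.168.4.1")[0],       # SVI address: not blocked
        "orig: user ssh 192.168.4.1": orig.vty_login(user, "192.168.4.1")[0],
        "vty: user ssh 192.168.4.1": fix_vty.vty_login(user, "192.168.4.1")[0],
        "vty: user ssh 192.168.10.1": fix_vty.vty_login(user, "192.168.10.1")[0],  # any SVI address is gated
        "vty: IT ssh 192.168.4.1": fix_vty.vty_login(it, "192.168.4.1")[0],
        "vty: user ping 192.168.4.1": fix_vty.forward(user, "192.168.4.1")[0],     # ping still reaches the SVI
        "in: user ping 192.168.4.1": fix_in.forward(user, "192.168.4.1")[0],       # only an inbound ACL stops it
        "in: user ssh 192.168.10.1": fix_in.vty_login(user, "192.168.10.1")[0],    # but its own SVI stays open
        "in: IT ping 192.168.4.1": fix_in.forward(it, "192.168.4.1")[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32} {verdict}")
```

Running it reproduces the thread: the outbound ACL on Vlan4 blocks pings to 192.168.4.2 but not to 192.168.4.1, the vty access-class closes management sessions on every SVI address while leaving the SVI pingable, and an inbound ACL on the user VLAN is what stops the ping, which is exactly why it would be needed on each VLAN interface.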
