ACL query

darren-carr
Level 2

Hi All,

Usually I would take the time to set this up in my test lab, but sadly I don't have switches (L3) in my lab.

Let me give a bit of background. I use 2 x Cisco 3560 switches that I use for my inter-vlan routing. I have also enabled HSRP on my switches for route redundancy.

I have a VLAN (vlan 70) that I use for management of the switches (SSH, monitoring, etc). The VLAN is also included in the HSRP configuration. Please see below for the configuration of the VLAN on each of the switches.

SWITCH 1

interface Vlan70
ip address 192.168.70.2 255.255.255.0
ip helper-address 192.168.2.1
ip helper-address 192.168.2.2
standby 1 ip 192.168.70.1
standby 1 preempt
end

SWITCH 2

interface Vlan70
ip address 192.168.70.3 255.255.255.0
standby 1 ip 192.168.70.1
standby 1 priority 105
standby 1 preempt delay minimum 60
end

Query

I have introduced a standard ACL on each of the other switches in my environment to restrict access to specific hosts. I am however concerned about introducing an ACL on the management interface of my L3 switches (above) for fear of what it may do to the HSRP configuration.

My plan was to have a go at it out of hours (planned maintenance window). Just wondering if anyone has done anything similar?

Cheers

Darren

2 Replies

Ganesh Hariharan
VIP Alumni

Hi Darren,

If you want only to block specific hosts from accessing the switch via telnet or SSH, then you can apply an access-class on the vty lines for management purposes, which won't give any problem to the HSRP configuration. Check out the below link for configuration and management of switches.

http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Not sure if I am understanding the issue correctly or not, but if the fear of enabling the ACL is that you will disrupt your HSRP from operating, you could use the following configuration in your ACL to ensure HSRP will be permitted.

permit udp any any eq 1985

HTH

-Todd
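To make the HSRP interaction concrete, here is an added Python model (not from this thread or from Cisco) of IOS first-match ACL evaluation with the implicit deny, run against a constructed HSRP hello from Switch 2 and two SSH attempts arriving inbound on Switch 1's Vlan70 SVI. It assumes HSRPv1, whose hellos go to 224.0.0.2 on UDP 1985 (HSRPv2 uses 224.0.0.102), and a hypothetical admin host 192.168.2.10.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HSRP_PORT = 1985            # UDP port HSRP hellos use (as in Todd's reply)
HSRP_V1_GROUP = "224.0.0.2" # HSRPv1 hello destination; v2 uses 224.0.0.102


@dataclass(frozen=True)
class Packet:
    proto: str              # "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry; src/dst are CIDR prefixes, 0.0.0.0/0 means 'any'."""
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: str
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        src_ok = ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
        proto_ok = self.proto == "ip" or self.proto == p.proto
        port_ok = self.dport is None or self.dport == p.dport
        return src_ok and dst_ok and proto_ok and port_ok


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Constructed sample traffic seen inbound on Switch 1's Vlan70 interface.
HSRP_HELLO = Packet("udp", "192.168.70.3", HSRP_V1_GROUP, HSRP_PORT)  # from Switch 2
SSH_FROM_ADMIN = Packet("tcp", "192.168.2.10", "192.168.70.2", 22)   # hypothetical admin host
SSH_FROM_OTHER = Packet("tcp", "192.168.70.50", "192.168.70.2", 22)

# Management-only ACL: restricts SSH as intended but also drops the peer's HSRP hellos.
MGMT_ONLY = [Ace("permit", "ip", "192.168.2.10/32")]

# Same intent with HSRP permitted ahead of the management restriction.
MGMT_WITH_HSRP = [Ace("permit", "udp", "0.0.0.0/0", "224.0.0.2/32", HSRP_PORT),
                  Ace("permit", "ip", "192.168.2.10/32")]
```

Applying MGMT_ONLY with `ip access-group ... in` on the SVI would make Switch 1 stop hearing Switch 2's hellos; restricting the vty lines with `access-class`, as Ganesh suggests, avoids the issue because it never touches transit or control-plane traffic on the interface.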
