06-02-2010 08:38 PM - edited 03-06-2019 11:23 AM
Hi All,
Usually I would take the time to set this up in my test lab, but sadly I don't have switches (L3) in my lab.
Let me give a bit of background. I use 2 x Cisco 3560 switches that I use for my inter-vlan routing. I have also enabled HSRP on my switches for route redundancy.
I have a VLAN (vlan 70) that I use for management of the switches (SSH, monitoring, etc). The VLAN is also included in the HSRP configuration. Please see below for the configuration of the VLAN on each of the switches
SWITCH 1
interface Vlan70
ip address 192.168.70.2 255.255.255.0
ip helper-address 192.168.2.1
ip helper-address 192.168.2.2
standby 1 ip 192.168.70.1
standby 1 preempt
end
SWITCH 2
interface Vlan70
ip address 192.168.70.3 255.255.255.0
standby 1 ip 192.168.70.1
standby 1 priority 105
standby 1 preempt delay minimum 60
end
Query
I have introduced a standard ACL on each of the other switches in my environment to restrict access to specific hosts. I am however concerned about introducing an ACL on the management interface of my L3 switches (above) for fear of what it may do to the HSRP configuration.
My plan was to have a go at it out of hours (planned maintenance window). Just wondering if anyone has done anything similar?
Cheers
Darren
06-02-2010 09:50 PM
Hi Darren,
If you want only to block specific hosts from accessing the switch via telnet or SSH, then you can apply an access-class on the vty lines for management purposes, which won't cause any problem for the HSRP configuration. Check out the below link for configuration and management of switches.
http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
06-13-2010 02:48 PM
Not sure if I am understanding the issue correctly or not, but if the fear of enabling the ACL is that you will disrupt your HSRP from operating, you could use the following configuration in your ACL to ensure HSRP will be permitted.
permit udp any any eq 1985
HTH
-Todd
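Combining the two replies above as an added example (not from the thread or from Cisco documentation): option A restricts who can open a vty session without touching the SVI, while option B shows what an inbound ACL on Vlan70 would have to permit so that HSRP, the DHCP relay configured on the interface, and the management hosts keep working. Assumed placeholders: HSRP version 1 (the default for the posted configuration) and a management host at 192.168.70.50 inside VLAN 70.

```cisco
! Added example, not from the thread. Placeholders: management host
! 192.168.70.50, HSRP version 1 (224.0.0.2). Apply on both 3560s.
!
! Option A (Ganesh's suggestion): filter only vty logins. The SVI and
! its HSRP hellos are untouched, and hosts in any VLAN are covered.
access-list 10 remark management hosts allowed to SSH to the switch
access-list 10 permit host 192.168.70.50
access-list 10 deny   any log
line vty 0 15
 access-class 10 in
 transport input ssh
!
! Option B (Todd's suggestion): interface ACL on the management SVI.
! An inbound ACL on Vlan70 sees every packet arriving from VLAN 70
! hosts (transit traffic too), but not traffic that enters on other
! SVIs, so it only restricts access from inside VLAN 70. The HSRP and
! DHCP permits must sit above the final deny.
ip access-list extended VLAN70-IN
 remark HSRPv1 hellos: peer real IP -> 224.0.0.2, UDP 1985 both ports
 permit udp 192.168.70.0 0.0.0.255 eq 1985 host 224.0.0.2 eq 1985
 remark HSRPv2 (only if 'standby version 2' is set) uses 224.0.0.102
 permit udp 192.168.70.0 0.0.0.255 eq 1985 host 224.0.0.102 eq 1985
 remark DHCP clients in VLAN 70 must still reach the ip helper-address
 permit udp any eq bootpc any eq bootps
 remark management host to the real SVI addresses and the HSRP VIP
 permit tcp host 192.168.70.50 192.168.70.0 0.0.0.255 eq 22
 permit icmp host 192.168.70.50 192.168.70.0 0.0.0.255
 deny   ip any any log
interface Vlan70
 ip access-group VLAN70-IN in
```

After applying option B, 'show standby brief' on both switches should still show one Active and one Standby for group 1; if both show Active, the HSRP permit is being missed and the hellos are being dropped.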