Cisco Support Community

SG300-10 - Need assistance with ACL

We recently got an SG300-10 switch and are in need of some assistance with creating an access list for SSH access. The switch is running SW version 1.3.0.62. We would like to make it so SSH access is only allowed from the 192.168.1.0 network. We would also like to have every attempt to TCP port 22 for SSH logged. Right now, SSH is accessible from any IP, including external (Internet). Here is what we have at the moment. The switch has an IP of 192.168.1.7.

...

ip access-list extended SSH_access
permit ip 192.168.1.0 0.0.0.255 192.168.1.7 0.0.0.0
exit
line ssh
exec-timeout 0
exit

...

External users (Internet) are still able to try and SSH in. Please advise.

1 ACCEPTED SOLUTION

SG300-10 - Need assistance with ACL

You defined an ip access-list. Those are for filtering routed traffic, not for controlling access to the switch itself. What's more, it looks like you didn't activate it on any interface (via the access-class command), so it doesn't have any effect at all.

For controlling access to the switch itself, you need to define a management access-list and activate it with the management access-class command. Unfortunately the syntax of those differs quite a bit from the standard ACLs. For example:

management access-list SSH_access
permit ip-source 192.168.1.0 mask /24 service ssh
permit service https
deny
exit
management access-class SSH_access

would allow SSH from the 192.168.1.0 network and HTTPS from everywhere, but disallow everything else (i.e. Telnet or HTTP). Details can be found in ch. 11 "Management ACL Commands" of the 300 Series CLI Guide.

HTH

Tilman

5 REPLIES

SG300-10 - Need assistance with ACL

Off the top of my head (untested)

permit tcp 192.168.1.0 0.0.0.255 any 192.168.1.7 0.0.0.0 22
deny tcp any any 192.168.1.7 0.0.0.0 22
permit ip any any


SG300-10 - Need assistance with ACL

Thanks for the information. We will try this out tomorrow night and let you know. Thanks.


SG300-10 - Need assistance with ACL

Tilman,

That worked. Here are the statements needed. This allows for internal access to the SSH and HTTPS services.

management access-list MGMT_ACCESS
permit ip-source 192.168.1.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.1.0 mask 255.255.255.0 service https
deny ip
exit
management access-class MGMT_ACCESS

Thanks for the assistance.
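To make the difference between the two management access-lists in this thread concrete (Tilman's example, which permits HTTPS from anywhere, and the final MGMT_ACCESS list, which restricts both SSH and HTTPS to the LAN), here is an added Python model that is not part of the thread and not Cisco code. It parses the permit/deny lines exactly as they were posted, evaluates connection attempts first-match-wins, and reports what each list would do for a few constructed source addresses. Assumptions of the model: a list with no matching rule denies (both lists above end with an explicit deny, so this only matters for lists that omit one), the `deny ip` line is read as a bare deny for any source, and the probe addresses (192.168.1.50, 203.0.113.9, 192.168.2.5) are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the two management ACLs posted in the thread
# (Tilman's example and the OP's final working list).
TILMAN_ACL = """
management access-list SSH_access
permit ip-source 192.168.1.0 mask /24 service ssh
permit service https
deny
exit
"""

FINAL_ACL = """
management access-list MGMT_ACCESS
permit ip-source 192.168.1.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.1.0 mask 255.255.255.0 service https
deny ip
exit
"""


@dataclass
class Rule:
    action: str                            # "permit" or "deny"
    net: Optional[ipaddress.IPv4Network]   # None means any source address
    service: Optional[str]                 # None means any management service


def parse_management_acl(text: str) -> List[Rule]:
    """Parse the permit/deny lines of a management access-list body.

    Handles 'ip-source <addr> mask <dotted-mask | /prefix>' and 'service <name>'.
    A bare 'ip' token (as in the OP's 'deny ip') is treated as 'any source';
    that reading is an assumption of this model, not something the thread states.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("management", "exit"):
            continue
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected line: {raw!r}")
        net: Optional[ipaddress.IPv4Network] = None
        service: Optional[str] = None
        i = 1
        while i < len(tokens):
            if tokens[i] == "ip-source":
                addr, mask = tokens[i + 1], "32"
                i += 2
                if i < len(tokens) and tokens[i] == "mask":
                    mask = tokens[i + 1].lstrip("/")   # "/24" -> "24"
                    i += 2
                # ipaddress accepts both "addr/24" and "addr/255.255.255.0"
                net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            elif tokens[i] == "service":
                service = tokens[i + 1]
                i += 2
            elif tokens[i] == "ip":
                i += 1   # bare "ip": no address given, match any source (assumption)
            else:
                raise ValueError(f"unsupported token {tokens[i]!r} in {raw!r}")
        rules.append(Rule(action, net, service))
    return rules


def evaluate(rules: List[Rule], source: str, service: str) -> str:
    """Return 'permit' or 'deny' for a management connection; first match wins.

    Falling off the end returns 'deny' (assumption); both lists on the page end
    in an explicit deny anyway, so the default only matters for lists without one.
    """
    src = ipaddress.IPv4Address(source)
    for rule in rules:
        if rule.net is not None and src not in rule.net:
            continue
        if rule.service is not None and rule.service != service:
            continue
        return rule.action
    return "deny"


# Constructed probes: a host on the permitted LAN, an Internet host, and a
# host on a neighbouring internal subnet that is not 192.168.1.0/24.
PROBES = [
    ("192.168.1.50", "ssh"),
    ("192.168.1.50", "https"),
    ("192.168.1.50", "telnet"),
    ("203.0.113.9", "ssh"),
    ("203.0.113.9", "https"),
    ("192.168.2.5", "ssh"),
]


def compare(probes=PROBES):
    """Evaluate every probe against both lists: {(src, svc): (tilman, final)}."""
    tilman = parse_management_acl(TILMAN_ACL)
    final = parse_management_acl(FINAL_ACL)
    return {(s, v): (evaluate(tilman, s, v), evaluate(final, s, v)) for s, v in probes}


if __name__ == "__main__":
    print(f"{'source':<14}{'service':<9}{'Tilman':<9}{'final'}")
    for (s, v), (a, b) in compare().items():
        print(f"{s:<14}{v:<9}{a:<9}{b}")
```

The only row where the two lists disagree is HTTPS from the Internet host: Tilman's `permit service https` has no ip-source and so matches any address, while the final list carries the 192.168.1.0/24 restriction on the HTTPS rule too. Everything Telnet or HTTP falls through to the trailing deny in both lists, which is what the accepted answer describes.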


SG300-10 - Need assistance with ACL

Thanks for the feedback.

Glad I could help.
