ACL on vlan (cat4506 with sup IV)

Hi there.

I am trying to configure an ACL to deny all ip traffic except for ssh. I want to bind that acl on a SVI interface so that all traffic for that vlan will be dropped except ssh connections.

When trying various configuration options always ALL traffic is blocked?!

Can anyone point me to the right direction, please?

Thanks for any hint, Christian

P.S. Version 12.2(46)SG, RELEASE SOFTWARE (fc1)

Reply to
Christian Lox

Here is a minimalist and abstract configuration that matches the minimalist and abstract requirements stated.

I am assuming that you have the ssh server on the SVI with Vlan number x.

ip access-list extended ACL-allow-ssh-out
 permit tcp any any eq 22
!
interface Vlan x
 ip access-group ACL-allow-ssh-out out

Reply to
bod43

Hi bod43,

thanks for your reply! What is confusing me, is that the direction in your example is "out". Can you point me to some documents describing this? Google was not very helpful with these keywords.....

When applying this acl to a specific VLAN I can log in to the ssh server, but ALL traffic from the ssh server (say: ping to formatting link) is denied. Why?

I want to set up some rules on that vlan interface, just like I would on a "normal" ethernet port. Thanks, Christian

Reply to
Christian Lox

Oh well that's easy. SVI's are just like normal physical ports.

If you can do the job on Physical Routed ports you can do SVIs too.

The way to think about it is that the 4500, when configured with SVIs and doing routing, behaves like a router and a switch - they could be separate but happen to be in one tin enclosure. I think about it like this.

------------ 4500 -----------------------
|                                       |
|   ------Router bit------------------  |
|   |                                |  |
|   |                                |  |
|   ------Router bit------------------  |
|   |SVI    |SVI    |Routed          |  |
|   |Vl 1   |Vl 2   |Eth             |  |
|   |       |       |Port            |  |
|   |       |       |                |  |
|  --Vlan1-- --Vlan2--  ....         |  |
|  |       | |       |  more         |  |
|  |       | |       |  Vlans        |  |
|  |       | |       |               |  |
|  |       | |       |               |  |
-----------------------------------------
   | | | |   | | | |     | | |   Physical ports

(You need to view with a fixed pitch font. Copy it to Notepad if necessary.)

Inside the 4500 you have a separately functioning router and a number of separate switches - or one switch with Vlans.

When I am drawing networks I often depict combined L3/L2 boxes just as illustrated. Otherwise it is easy to get confused.

In and out are in the same direction on the diagram for SVIs and for Routed Ethernet ports.

Reply to
bod43
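As an added example (not from the thread), here is a pair of ACLs that implement the original requirement, deny everything except SSH to one server, using the in/out directions bod43 describes. The VLAN number, SVI address and server address are constructed placeholders.

```cisco
! Added example, not from the thread. Constructed values:
! VLAN 10, SVI 10.0.10.1/24, SSH server 10.0.10.20 inside VLAN 10.
! Direction is seen from the router side of the SVI (bod43's diagram):
!   out = router -> VLAN 10 (packets being delivered to hosts in the VLAN)
!   in  = VLAN 10 -> router (packets the hosts send toward other networks)
!
! Toward the VLAN: only new SSH sessions to the server may be delivered.
ip access-list extended ACL-SSH-TO-VLAN10
 permit tcp any host 10.0.10.20 eq 22
 deny   ip any any
!
! From the VLAN: only the server's SSH replies (source port 22) may leave.
! Anything else the server originates (its own ping, for example) stops here.
! Note that an out ACL alone also cuts the server off: its ping leaves
! unfiltered, but the ICMP echo reply is not TCP/22 and is dropped on the
! way back out, so the server appears unable to reach anything.
ip access-list extended ACL-SSH-FROM-VLAN10
 permit tcp host 10.0.10.20 eq 22 any
 deny   ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group ACL-SSH-TO-VLAN10 out
 ip access-group ACL-SSH-FROM-VLAN10 in
!
! Confirm both bindings took effect:
! show running-config interface Vlan10
```

Both lists use only plain address/port matches, the kind of simple filtering the later replies say the supervisor handles in hardware; logging and reflexive entries are deliberately avoided.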

ACLs are used for lots of different things in IOS, so there is a more general syntax.

On a software router you can also apply such an ACL for inbound traffic.

however, switches normally push the ACL into hardware designed to do the filtering at high speed, and the hardware may not be able to support some types of filtering.

in the case of a 4500 it may depend on which supervisor you have.

So - time to dig out the manuals.

here is a good place to start

formatting link

Reply to
Stephen

In 4500 SE IV, I think that -

There is hardware support for all simple filtering.

I seem to recall that hardware support for ACLs with logging and reflexive ACLs is not present.

formatting link
Looks decent. Think it was in another thread.

By the way, searching directly on cisco seems better than googling. All the manuals, and much else besides, are public.

At one time I believe that Cisco did use the google search engine (internally) but I have no idea if they still do. I get the idea, from the poor results of such searches, that perhaps cisco go out of their way to reduce the effectiveness of searching CCO via google.

Reply to
bod43

the internal cisco search seems reasonable and they have "scope" stuff that can help narrow the search

I get the idea, from the poor results of such

it might be due to the continual reorganisation of the cisco site......

Reply to
Stephen

Sorry if you thought that I indicated otherwise, I think that the internal Cisco search engine works very well.

When I first started seriously with Cisco kit (maybe 1998?) the search was dreadful. You could have (and I frequently did) a document fragment in front of you and be completely unable to locate it on CCO. After a bit, I am pretty sure that it was announced that they were adopting a google search engine on the site. It has been very good ever since.

In those dark days, the most frustrating of all was "for further information see "Some Exact Document Title"". Searches inevitably failed to discover the document referred to by the exact title. Anyway, that's long gone. Happy searching.

Reply to
bod43
