Is there a smart way to protect SVIs from users? I mean, block access to services bound to a switch VLAN interface. I have ACLs protecting the management interface/VRF, but what about the production VRF? There are several VLANs in it and an active-gateway. It is a lot of addresses.
For now the port scan shows way too much:
Nmap scan report for _gateway (10.80.5.1)
Host is up (0.0033s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
179/tcp open bgp
3784/tcp filtered bfd-control
My version for now would be:
access-list ip PROTECT_SWITCH
10 deny tcp any <active_gateway IPs> eq ssh
20 deny tcp any <active_gateway IPs> eq bgp
<as above for each switch real IP>
But is there a smarter way, like destination=<all switch IPs in VRF>?
BTW: I need to leave ssh accessible in the production vrf from some networks.
------------------------------
-- tommyd
------------------------------