Wired Intelligent Edge


ACL to protect switch from users

  • 1.  ACL to protect switch from users

    Posted Dec 01, 2023 07:55 AM

    Is there a smart way to protect SVIs from users? I mean block access to services bound to switch VLAN interfaces. I have ACLs protecting the management interface/VRF, but what about the production VRF? There are several VLANs in it and an active-gateway. It is a lot of addresses.

    For now the port scan shows way too much:


    Nmap scan report for _gateway (10.80.5.1)
    Host is up (0.0033s latency).
    Not shown: 997 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    179/tcp  open     bgp
    3784/tcp filtered bfd-control

    My version for now would be:


    access-list ip PROTECT_SWITCH
        10 deny tcp any <active_gateway IPs> eq ssh
        20 deny tcp any <active_gateway IPs> eq bgp
        <as above for each switch real IP>

    But is there a smarter way, like destination=<all switch IPs in VRF>?

    BTW: I need to leave ssh accessible in the production vrf from some networks.



    ------------------------------
    -- tommyd
    ------------------------------
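One way to avoid hand-typing an entry per SVI address is to keep the list of switch addresses in one place, generate the ACL from it, and check the first-match ordering offline before pasting it into the switch. The script below is an added example, not code from the post or from the switch vendor. It emits entries in the `access-list ip` / `NN deny tcp any <dst> eq <port>` shape shown in the thread; the `/32` destination notation, the trailing `permit any any any` and the implicit deny at the end of the list are assumptions to confirm against the switch CLI. All addresses and allowed networks are constructed samples, and the protected ports are the three the scan in the post reported.

```python
"""Generate and sanity-check an SVI-protection ACL (added example).

The CLI shape follows the snippet in the thread; exact keyword syntax,
the /32 destination notation and the implicit deny are assumptions.
All addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: the switch's own addresses in the production VRF
# (SVI primary IPs plus active-gateway VIPs) and the networks that keep SSH.
SWITCH_IPS = ["10.80.5.1", "10.80.5.2", "10.80.5.3", "10.80.6.1", "10.80.6.2"]
SSH_ALLOWED_FROM = ["10.99.0.0/24", "192.168.100.0/24"]
# Services the port scan in the thread showed on the SVI.
PROTECTED_PORTS = {"ssh": 22, "bgp": 179, "bfd-control": 3784}
PORT_NAMES = {v: k for k, v in PROTECTED_PORTS.items()}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # None means any protocol/port


def build_rules(switch_ips, ssh_allowed_from, ports, step=10):
    """Expand the address list into an ordered, first-match rule list."""
    hosts = [ipaddress.ip_network(f"{ip}/32") for ip in switch_ips]
    rules, seq = [], step
    # 1. Permits first: allowed networks keep SSH to every switch address.
    for net in ssh_allowed_from:
        for host in hosts:
            rules.append(Rule(seq, "permit", ipaddress.ip_network(net), host, 22))
            seq += step
    # 2. Then deny the exposed services on every switch address from anyone else.
    for host in hosts:
        for port in ports.values():
            rules.append(Rule(seq, "deny", ANY, host, port))
            seq += step
    # 3. Ordinary transit traffic through the VLAN must still pass; without this
    #    line the (assumed) implicit deny would drop it.
    rules.append(Rule(seq, "permit", ANY, ANY, None))
    return rules


def render(rules, name="PROTECT_SWITCH"):
    """Turn the rule list into CLI lines in the shape used in the thread."""
    def net(n):
        return "any" if n == ANY else str(n)

    lines = [f"access-list ip {name}"]
    for r in rules:
        proto = "tcp" if r.port is not None else "any"
        line = f"    {r.seq} {r.action} {proto} {net(r.src)} {net(r.dst)}"
        if r.port is not None:
            line += f" eq {PORT_NAMES.get(r.port, r.port)}"
        lines.append(line)
    return lines


def lookup(rules, src_ip, dst_ip, port):
    """First-match evaluation of one TCP flow; falls through to implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


if __name__ == "__main__":
    rules = build_rules(SWITCH_IPS, SSH_ALLOWED_FROM, PROTECTED_PORTS)
    print("\n".join(render(rules)))
    for case in [("10.99.0.5", "10.80.5.1", 22),     # allowed mgmt net -> SSH
                 ("10.80.5.50", "10.80.5.1", 22),    # user -> SSH on SVI
                 ("10.80.5.50", "10.80.5.1", 179),   # user -> BGP on SVI
                 ("10.80.5.50", "10.80.7.9", 22)]:   # user -> another host
        print(case, "->", lookup(rules, *case))
```

The `lookup` checks are the part worth keeping: a flow from a user VLAN to the SVI on port 443 still returns `permit`, which makes the point that this style of list only closes the services you enumerate, so the list needs updating whenever a new service is bound to the SVIs.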