Configuring basic Access Control List (ACL) on Cisco switches

From Notes_Wiki


Limiting access to vty lines based on source IP with access list

To configure basic access control on switches (such as a Cisco 3750) we can create an access list of the IP addresses that are allowed to connect to the switch and then apply that access list to the vty lines. Sample configuration lines are:

config t
    access-list 1 permit host 10.3.3.51
    access-list 1 permit host 192.168.36.177
    line vty 0 15
        access-class 1 in
    end


When access needs to be restricted by network, that is, using a subnet mask, standard access lists are not enough and extended access lists have to be used instead. Below is a sample extended access-list configuration that allows only a few specific IPs and a few specific subnets to reach the switch.

config t
    access-list 100 permit ip host 10.1.67.15 any
    access-list 100 permit ip host 10.1.67.2 any
    access-list 100 permit ip host 10.3.3.51 any
    access-list 100 permit ip host 192.168.36.177 any
    access-list 100 permit ip 172.16.30.0 0.0.0.255 any
    access-list 100 permit ip 10.4.4.0 0.0.0.255 any
    line vty 0 15
        access-class 100 in
    end

Note that the masks used in switch access-list configuration are wildcard masks, the inverse of the normal netmasks configured on firewalls and interfaces: a 0 bit in the wildcard must match the network address, a 1 bit is ignored, so a /24 network is written with 0.0.0.255 rather than 255.255.255.0.
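To make the wildcard-mask point concrete, here is a small Python script (an added example, not part of the original page) that converts between netmasks and wildcard masks and evaluates the page's access-list 100 entries against a few constructed source addresses, using the same top-to-bottom first-match and implicit-deny behaviour the switch applies when the list is bound to the vty lines with `access-class`. The ACL_100 table is the page's access list rewritten as data; the sample source addresses are constructed for the demonstration.

```python
import ipaddress

# ACL 100 from the page, as (network, wildcard) pairs in the order IOS
# evaluates them. A `host X` entry is X with the all-zero wildcard 0.0.0.0.
ACL_100 = [
    ("10.1.67.15", "0.0.0.0"),
    ("10.1.67.2", "0.0.0.0"),
    ("10.3.3.51", "0.0.0.0"),
    ("192.168.36.177", "0.0.0.0"),
    ("172.16.30.0", "0.0.0.255"),
    ("10.4.4.0", "0.0.0.255"),
]


def _to_int(address: str) -> int:
    return int(ipaddress.IPv4Address(address))


def netmask_to_wildcard(netmask: str) -> str:
    """Invert a dotted-decimal subnet mask into the wildcard form used in
    access-list entries (255.255.255.0 becomes 0.0.0.255)."""
    return str(ipaddress.IPv4Address(_to_int(netmask) ^ 0xFFFFFFFF))


def wildcard_to_netmask(wildcard: str) -> str:
    """The reverse conversion, for reading an existing access list."""
    return str(ipaddress.IPv4Address(_to_int(wildcard) ^ 0xFFFFFFFF))


def matches(ip: str, network: str, wildcard: str) -> bool:
    """True when `ip` is covered by network/wildcard. A 0 bit in the wildcard
    means that bit must equal the network's bit; a 1 bit is ignored."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(network) & care)


def first_match(acl, source_ip: str):
    """Return the index of the first entry matching `source_ip`, as the switch
    does (entries are tested top to bottom and evaluation stops at the first
    hit), or None when nothing matches, which is the implicit deny at the end
    of every access list."""
    for index, (network, wildcard) in enumerate(acl):
        if matches(source_ip, network, wildcard):
            return index
    return None


def vty_permitted(acl, source_ip: str) -> bool:
    """Would `access-class <acl> in` on the vty lines let this source connect?"""
    return first_match(acl, source_ip) is not None


if __name__ == "__main__":
    # Constructed sample sources: listed hosts, a neighbour of a listed host,
    # a listed subnet and a similar-looking subnet that is not listed.
    for source in ("10.3.3.51", "10.3.3.52", "172.16.30.77", "172.16.31.77", "10.4.4.200"):
        hit = first_match(ACL_100, source)
        verdict = "permit (entry %d)" % hit if hit is not None else "deny (implicit)"
        print("%-15s -> %s" % (source, verdict))
```

Running the script shows 10.3.3.52 and 172.16.31.77 falling through to the implicit deny even though they are one address or one subnet away from permitted entries; that is the check worth repeating whenever an entry is added to the list.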


Disabling connections to/from hosts connected to specific ports

We can block ssh to any host connected to a specific switch port by applying the access list below on the port to which that host is connected:

access-list 102 deny   tcp any eq 22 any
access-list 102 permit ip any any

Note that

  • The access list has to be applied on the port to which the host is connected, not on the uplink port. If we want to block ssh to all nodes connected to this switch, we can use 'access-list 102 deny tcp any any eq 22' on the uplink port. The reason is that an access list can only be applied to packets entering a port, not to packets leaving it. So to block ssh to one particular host we deny packets coming from source port 22 (the host's replies) and apply the access list on the port to which that host is connected; to block ssh to all hosts we deny packets for destination port 22 and apply the access list only on the uplink port.
  • 2950 switches impose a very strict single-subnet-mask limit: all rules belonging to the same access list must use the same kind of wildcard mask.
  • If access lists are very large and descriptive, like
    config t
    no access-list 102
    access-list 102 remark Allow SSH to staff or faculty vlan
    access-list 102 permit tcp 10.5.1.0 0.0.0.255 eq 22 any
    access-list 102 remark --
    access-list 102 remark Allow telnet to switches
    access-list 102 permit tcp 10.4.4.0 0.0.0.255 eq 23 any
    access-list 102 permit tcp 172.16.30.0 0.0.0.255 eq 23 any
    access-list 102 remark --
    access-list 102 remark Allow access to port 80 for servers
    access-list 102 permit tcp 192.168.36.0 0.0.0.255 eq 80 any
    access-list 102 permit tcp 10.4.2.0 0.0.0.255 eq 80 any
    access-list 102 permit tcp 10.4.3.0 0.0.0.255 eq 80 any
    access-list 102 remark --
    access-list 102 remark Allow access to port 443 for servers
    access-list 102 permit tcp 192.168.36.0 0.0.0.255 eq 443 any
    access-list 102 permit tcp 10.4.2.0 0.0.0.255 eq 443 any
    access-list 102 permit tcp 10.4.3.0 0.0.0.255 eq 443 any
    access-list 102 remark --
    access-list 102 remark Allow access to port 8080 for servers
    access-list 102 permit tcp 192.168.36.0 0.0.0.255 eq 8080 any
    access-list 102 permit tcp 10.4.3.0 0.0.0.255 eq 8080 any
    access-list 102 remark --
    access-list 102 remark Allow udp for DHCP, DNS etc.
    access-list 102 permit udp any any
    then we may not be able to apply them on many ports. So if we want to apply access lists on many ports they must be small. Applying a very specific and detailed access list like the one above on only one port (probably the uplink) does not cause any problem, however.
  • It is important to ensure that telnet access to the switch itself does not get blocked by the access list we are applying, especially when configuring an access list on the switch port through which we are connected to the switch (mostly the uplink port). Hence an exception for destination port 23 in access lists applied to uplink ports is important (assuming we are connected to the switch using telnet).
  • Although the example is given only for an ssh server, access lists can equally be used to block a proxy server, DNS server, HTTP server, etc., based on port numbers.
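The direction point in the first note above (only inbound packets are filtered, so the same `eq 22` has to sit on the source side on the host's port and on the destination side on the uplink) is easy to get backwards. The following Python, an added example and not part of the original page, parses the page's own `access-list 102` lines into entries, evaluates a constructed SSH handshake against them with first-match and implicit-deny semantics, and shows which packet each variant stops on which port. It handles only the numbered-ACL syntax that appears on the page (`any`, `host X`, `X WILDCARD`, optional `eq PORT`, `remark` lines); the addresses and ports of the handshake are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two variants discussed on the page: the first is applied inbound on the
# port the target host is connected to, the second inbound on the uplink port.
HOST_PORT_ACL = """
access-list 102 deny   tcp any eq 22 any
access-list 102 permit ip any any
"""
UPLINK_ACL = """
access-list 102 deny   tcp any any eq 22
access-list 102 permit ip any any
"""


@dataclass
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str
    proto: str        # "ip" matches every protocol, "tcp"/"udp" only that one
    src_net: int
    src_care: int     # address bits that must match (the inverted wildcard)
    sport: Optional[int]
    dst_net: int
    dst_care: int
    dport: Optional[int]


def _addr(tokens):
    """Consume one address spec (`any`, `host X` or `X WILDCARD`) plus an
    optional `eq PORT`; return (net, care, port, remaining_tokens)."""
    if tokens[0] == "any":
        net, care, tokens = 0, 0, tokens[1:]
    elif tokens[0] == "host":
        net, care, tokens = int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    else:
        net = int(ipaddress.IPv4Address(tokens[0]))
        care = int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF
        tokens = tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return net & care, care, port, tokens


def parse_ace(line: str) -> Optional[Ace]:
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]  # drop "access-list <number>"
    if tokens[0] == "remark":
        return None          # remarks document the list, they are not rules
    action, proto = tokens[0], tokens[1]
    src_net, src_care, sport, rest = _addr(tokens[2:])
    dst_net, dst_care, dport, rest = _addr(rest)
    return Ace(action, proto, src_net, src_care, sport, dst_net, dst_care, dport)


def parse_acl(text: str) -> List[Ace]:
    return [ace for ace in map(parse_ace, text.strip().splitlines()) if ace]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if (int(ipaddress.IPv4Address(pkt.src)) & ace.src_care) != ace.src_net:
        return False
    if (int(ipaddress.IPv4Address(pkt.dst)) & ace.dst_care) != ace.dst_net:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed SSH handshake: a client beyond the uplink opens a session to a
# host on an access port. The SYN enters the switch on the uplink; the host's
# SYN-ACK enters the switch on the host's own port.
SYN = Packet("tcp", "10.3.3.51", 45000, "10.4.4.10", 22)
SYN_ACK = Packet("tcp", "10.4.4.10", 22, "10.3.3.51", 45000)


def ssh_blocked(acl_text: str, inbound: Packet) -> bool:
    """Does this ACL, applied inbound where `inbound` enters, drop that packet?"""
    return evaluate(parse_acl(acl_text), inbound) == "deny"


if __name__ == "__main__":
    print("host port ACL stops the host's SYN-ACK:", ssh_blocked(HOST_PORT_ACL, SYN_ACK))
    print("uplink ACL stops the client's SYN:", ssh_blocked(UPLINK_ACL, SYN))
```

The host-port variant never sees the client's SYN (it enters on the uplink), so it only works because it drops the host's reply with source port 22; swapping the two `eq 22` placements leaves ssh reachable on both ports, which is the mistake the note warns about.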

