640 Configuring Access Control Lists
! Further limit inbound traffic on in-band management ports.
! Allow only VLAN 99 SSH and TFTP, no telnet, HTTP, HTTPS, or SNMP.
! The management access list actions are performed by the switch
! firmware in addition to the access list actions performed by
! the switching silicon, e.g. reduce-dos-attacks. Note that
! the switch forces TFTP accesses to use the well-known TFTP port
! number 69.
!
management access-list mgmt-blocks
permit vlan 99 service ssh
permit vlan 99 service tftp
deny vlan 99
permit service any
exit
! Create an in-band Management VLAN (99), assign it to two ports
(gi1/0/47
! and gi1/0/48), and add both ACLs and Management ACLs to ALL ports
! in global config mode.
vlan 99
exit
interface vlan 99
ip address dhcp
exit
interface gi1/0/47-48
switchport access vlan 99
exit
management access-class mgmt-blocks
line ssh
login authentication default
exit
crypto key generate rsa
crypto key generate dsa
ip ssh server
Policy Based Routing Examples
ACL That Matches All IP Packets
ip access-list match-all
permit ip any any
exit
To Next Page
Loading...
Need help?
General