Friday, March 9, 2018

Cisco 3850 ip access-list not cooperating

We recently set up OSPF on our new aggregation switch stack and set up some access lists to deny access to private IP ranges. The customer IP ranges are set up on specific VLANs and mgmt IPs in the 10.x range are set up on other VLANs. I made an access list to allow ip and icmp from the 10.0.0.0/8 range and then deny any any, but the customers can still ping the 10.x address assigned to the switch on the other VLANs. Config:

ip access-list extended NO_CUST_IN
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any
 permit icmp 10.0.0.0 0.255.255.255 any
 deny icmp any any
interface Vlan3014
 description mgmt
 ip address 10.1.1.1 255.255.0.0
 ip access-group NO_CUST_IN in
 ip access-group NO_CUST_IN out

Why can the customers on the public IPs still ping the private IP addresses on the switch? These rules are blocking access to downstream 10.x IPs, but not the switch's IP in the 10.x range.
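An added example, not part of the original post: a small evaluator that applies Cisco wildcard-mask, first-match semantics to the NO_CUST_IN entries above, with constructed packets (the customer address 203.0.113.10 is an assumed value). Run against a customer-sourced ping to 10.1.1.1 it returns a deny from entry 2 (`deny ip any any`), so the entries themselves would block that packet, which points at where the list is applied rather than at its contents; it also reports that the two icmp entries sit behind that deny and can never match.

```python
import ipaddress
# Constructed copy of the NO_CUST_IN entries from the post, in the order they were entered.
NO_CUST_IN = [
    "permit ip 10.0.0.0 0.255.255.255 any",
    "deny ip any any",
    "permit icmp 10.0.0.0 0.255.255.255 any",
    "deny icmp any any",
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') as (base, wildcard) ints."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_ace(line):
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    dst, _ = _parse_addr(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def _matches(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    return (addr | wild) == (base | wild)

def _covers(outer, inner):
    """True if every address matched by spec `inner` is also matched by `outer`."""
    care = ~outer[1] & 0xFFFFFFFF  # the bits `outer` actually compares
    return (inner[1] & care) == 0 and ((inner[0] ^ outer[0]) & care) == 0

def evaluate(acl, proto, src, dst):
    """First-match evaluation: (action, entry index), or ('deny', None) for the implicit deny."""
    for i, ace in enumerate(map(parse_ace, acl)):
        if ace["proto"] in ("ip", proto) and _matches(_ip(src), ace["src"]) \
                and _matches(_ip(dst), ace["dst"]):
            return ace["action"], i
    return "deny", None

def shadowed(acl):
    """Indexes of entries that an earlier, broader entry prevents from ever matching."""
    aces = list(map(parse_ace, acl))
    return [i for i, ace in enumerate(aces)
            if any(p["proto"] in ("ip", ace["proto"]) and _covers(p["src"], ace["src"])
                   and _covers(p["dst"], ace["dst"]) for p in aces[:i])]
```

`evaluate(NO_CUST_IN, "icmp", "203.0.113.10", "10.1.1.1")` gives `('deny', 1)` and `shadowed(NO_CUST_IN)` gives `[2, 3]` (zero-based indexes).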
