
deny traffic by vrf - acl?

Hello,

I have a service provider network with multiple public vrfs and some private vpns also. We liked the design of this; it seemed to keep the public routing completely separate from the core routing. However, it seems there is an awkward door to shut, as if we set a public addressed sub-interface for a customer, ssh access is available. We want to keep ssh access around our network, so have filtered out who can access using acl on the vty, say to 10.x.x.x.

However we also have some private vpns, so I could quite easily set 10.x.x.x addressing which would allow people to attempt ssh access.

So basically, what is the best way to completely drop all telnet/ssh access to sub-interfaces on a per vrf basis, i.e. if you are in this vrf, regardless of IP, you cannot ever see telnet/ssh ports filtered/closed or otherwise?

Many thanks

Nicholas

Accepted Solutions

Hi Nicholas,

There are two more options to consider:

1. CoPP/MPP - Management Plane Policing

2. QoS

Using the first one, you could restrict access globally; the second one could give you an option to restrict access on a per-(sub)interface basis.

HTH,

Ivan.
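
A sketch of the two options named in the answer above, added here as an example and not taken from the thread. It assumes classic Cisco IOS syntax with Management Plane Protection available; the interface names, ACL/class/policy names and the 192.0.2.1 router address are placeholders, and support on sub-interfaces varies by platform and release.

```cisco
! Added example: assumed classic Cisco IOS syntax, placeholder names/addresses.
!
! Option 1 (global): Management Plane Protection.
! Once a management interface is designated, SSH/telnet arriving on any
! other interface, including customer VRF sub-interfaces, is dropped
! regardless of the source IP the customer chooses.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh
!
! Option 2 (per sub-interface): MQC policy that drops SSH/telnet addressed
! to the router itself on a customer-facing sub-interface.
! Matching the router's own address (192.0.2.1 here) instead of "any"
! leaves the customer's transit SSH/telnet traffic untouched.
ip access-list extended ACL-TO-ROUTER-MGMT
 permit tcp any host 192.0.2.1 eq 22
 permit tcp any host 192.0.2.1 eq telnet
!
class-map match-all CM-TO-ROUTER-MGMT
 match access-group name ACL-TO-ROUTER-MGMT
!
policy-map PM-DROP-ROUTER-MGMT
 class CM-TO-ROUTER-MGMT
  drop
!
interface GigabitEthernet0/1.100
 service-policy input PM-DROP-ROUTER-MGMT
```

With option 2, the ACL has to list every router-owned address reachable inside that VRF, not only the address of the sub-interface the policy is attached to. The existing VTY access-class can stay in place as a second layer.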
