Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7981
Views
20
Helpful
5
Replies

deny traffic by vrf - acl?

Go to solution
Nicholas Richardson
Level 1
Level 1

‎12-13-2011 12:45 PM

Hello,

I have a service provider network with multiple public vrfs and some private vpns also.  We liked the design of this it seemed to keep the public routing completely separate from the core routing.  However it seems there is an awkward do to shut, as if we set a public addressed sub-interface for a customer ssh access is available.  We want to keep ssh access around out network, so have filtered out who can access using acl on the vty, say to 10.x.x.x

However we also have some private vpns, so I could quite easily set 10.x.x.x addressing which would allow people to attempt ssh access.

So basically, what is the best way to completely drop all telnet/ssh access to sub-interfaces on a per vrf basis, i.e. if you are in this vrf, regardless of IP, you cannot ever see telnet/ssh ports filtered/closed or otherwise?

Many thanks

Nicholas

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ivan Krimmel
Level 7
Level 7
In response to Nicholas Richardson

‎12-15-2011 02:11 AM

Hi Nicholas,

there're two more options to consider:

1. CoPP/MPP - Management Plane Policing

2. QoS

using the first one, you could restrict access globally, the second one could give you an option to restrict access on a per-(sub)interface basis.

HTH,

Ivan.

View solution in original post

5 Replies 5

Go to solution
Vaibhava Varma
Level 4
Level 4

‎12-13-2011 08:49 PM

Hi Nicholas

If we want to restrict telnet/ssh access on per VRF Sub-Interface basis then we can use an extended access list denying telnet/ssh access on that Sub-Interafce..

E.G)

R1#show access-lists

Extended IP access list 101

    10 deny tcp any any eq telnet (2 matches)

R1#

Hope this provides some insight into your query.

Regards

Varma

0 Helpful

Go to solution
Nicholas Richardson
Level 1
Level 1
In response to Vaibhava Varma

‎12-14-2011 06:52 AM

Hello,

Many thanks for the reply.  Unfortunately this will restrict telnet through the interface - we want to allow our customers to use any application through our router.  So we can do:

10 deny tcp any 10.x.x.x eq telnet

20 permit ip any any

And apply this to the interface.  However if we give a customer a couple of private vpn to route between, we need a sub-interface which could overlap with this address, so be of security interest, and also presumably is open to spoofing.

What I am looking for, if it exists, is to completely disable telnet/ssh services on an interface, not necessarily by ip access list.

Many thanks

nicholas

0 Helpful

Go to solution
Ivan Krimmel
Level 7
Level 7
In response to Nicholas Richardson

‎12-15-2011 02:11 AM

Hi Nicholas,

there're two more options to consider:

1. CoPP/MPP - Management Plane Policing

2. QoS

using the first one, you could restrict access globally, the second one could give you an option to restrict access on a per-(sub)interface basis.

HTH,

Ivan.

Go to solution
Nicholas Richardson
Level 1
Level 1
In response to Ivan Krimmel

‎12-15-2011 08:03 AM

Thanks MPP is exactly what I am after!!

Nicholas

0 Helpful

Go to solution
Ivan Krimmel
Level 7
Level 7
In response to Nicholas Richardson

‎12-15-2011 10:59 AM

Hey Nicholas,

I am happy to help! :)

Cheers,

Ivan.

0 Helpful
Customers Also Viewed These Support Documents