1038 Views, 0 Helpful, 2 Replies

Limit Control Plane Access Of PE Router

ranjeetba
Level 1

Hi Folks,

I have an interface in VRF London. I am able to access this interface FastEthernet0/1 of the PE from the CPE. How do I prevent PE access from all the interfaces connected to the CPE?

ip vrf London
 rd 200:200
 route-target export 200:200
 route-target import 200:200

interface FastEthernet0/1
 ip vrf forwarding London
 ip address 10.255.8.1 255.255.255.0
 duplex auto
 speed auto
 no cdp enable

Regards

Ranjeet

2 Replies

Peter Paluch
Cisco Employee

Hello Ranjeet,

One of the ways to limit control plane access to your PE is to define an ACL and simply use it on your VTY lines. Using an ACL on VTYs will automatically prevent control plane access from VRFs even if the ACL itself permitted the source IPs. So even this configuration would work for you:

ip access-list standard VTY
 permit any
!
line vty 0 15
 access-class VTY in

If you actually wanted to allow access from VRFs as well based on the source IP, you would need the vrf-also keyword in the access-class command - this discussion was focused on its usage:

https://supportforums.cisco.com/message/3973724#3973724

In addition, you can also define a selected subset of interfaces through which the control/management plane traffic is allowed. An example is probably easier to read than a lengthy explanation:

control-plane host
 management-interface FastEthernet0/0 allow ssh snmp telnet

Using this approach, the management traffic has to enter only through the defined set of management interfaces, otherwise it will be dropped. You can define multiple interfaces in the control-plane host section.

Best regards,

Peter

Hi Peter,

Thanks for the suggestions. I will put the configuration on my router today and report the results here.

Regards

Ranjeet

Bangalore, India