07-18-2013 10:21 AM
Hi Folks,
I have an interface in VRF London. I am able to access this interface, FastEthernet0/1 of the PE, from the CPE. How do I prevent PE access from all the interfaces connected to the CPE?

ip vrf London
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
interface FastEthernet0/1
 ip vrf forwarding London
 ip address 10.255.8.1 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
Regards
Ranjeet
07-19-2013 09:25 AM
Hello Ranjeet,
One of the ways to limit control plane access to your PE is to define an ACL and simply use it on your VTY lines. Using an ACL on VTYs will automatically prevent control plane access from VRFs even if the ACL itself permitted the source IPs. So even this configuration would work for you:
ip access-list standard VTY
 permit any
!
line vty 0 15
 access-class VTY in
If you actually wanted to allow access from VRFs as well based on the source IP, you would need the vrf-also keyword in the access-class command - this discussion was focused on its usage:
https://supportforums.cisco.com/message/3973724#3973724
In addition, you can also define a selected subset of interfaces through which the control/management plane traffic is allowed. An example is probably easier to read than a lengthy explanation:
control-plane host
 management-interface FastEthernet0/0 allow ssh snmp telnet
Using this approach, the management traffic has to enter only through the defined set of management interfaces, otherwise it will be dropped. You can define multiple interfaces in the control-plane host section.
Best regards,
Peter
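As an added example (not part of Peter's reply and not a Cisco tool), the following script audits a saved running-config for the two gaps discussed above: VTY lines with no access-class (or one that opens VRF access via vrf-also) and a missing control-plane host management-interface. The two config fragments are constructed samples, not the thread's router.

```python
# Constructed sample configs: the first mirrors the original question (VRF
# interface, unprotected VTYs), the second applies the suggested hardening.
UNPROTECTED = """\
ip vrf London
 rd 200:200
interface FastEthernet0/1
 ip vrf forwarding London
 ip address 10.255.8.1 255.255.255.0
line vty 0 15
 login local
"""

HARDENED = """\
ip access-list standard VTY
 permit 192.0.2.0 0.0.0.255
line vty 0 15
 access-class VTY in
 login local
control-plane host
 management-interface FastEthernet0/0 allow ssh snmp
"""

def split_sections(config):
    """Group an IOS config into (header, [child lines]) using its indentation."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections

def audit_vty_access(config):
    """Return a list of findings about management-plane exposure of the VTYs."""
    sections = split_sections(config)
    acls = {h.split()[-1] for h, _ in sections if h.startswith("ip access-list")}
    findings = []
    for header, children in sections:
        if not header.startswith("line vty"):
            continue
        ac = [c for c in children if c.startswith("access-class")]
        if not ac:
            findings.append(f"{header}: no access-class, VTYs reachable from every interface and VRF")
            continue
        parts = ac[0].split()
        if parts[1] not in acls:
            findings.append(f"{header}: access-class references undefined ACL {parts[1]}")
        if "vrf-also" in parts:
            findings.append(f"{header}: vrf-also present, VRF sources can reach the VTYs")
    mgmt = [c for h, cs in sections if h == "control-plane host"
            for c in cs if c.startswith("management-interface")]
    if not mgmt:
        findings.append("control-plane host: no management-interface, management traffic accepted on all interfaces")
    return findings
```

Run it over `show running-config` output saved to a file; an empty list means both controls from the reply are in place.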
07-28-2013 11:46 PM
Hi Peter,
Thanks for the suggestions. I will put the configuration on my router today and report the results here.
Regards
Ranjeet
Bangalore, India