How to restrict management to work over the Gigabit0 Management interface ASR 1001-X

Shlomy Maron
Cisco Employee

I have an ASR 1001-X; I've upgraded it to 03.16.04b.S.

The command "control-plane host" doesn't exist anymore.

Is there a way to restrict the management access to work via Gigabit0 without using an ACL on the other interfaces?

Paul Chapman
Level 4

Hi Shlomy -

Set an access-class on your VTY lines.  The "vrf-also" parameter will allow you to apply the ACL to all VRFs (including the management VRF).

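! Permit SSH to the management address only; drop everything else
ip access-list extended ACL-VTY
 permit tcp any host <mgmt ip> eq 22
 deny ip any any
!
! access-class on a VTY line requires a direction; "in" filters incoming sessions
line vty 0 15
 access-class ACL-VTY in vrf-also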

PSC
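
An added example, not part of the original reply: a small Python check that every "line vty" block in a saved running-config carries an inbound access-class with vrf-also, as the reply above recommends. It matches the "access-class <name> in vrf-also" form; the sample config and the address 192.0.2.10 are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample running-config excerpt (not from the thread): the ACL is
# applied to vty 0-4 only, and vty 5-15 is left without any access-class.
SAMPLE_CONFIG = """\
ip access-list extended ACL-VTY
 permit tcp any host 192.0.2.10 eq 22
 deny ip any any
!
line vty 0 4
 access-class ACL-VTY in vrf-also
line vty 5 15
 transport input ssh
!
"""

LINE_VTY = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACCESS_CLASS_IN = re.compile(r"^\s+access-class (\S+) in(?P<vrf> vrf-also)?\s*$")

def audit_vty(config):
    """Return one record per 'line vty' block with its inbound ACL state."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = LINE_VTY.match(raw)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = {"range": (first, last), "acl": None, "vrf_also": False}
            blocks.append(current)
        elif raw and not raw[0].isspace():
            current = None  # any other top-level command ends the vty block
        elif current is not None:
            ac = ACCESS_CLASS_IN.match(raw)
            if ac:
                current["acl"] = ac.group(1)
                current["vrf_also"] = ac.group("vrf") is not None
    return blocks

def findings(config):
    """List the vty ranges that are missing the ACL or the vrf-also keyword."""
    out = []
    for b in audit_vty(config):
        name = "vty %d-%d" % b["range"]
        if b["acl"] is None:
            out.append(f"{name}: no inbound access-class")
        elif not b["vrf_also"]:
            out.append(f"{name}: access-class {b['acl']} lacks vrf-also")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_CONFIG)))
```

Running it against the sample flags vty 5-15, the usual gap when the ACL is applied to only one of the VTY ranges.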

Hi Paul,

I think you got my question wrong.

I'd like to block telnet/snmp/ssh to the router via all physical interfaces except the management interface.

The old version had the command control-plane host, which allowed you to decide which interface is allowed to do it.

Yet it does not appear in the version 3.16.4b.

Any suggestions?

Hi -

I'm still running 3.16.3 and I see the command.  Since there are no release notes (that I can find) for 3.16.4 (a or b) which document a command change, I would consider this a bug. Open a TAC case and see if they can put it back in 3.16.5 or at least document a proper workaround.

PSC
