12-12-2016 10:15 AM - edited 03-05-2019 07:39 AM
I have an ASR 1001-X, and I've upgraded it to 03.16.04b.S.
The command "control-plane host" doesn't exist anymore.
Is there a way to restrict the management access to work via Gigabit0 without using ACL on the other interfaces?
12-12-2016 11:53 AM
Hi Shlomy -
Set an access-class on your VTY lines. The "vrf-also" parameter will allow you to apply the ACL to all VRFs (including the management VRF).
ip access-list extended ACL-VTY
 permit tcp any host <mgmt ip> eq 22
 deny ip any any
!
line vty 0 15
 access-class ACL-VTY in vrf-also
PSC
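Added example, not part of any post in this thread: a small offline audit that checks a saved configuration for the pattern in the reply above (an inbound access-class with vrf-also on every VTY stanza, pointing at an extended ACL whose permits name a specific destination). The function names, the sample text and the 192.0.2.10 address are assumptions; it expects `show running-config` style indentation and ACL entries without source-port operators.

```python
import re

ACCESS_CLASS = re.compile(r"^access-class (\S+) in( vrf-also)?$")
# permit <proto> <source> any ...  (source = any | host A | A WILDCARD)
OPEN_DST = re.compile(r"^permit \S+ (any|host \S+|\S+ \S+) any\b")

# Constructed sample; 192.0.2.10 stands in for the management address.
SAMPLE = """\
ip access-list extended ACL-VTY
 permit tcp any host 192.0.2.10 eq 22
 deny ip any any
line vty 0 15
 access-class ACL-VTY in vrf-also
"""

def parse_stanzas(config):
    """Group indented sub-commands under their top-level command."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and current:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas.setdefault(current, [])
    return stanzas

def audit_vty(config):
    """Return findings per 'line vty' stanza; an empty list means it passes."""
    stanzas, findings = parse_stanzas(config), []
    for header, body in stanzas.items():
        if not header.startswith("line vty"):
            continue
        match = next((m for m in map(ACCESS_CLASS.match, body) if m), None)
        if match is None:
            findings.append(f"{header}: no inbound access-class")
            continue
        acl, vrf_also = match.groups()
        if not vrf_also:
            findings.append(f"{header}: access-class {acl} lacks vrf-also")
        entries = stanzas.get(f"ip access-list extended {acl}")
        if entries is None:
            findings.append(f"{header}: extended ACL {acl} not defined")
        findings += [f"{acl}: '{e}' permits any destination"
                     for e in entries or [] if OPEN_DST.match(e)]
    return findings
```

Run `audit_vty()` over a saved configuration file's text; each returned string names the stanza or ACL entry that needs attention.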
12-18-2016 01:16 AM
Hi Paul,
I think you got my question wrong.
I'd like to block telnet/snmp/ssh to the router via all physical interfaces except the management interface.
The old version had the command control-plane host, which allowed you to decide which interface is allowed to do it.
Yet it does not appear in the version 3.16.4b.
Any suggestions?
12-18-2016 12:19 PM
Hi -
I'm still running 3.16.3 and I see the command. Since there are no release notes (that I can find) for 3.16.4 (a or b) which document a command change, I would consider this a bug. Open a TAC case and see if they can put it back in 3.16.5 or at least document a proper workaround.
PSC