Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
641
Views
0
Helpful
3
Replies

How to restict management to work over the Gigabit0 Management interface ASR 1001-X

Shlomy Maron
Cisco Employee
Cisco Employee

‎12-12-2016 10:15 AM - edited ‎03-05-2019 07:39 AM

I have ASR 1001-X, I've upgraded it to 03.16.04b.S

the command "control-plane host" doesn't exist anymore.

is there a way to restrict the management access to work via Gigabit0 without using ACL on the other interfaces ?

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Paul Chapman
Level 4
Level 4

‎12-12-2016 11:53 AM

Hi Shlomy -

Set an access-class on your VTY lines.  The "vrf-also" parameter will allow you to apply the ACL to all VRFs (including the management VRF).

ip access-list extended ACL-VTY
 permit tcp any host <mgmt ip> eq 22
 deny ip any any
!
line vty 0 15
 access-class ACL-VTY vrf-also

PSC

0 Helpful

Shlomy Maron
Cisco Employee
Cisco Employee
In response to Paul Chapman

‎12-18-2016 01:16 AM

Hi Paul,

I think you got my question wrong.

I'd like to block telnet/snmp/ssh to the router via all physical interfaces except the management interface.

the old version had the command control-plane host which allowed you to decide which interface is allowed to do it.

yet - it does not appear in th version 3.16.4b.

any suggestions ?

0 Helpful

Paul Chapman
Level 4
Level 4
In response to Shlomy Maron

‎12-18-2016 12:19 PM

Hi -

I'm still running 3.16.3 and I see the command.  Since there are no release notes (that I can find) for 3.16.4 (a or b) which document a command change, I would consider this a bug. Open a TAC case and see if they can put it back in 3.16.5 or at least document a proper workaround.

PSC

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card