03-03-2015 01:50 AM - edited 03-05-2019 12:55 AM
Dear all,
Is there any way to limit access to HTTP, Telnet and SSH on the router to the management VRF only, so that it is not reachable on the other interfaces?
I can use access-lists and access-class on the VTY lines, and restrict HTTP to only the management subnet, but I am looking for a way to do this without using access-lists.
I was under the impression that this is what the management interface/VRF was created for.
Am I thinking wrong?
Thanks
03-03-2015 06:42 AM
I think there are only access-lists and access-class to limit access to the router itself. You can also apply an access-list to all interfaces to deny access to the router itself except on the mgmt interface, where you can specify which hosts can access the mgmt interface.
03-03-2015 12:20 PM
Control Plane Protection is the best way (IMO), but you can also do it with Control Plane Policing or just QoS.
03-04-2015 12:15 AM
But in my version, there is no control-plane management.
I can only do control-plane host, and I do not see how I can configure the router to accept SSH, HTTP and Telnet this way.
Mind elaborating?
Thanks
03-04-2015 06:42 PM
02-02-2017 04:06 PM
Not sure this is the right answer, but here is what I did on an ISR 4431.
Create a bogus interface such as:
int g0/0/1.1
desc bogus_mgmt_intf
shut
Then set the control plane policing to only allow that interface:
# control-plane host
# management-interface G0/0/1.1 allow snmp
# exit
Seems to work great: I can still access the router through the Gi0 Mgmt_intf VRF but cannot access it externally from any other IP interface.
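For the defender side of what this thread discusses (access-class on the VTY lines, an HTTP access-class, and the MPP management-interface allow-list), here is an added example that is not part of the thread: a small Python audit that parses an IOS-style running-config and reports which VTY ranges have no access-class, whether the HTTP server is restricted, and which interface and protocols MPP allows. The config below is constructed to resemble the ISR 4431 setup above, and the section-parsing rules are a simplified assumption of mine, not Cisco tooling.

```python
import re

# Constructed sample config (not from the thread); mirrors the bogus-interface MPP approach.
SAMPLE_CONFIG = """\
ip http server
ip http access-class 10
interface GigabitEthernet0/0/1.1
 description bogus_mgmt_intf
 shutdown
control-plane host
 management-interface GigabitEthernet0/0/1.1 allow snmp
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_sections(config):
    """Group indented child lines under their top-level parent line (simplified IOS parsing)."""
    sections, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw.startswith(" ") and parent is not None:
            sections[parent].append(raw.strip())
        elif not raw.startswith(" "):
            parent = raw.strip()
            sections.setdefault(parent, [])
    return sections

def audit_management_plane(config):
    """Report VTY ranges lacking access-class, HTTP restriction state, and MPP allow-lists."""
    sections = parse_sections(config)
    findings = {"unprotected_vty": [], "http_restricted": None, "mpp_interfaces": {}}
    http_on = any(p in sections for p in ("ip http server", "ip http secure-server"))
    # None means HTTP is off; otherwise True/False for whether an access-class applies
    findings["http_restricted"] = any(p.startswith("ip http access-class") for p in sections) if http_on else None
    for parent, children in sections.items():
        if parent.startswith("line vty"):
            if not any(c.startswith("access-class") for c in children):
                findings["unprotected_vty"].append(parent)  # reachable from any source address
        elif parent == "control-plane host":
            for c in children:
                m = re.match(r"management-interface (\S+) allow (.+)$", c)
                if m:  # MPP restricts management protocols to the listed interface
                    findings["mpp_interfaces"][m.group(1)] = m.group(2).split()
    return findings
```

Run it against a saved `show running-config` instead of SAMPLE_CONFIG to find VTY ranges that rely on MPP alone, which matters given the IOS-XE caveat raised later in the thread.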
02-03-2017 01:16 AM
Hi Jason, MPP is not fully operational on the IOS-XE series, so be careful with it. We deployed it and found out afterwards that some of the MGMT protocols are not fully programmed and supported. We have an open feature request with our Cisco account manager to enable it fully in the next release. It seems to break with SSH; SNMP works fine.
http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp
From the link above you can select the feature "Management plane protection" and you will find the supported platforms. Unfortunately this is not yet supported on IOS-XE platforms. Digging internally, I could find an enhancement bug as well to add this feature for IOS-XE, which was raised earlier; however, the DDTS was closed since there was no relevant request raised at that time. You may find the DDTS information at the link below:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCts41086/?reffering_site=dumpcr