Blocking my terminal servers from accessing my camera system IP

abeck
Level 1

Hello, I have terminal servers, and users are able to browse to the IP of our camera system and log in, which is fine, but we just don't want those users doing it on the term servers, just on their local PCs. The camera system is behind my Meraki firewall, so a group policy to restrict the IP is not working, as the traffic doesn't hit the firewall. Now, I'm actually currently studying for my CCNA; I'm almost done with ICND1, and I'm not sure about the logic of what I should do. The switch is a Brocade and not a Cisco, but I need to be able to take my Cisco logic and work it into the Brocade. What would you all do on the switch to prevent the 4 term server IPs from talking to the camera system IP and/or port?

Thanks in advance.


8 Replies

Reza Sharifi
Hall of Fame

Hi,

Open a ticket with Brocade and ask the engineers if there is way to deploy local ACL to block hosts on their switch.

HTH

ACL was something a Meraki guy mentioned, but I haven't gotten to that part in my studies. Assume that my switch is a Cisco; I'll take care of the rest. I'm looking for a LOGIC answer, not a CLI answer.

What do you mean by "LOGIC"?

Thought process on how to handle the issue I presented. The fact that it's a Brocade or Cisco or Juniper, at least at a base level, has no effect on the logic you would use to solve the problem.

I assume you would apply an ACL to that port specifically? Allow all but my term servers? That's the kind of logic I'm referring to.

And since I'm studying for the CCNA, I wanted Cisco people's thoughts on it as a bit of training, haha. But I can call Brocade too.

Richard Burts
Hall of Fame
(Accepted Solution)

I am slightly confused about this environment. The original post starts with terminal server and IP cameras (good so far). Then there is a Meraki and some switch. How do they fit into the environment?


I am also not clear about what kind of terminal server we are dealing with and what protocols are supported. In traditional Cisco equipment a terminal server allows a user to access them using telnet or SSH and then enables the user to telnet or SSH to other devices in the network. If it were a traditional Cisco terminal server here is the thought process that I would use to satisfy your requirement of limiting access to the cameras from the terminal server. Cisco traditionally uses access-class applied to vty to limit access. We typically think of access class applied inbound to limit who can access the terminal server. But the access class also works outbound to limit what you can access from the terminal server. So what I would do would be to configure a standard access list. In that standard access list I would configure deny statements for the host addresses of the cameras and then I would configure a permit any statement. Then I would use that standard access list in an access-class out on the vty of the terminal server.

HTH

Rick

In addition to what Rick describes, if your "terminal servers" cannot host ACLs of some kind themselves, then any L2 or L3 device that supports ACLs of some kind (Brocade likely does) on the path between your terminal servers and your IP cameras should be able to block traffic between those devices.

Also, BTW, if your terminal server provides your dynamic hosts individual IPs, as seen on your network, you would need to block those too. That might be accomplished by blocking an address block that terminal server hosts could use.
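Both approaches in the thread, written out in Cisco IOS syntax as an added example (not posted by anyone in the thread): Rick's standard ACL applied as an outbound access-class on the vty lines, and the path-based extended ACL on a switch or router between the terminal servers and the cameras, including the address-block variant for dynamically addressed terminal server hosts. All addresses, the VLAN number and the interface name are placeholders from the RFC 5737 documentation ranges, not values from the original post.

```cisco
! Placeholder addressing (assumed): camera system 192.0.2.10,
! the four terminal servers 198.51.100.11 through 198.51.100.14,
! terminal server VLAN 198.51.100.0/24.
!
! (1) Rick's approach: only applies if the "terminal server" is an IOS
!     device and users hop from its vty lines. A standard ACL matches on
!     source address only, but access-class ... out evaluates it against
!     the DESTINATION of sessions started from the vty, so deny the
!     camera host and permit everything else.
ip access-list standard NO-CAMERAS-OUT
 deny   host 192.0.2.10
 permit any
!
line vty 0 4
 access-class NO-CAMERAS-OUT out
!
! (2) Path ACL: for Windows/RDS style terminal servers that cannot hold an
!     ACL themselves, filter on the L3 device facing them. An extended ACL
!     matches source AND destination, so only the four terminal servers
!     lose access to the camera host; every other client is untouched.
!     "deny ip" blocks all protocols; narrow it to "deny tcp ... eq 443"
!     if only the web UI port should be blocked.
ip access-list extended TERMSRV-TO-CAMERAS
 remark block the four terminal servers from the camera system
 deny   ip host 198.51.100.11 host 192.0.2.10
 deny   ip host 198.51.100.12 host 192.0.2.10
 deny   ip host 198.51.100.13 host 192.0.2.10
 deny   ip host 198.51.100.14 host 192.0.2.10
 remark if the terminal servers hand out per-user IPs, block the whole
 remark block they draw from instead of individual hosts (Joseph's note)
 deny   ip 198.51.100.0 0.0.0.255 host 192.0.2.10
 permit ip any any
!
! Apply inbound on the interface closest to the terminal servers so the
! packets are dropped before they cross the rest of the network.
interface Vlan100
 description terminal server VLAN (placeholder)
 ip access-group TERMSRV-TO-CAMERAS in
!
! Check: "show access-lists TERMSRV-TO-CAMERAS" should show the deny
! counters increasing when a terminal server user browses to the camera
! address, while a local PC on another VLAN still gets through.
```

The order of the ACL entries matters: the implicit deny at the end of every IOS ACL would drop all other traffic without the explicit permit ip any any, and the same first-match logic carries over to a Brocade ACL even though the command syntax differs.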

That was the logic I was looking for. As I am studying for the CCNA, I wanted to hear how other Cisco folks would handle that issue in a Cisco environment. Sorry if I threw a wrench in the system with it being a Brocade switch, but I wanted the education/logic from a Cisco point of view, and then I would take that to another vendor's device and see if it could be done. Sorry for the confusion.