
Management Interface restriction

Patrick McHenry
Level 4

Hi,

We are creating a remote site with several VLANs. We want to create a Management VLAN for the new site and only want management through that Management interface, but we want to get away from creating an access-list blocking SSH and Telnet to the other VLAN interfaces.

Is there an elegant way of doing this, without using an access-list?

Maybe a command on the VLAN interface to block Management access?

Thank you

10 Replies

Peter Paluch
Cisco Employee

Hi Patrick,

Some platforms recognize the control-plane host and management-interface commands that limit the selected management traffic just to the particular selected interface. See the following transcript:

Router(config)#control-plane host
Router(config-cp-host)#management-interface ?
  Dialer        Dialer interface
  FastEthernet  FastEthernet IEEE 802.3
  MFR           Multilink Frame Relay bundle interface
  Multilink     Multilink-group interface
  Port-channel  Ethernet Channel of interfaces
  Serial        Serial
  Tunnel        Tunnel interface
  XTagATM       Extended Tag ATM interface
  vmi           Virtual Multipoint Interface

Router(config-cp-host)#management-interface fa0/0 ?
  allow  Allowed network management protocols on selected interface

Router(config-cp-host)#management-interface fa0/0 allow ?
  beep    Beep Protocol
  ftp     File Transfer Protocol
  http    HTTP Protocol
  https   HTTPS Protocol
  snmp    Simple Network Management Protocol
  ssh     Secure Shell Protocol
  telnet  Telnet Protocol
  tftp    Trivial File Transfer Protocol
  tl1     Transaction Language Session Protocol
  tls     Transport Layer Security Protocol

Router(config-cp-host)#management-interface fa0/0 allow ssh ?
  beep    Beep Protocol
  ftp     File Transfer Protocol
  http    HTTP Protocol
  https   HTTPS Protocol
  snmp    Simple Network Management Protocol
  telnet  Telnet Protocol
  tftp    Trivial File Transfer Protocol
  tl1     Transaction Language Session Protocol
  tls     Transport Layer Security Protocol

If your devices support this type of configuration then it should be fairly easy to limit the remote access to just a single VLAN represented by the selected SVI.

Best regards,

Peter

Thanks, Peter.

I don't see an option for a VLAN interface in your sample, though.

Also, my switches don't have the control-plane command. I'm configuring 3750X-48P switches.

Hi Patrick,

There is no Vlan interface in my example because the router I took the transcript from did not have a switching module installed, so there are no Vlan interfaces on that device at all.

I was afraid that this command would not be available on your devices. Hmmm, to be honest, I do not see any easy way of protecting the management access apart from ACLs (standard ACLs should suffice) used on line vty as access-class in. Then again, doing this should not be complicated at all. Do you have any specific reason why you want to avoid ACLs?

Best regards,

Peter

Thanks, Peter

No, there is no reason other than I would like to keep the configs a little cleaner. We have an ACL that we use for SNMP, so I guess we can use one for management. I was hoping there was a more elegant way of doing this.

Thanks for your help, Pat.

Hello, you could always use Peter's suggestion, which personally I would implement and consider far cleaner than applying an ACL to an interface.

For example

=======================================

SSH access:

ip access-list standard Cisco_Support_SSH
 permit 10.0.0.1 log
!
line vty 0 15
 transport input ssh
 access-class Cisco_Support_SSH in

=======================================

This only allows 10.0.0.1 to SSH in.

For SNMP you could do this:

=======================================

ip access-list standard Cisco_Support_SNMP
 permit 10.1.1.1 log
!
snmp-server community Cisco RO Cisco_Support_SNMP
snmp-server community lie RW Cisco_Support_SNMP

=======================================

With this you do not need complex extended ACLs on your interfaces, or any interface ACL that runs the risk of inadvertently blocking traffic that should be permitted.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
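The two vty access-class variants discussed above, written out as an added example (this is not Bilal's or Peter's configuration, and the interface name and addresses are constructed): variant A permits a whole administrator network instead of a single host, which addresses the "too restrictive" concern later in the thread; variant B uses an extended ACL on the vty lines so that only sessions opened to the management SVI address are accepted, which is the original requirement (restrict by destination interface, not by source) without putting an ACL on any data interface. That IOS accepts an extended ACL in access-class, and matches the address and port the session was opened to, is an assumption to confirm on the specific platform and release before relying on it.

```cisco
! Added example, not configuration from the thread. Constructed values:
!   management SVI  = Vlan100, 10.0.0.1/24
!   admin network   = 10.0.0.0/24
!
! Variant A: restrict by SOURCE network (standard ACL), applied to the vty
! lines rather than to any interface. The explicit deny with "log" records
! rejected attempts instead of dropping them silently.
ip access-list standard MGMT_HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! Variant B: restrict by DESTINATION (extended ACL). Only SSH sessions aimed
! at the management SVI address are accepted; sessions to any other SVI
! address are refused at the vty, so no interface ACLs are needed.
! Assumption to verify on your release: access-class with an extended ACL.
ip access-list extended MGMT_SVI_ONLY
 permit tcp any host 10.0.0.1 eq 22
 deny   ip any any log
!
! Apply ONE of the two ACLs (variant B shown). "transport input ssh"
! removes Telnet entirely rather than relying on the ACL for it.
line vty 0 15
 transport input ssh
 access-class MGMT_SVI_ONLY in
 exec-timeout 10 0
!
! Verification: hit counters on the ACL show accepted and refused sessions.
!   show ip access-lists MGMT_SVI_ONLY
!   show line vty 0 15
```

To combine both restrictions (management SVI only, and only from the admin network) use a single extended entry such as `permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22` in place of the `any` source in variant B.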

Just had a thought: normally you have a 'VRF' these days that is applied to the management interfaces. This would probably be better if you want to totally segregate management traffic.

Within this VRF you could have just a single route that routes back to your 'Admin' network where administrators reside?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
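What the management VRF suggestion looks like in configuration, as an added example (not Bilal's configuration; the VRF name, VLAN number, addresses and next hop are constructed): the management SVI is placed in its own routing table, that table holds only a route back to the administrator network, and the vty lines keep a source ACL. The example uses the IOS 15 `vrf definition` / `vrf forwarding` syntax; older releases and some switch images use `ip vrf` and `ip vrf forwarding` instead, and whether VRFs are available at all depends on the feature set, as Bilal notes, so check the syntax on the device.

```cisco
! Added example, not configuration from the thread. Constructed values:
!   VRF name        = MGMT
!   management SVI  = Vlan100, 10.0.0.1/24
!   admin network   = 10.10.0.0/16, reached via 10.0.0.254 inside Vlan100
!
! The VRF gives the management SVI its own routing table, separate from
! the global table the production VLANs use.
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
interface Vlan100
 description Management VLAN (in VRF MGMT)
 vrf forwarding MGMT
 ip address 10.0.0.1 255.255.255.0
!
! The only route in the MGMT table points back at the admin network, so
! the management SVI can neither reach nor be reached from the production
! VLANs, whatever the global routing table contains.
ip route vrf MGMT 10.10.0.0 255.255.0.0 10.0.0.254
!
! Keep a source restriction on the vty lines as well. "vrf-also" is
! needed because, without it, IOS refuses vty sessions that arrive on an
! interface belonging to a VRF.
ip access-list standard ADMIN_NET
 permit 10.10.0.0 0.0.255.255
 deny   any log
!
line vty 0 15
 transport input ssh
 access-class ADMIN_NET in vrf-also
!
! Verification:
!   show vrf                      (SVI listed under MGMT)
!   show ip route vrf MGMT        (only the admin route and the connected SVI)
```

Because the production SVIs stay in the global table and the management SVI is in MGMT, an administrator who connects to a production SVI address is not routed into the management table; the `access-class` still refuses such a session if it comes from outside the admin network.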


Bilal -

Is your access-list only permitting traffic from 10.0.0.1 to SSH in, or only permitting hosts to SSH into the switch using 10.0.0.1?

I want to make sure that only the Management interface is allowed to be SSHed into. I'm not concerned so much with the source. I think restricting access from only one host would be too restrictive.

Also - could you expand on VRF?

Thank you

Hi Bilal, could you please expand on 'VRF'?

Thanks

Sent from Cisco Technical Support iPhone App

Hello, a VRF (Virtual Routing and Forwarding) is a technology that allows one to create multiple instances of a routing table within the same router. This adds the logic that an interface belongs to the VRF and has its own routing table, and then we could SSH in through the VRF interface.

However, rather unfortunately, with some switches it may not be supported and would require some sort of IP Services image, so I wouldn't bother looking at this path much longer. (Note that newer devices come with this functionality out of the box with a dedicated management interface.)

Although it works really well with routers.

I'm not so sure if you can restrict the devices to only allow a certain interface to be SSHed to (very interested to know of another way), apart from ACLs, I guess. Rather than restricting one host, you can restrict to a network. The single IP was just an example.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


Thanks Bilal. I would imagine the VRF is supported on the 3750X with the IP Services image; that is what we are deploying.

The management interface that is on the 3750X is cool, but the only use I see for it would be for a DMZ switch, and I've used it for that purpose. It's a copper interface and we would run into distance limitations. I guess I could deny port 22 on all VLAN interface addresses except for the Management VLAN interface.

Thanks.