Denying telnet traffic from VRF interfaces on the router

anasubra_2
Level 1

Hi,

We are currently trying to have incoming telnet traffic from a VRF interface denied by the router (7613, IOS: 12.2(18)SXF4). On the line vty, we have associated an access-class specifying the block that should be allowed for inbound telnet connections to the router. This is working well, but it also allows incoming telnet from a VRF interface that has the same block as the global table block which is configured for allowing the incoming telnet connection. We don't want to allow any telnet connection from the VRF interface, even though it matches the permit block in the access-list.

Kindly note that we have not specified the vrf-also command on the access-class.

Please let us know a way to accomplish the above requirement.

Thanking You

Regards

Anantha Subramanian Natarajan

4 Replies

gmarogi
Level 5

To deny the Telnet traffic from the VRF interface, configure an access list to deny all traffic which matches the telnet port; also remember to permit all other traffic in the next line, and apply the access list to the VRF interface.

Hi,

Thanks for the suggestion.

I think I haven't made my requirement clear. We would not like to apply an access-list to the VRF interfaces to achieve this requirement because then we may have to bind it to all the VRF interfaces (I mean customer interfaces), as we are acting as a service provider. We are looking for a way to do this by applying an access-class bound to the line vty, which is common to all the telnet traffic.

Kindly let us know if you have some suggestions on the same.

Regards

Anantha Subramanian Natarajan

You should have a separate network block for management and only allow that subnet to access the vty port.

Oh ok, thanks.
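An added audit sketch, not part of the thread and not Cisco tooling: it reads a configuration and lists the VRF interfaces whose subnet overlaps a block permitted by the vty access-class, which is the overlap described in the original question and the condition a dedicated management block removes. The sample configuration, interface names, VRF names and addresses are constructed, and only standard numbered ACL `permit` lines with contiguous wildcard masks are parsed.

```python
import ipaddress
import re

# Constructed sample configuration (not from the thread); all names and
# addresses are assumptions for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet2/1
 ip vrf forwarding CUST-A
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet2/2
 ip vrf forwarding CUST-B
 ip address 172.16.5.1 255.255.255.0
!
access-list 10 permit 10.10.0.0 0.0.255.255
!
line vty 0 4
 access-class 10 in
"""

PERMIT_RE = r"^access-list (\S+) permit (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"

def vty_acl_overlaps(config):
    """Return (interface, vrf, subnet, permitted_block) for every VRF interface
    whose subnet overlaps a block permitted by an inbound vty access-class."""
    acl_ids = set(re.findall(r"^ access-class (\S+) in", config, re.M))
    permits = []
    for acl, addr, wildcard in re.findall(PERMIT_RE, config, re.M):
        if acl in acl_ids:
            # ip_network() accepts a contiguous wildcard (host mask) after "/"
            permits.append(ipaddress.ip_network(f"{addr}/{wildcard}", strict=False))
    findings = []
    for block in re.split(r"^!$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        vrf = re.search(r"^ ip vrf forwarding (\S+)", block, re.M)
        addr = re.search(r"^ ip address (\S+) (\S+)", block, re.M)
        if not (name and vrf and addr):
            continue  # not an interface, or not bound to a VRF
        net = ipaddress.ip_network(f"{addr.group(1)}/{addr.group(2)}", strict=False)
        findings += [(name.group(1), vrf.group(1), str(net), str(p))
                     for p in permits if net.overlaps(p)]
    return findings

if __name__ == "__main__":
    for finding in vty_acl_overlaps(SAMPLE_CONFIG):
        print("overlap:", finding)
```
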