10-12-2008 03:06 AM - edited 03-06-2019 01:53 AM
Dear all,
I have a PC in VLAN 242; VLAN 242 (management server VLAN) is only routed on the firewall. The switch/router management should be routed on the firewall too, to prevent users from connecting to the router, for example. Router management is in VLAN 2. On the router I use policy-based routing, so all traffic from the IP range 10.1.2.0/24 (VLAN 2) goes to the firewall.
I checked with ping and traceroute; everything "goes" like I want. When I make a telnet, it is not working.
I changed the firewall and took a router; it is not working either.
Does anyone have an idea... I don't know why this works so strangely...
Config:
Router or firewall; on the switch, inter-VLAN routing.
DF 10.1.242.20
DF 10.1.2.20
On the L3 switch or router which I want to manage:
route-map routing_management, permit, sequence 10
Match clauses:
ip address (access-lists): tt
Set clauses:
ip next-hop 10.1.2.20
Policy routing matches: 7116 packets, 665966 bytes
SW-10#
Extended IP access list tt
10 permit ip 10.1.2.0 0.0.0.255 any (596 matches)
PS: I could put the management server in the same subnet, but for other locations which I manage from this server I have the same problem.
And when I don't use policy-based routing, the L3 switch/router would use this default gateway and the firewall would say "spoofing", wrong IP on this interface.
Thanks in advance
10-12-2008 03:34 AM
Hello Sebastian,
Cisco routers and switches allow you to use an ACL to limit from what IP addresses a telnet session can be accepted.
Example:
access-list 25 permit 10.1.2.0 0.0.0.255
! under the line vty range apply
! the standard ACL with the access-class
! command:
line vty 0 4
access-class 25 in
You don't need to play with PBR to implement a control on telnet access to network devices.
PBR doesn't behave as expected on locally generated packets (inside the device); these are by default not processed by PBR.
There is a specific command to be given in global config:
ip local policy route-map
see
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1012417
But for this scenario the access-class command is the best solution: it is simple and works.
On the FW allow full access: the control is implemented on each device as described above.
Hope to help
Giuseppe
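For readers who want to see the two points of this answer together, here is an added IOS configuration fragment (not from the original thread or from Cisco documentation). Addresses follow the thread (management VLAN 2 is 10.1.2.0/24, firewall next-hop 10.1.2.20); the SVI address, the `deny any log` line and the `show` commands are assumptions.

```cisco
! 1) Restrict where VTY sessions may originate (the recommended fix).
!    Only the management range is accepted; the explicit deny with
!    "log" (assumption, not in the thread) makes rejected attempts
!    visible in the device log.
access-list 25 remark management stations only
access-list 25 permit 10.1.2.0 0.0.0.255
access-list 25 deny   any log
!
line vty 0 4
 access-class 25 in
!
! 2) If PBR is kept anyway, note the two different attachment points.
ip access-list extended tt
 permit ip 10.1.2.0 0.0.0.255 any
!
route-map routing_management permit 10
 match ip address tt
 set ip next-hop 10.1.2.20
!
! Transit traffic entering the VLAN 2 SVI is policy-routed here
! (SVI address 10.1.2.1 is an assumption) ...
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 ip policy route-map routing_management
!
! ... but packets the switch itself generates (telnet replies, its own
! pings) only follow the route-map once the local policy is applied:
ip local policy route-map routing_management
!
! Verification: counters confirm which path is actually matching.
!   show access-lists 25
!   show route-map routing_management
```

The `show access-lists 25` counter on the deny line is the quickest way to spot hosts outside the management range trying to reach the VTYs.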
10-12-2008 07:53 AM
Hi Giuseppe,
thanks for the answer.
I already set the local policy....
I see all things like you; the telnet access was only an example.
At the moment I'm not sure if the security concept of the colleague before me (now security officer) is a good one.
I will think about it...
Thank you very much.
Sebastian