cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8580
Views
25
Helpful
8
Replies

Restricting telnet/ssh access to loopback address

boxhallbr
Level 1
Level 1

Hi,

I've been requested to restrict telnet/ssh access to the loopback address only.

I've been attempting to do this using access lists however the access lists either block access to all interfaces or allows access to no interfaces.

Any and all help in this is appreciated.

Below are the configs I have been trying. This is for telnet only.

! loopback address I want to restrict access to

interface Loopback0

ip address 10.20.254.1 255.255.255.255

! interface not to be able to telnet to

interface FastEthernet0/0

ip address 10.20.10.1 255.255.255.0

!access-list 101 in is applied to line vty 0 4

line vty 0 4

access-class 101 in

!Below gets to both interfaces

access-list 101 perm tcp any any eq telnet

access-list 101 deny tcp any any

sh access-list 101

Extended IP access list 101

10 permit tcp any any eq telnet (4 matches)

20 deny tcp any any

!The below stopped both interfaces being accessed.

access-list 101 perm tcp any host 10.20.254.1 (loopback address) eq telnet

access-list 101 deny tcp any any

sh access-l 101

Extended IP access list 101

10 permit tcp any host 10.20.254.1 eq telnet

20 deny tcp any any (2 matches)

8 Replies 8

Joe Clarke
Cisco Employee
Cisco Employee

You can do this with control-plane policing (CoPP). For example:

access-list 101 deny tcp any host 10.20.254.1 eq telnet

access-list 101 permit tcp any any eq telnet

access-list 101 deny ip any any

class-map match-all matchtelnet

match access-group 101

policy-map filtertelnet

class matchtelnet

drop

control-plane

service-policy input filtertelnet

Note: the ACL above looks like the opposite of what you want, but really you're matching traffic you do NOT want, then dropping it in the policy-map.

The net effect will be that all TCP traffic is allowed to this device OTHER than tcp/23 traffic unless the destination address is 10.20.254.1.

Fantastic. I'm still trying to get my head around it but it works. Need to look at the backward logic.

Thanks for help.

Hi,

You supplied the above answer last month and, when I tested it on a 1841 router it worked fine.

My problem is when I tried to apply it to a 3750 layer 3 switch. The drop command on the policy-map didn't take nor did the service-policy input command on the control-plane (output below).

Any and all help will be appreciated.

router(config-cmap)#policy-map filtertelnet

router(config-pmap)#class matchtelnet

router(config-pmap-c)#drop

^

% Invalid input detected at '^' marker.

router(config-pmap-c)#

router(config-pmap-c)#control-plane

router(config-cp)#service-policy input filtertelnet

QoS: policymap is supported on physical, VLAN, and ES interfaces only

Service Policy attachment failed

error: failed to install policy map filtertelnet

router(config-cp)#

Control-plane policing is not supported on the 3750 platform. This solution will not work there.

Thanks.

Is there any other way of restricting remote access to single interfaces on the 3750 switches?

Interface ACLs are the only other way to go. Create an ACL that only permits telnet to the desired interface, then apply it to all IP interfaces on the switch.

Joe,

Tested the access list on a test box and it work fine. Before I start applying it on all devices thought I would get you to have a quick look.

Does the below look correct?

Want to connect to IP address 10.1.112.5.

ip access-list extended RemoteAccess

permit tcp any host 10.1.112.5 eq telnet

deny tcp any any eq telnet

permit ip any any

Then apply the access list

interface Vlan210

ip address 10.2.112.5 255.255.252.0

ip access-group RemoteAccess in

!

interface Vlan410

ip address 10.1.112.5 255.255.252.0

ip access-group RemoteAccess in

!

Thanks again for your help.

This looks okay to me.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco