Hi, I was hoping someone could explain how to do this.
I am trying to restrict my core switches (4506's) to only accept incoming SSH and Telnet (management) traffic that is directed to a single IP interface.
I thought I could do this by placing an access list on the VTY lines that says
access-list 101 permit tcp any host 192.168.1.254 eq 22 log
access-list 101 permit tcp any host 192.168.1.254 eq 23 log
access-list 101 deny ip any any log
and simply assign that list inbound to the VTY lines.
However, this then blocks all access to the VTY line. The log is as shown:
Jan 8 11:41:54.247: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.5.25(4258) -> 0.0.0.0(22), 1 packet
So I can see what is happening: because the 4506 is the default gateway for the 192.168.5.0 network, it is seeing the packet as directed to self and not to the 192.168.1.254 address.
My question is, is there any way around this? I was hoping to be able to restrict management access to the 192.168.66.254 address.
I don't want to stop other subnets from being able to manage this switch, but they would all have to manage it through a single IP address. This switch may end up with many subnet interfaces and I would rather be able to say allow this interface and deny all others by default, than have to manually deny all other interfaces one by one.
Any ideas how I can get this to work?
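To check why the ACL in the post denies the logged packet, here is a small Python evaluator (an added example, not part of the original post or of any Cisco tool): it parses IOS extended access-list lines, rebuilds the packet from the %SEC-6-IPACCESSLOGP line, and runs it through the entries. It assumes, as the log line reports, that the VTY access-class evaluated the packet with a destination of 0.0.0.0; a constructed "SVI view" packet with destination 192.168.1.254 is included for comparison, and it only parses the `any`, `host` and address/wildcard forms, with port names limited to ssh and telnet.

```python
"""Evaluate IOS extended-ACL lines against packets, including the packet reported
by a %SEC-6-IPACCESSLOGP log entry. Added example; not from the original post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three ACL lines from the post (typo corrected) and the logged deny.
ACL_TEXT = """\
access-list 101 permit tcp any host 192.168.1.254 eq 22 log
access-list 101 permit tcp any host 192.168.1.254 eq 23 log
access-list 101 deny ip any any log
"""
LOG_LINE = ("Jan 8 11:41:54.247: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
            "192.168.5.25(4258) -> 0.0.0.0(22), 1 packet")

ANY = (0, 0xFFFFFFFF)                   # base 0 with an all-ones wildcard matches everything
PORT_NAMES = {"ssh": 22, "telnet": 23}  # IOS accepts names or numbers after 'eq'


@dataclass
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: Tuple[int, int]         # (base address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]         # None: any destination port
    log: bool


def _addr_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (_addr_int(tokens[i + 1]), 0), i + 2
    return (_addr_int(tok), _addr_int(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered extended ACL lines of the form used in the post."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = PORT_NAMES.get(port) or int(port)
            i += 2
        entries.append(Entry(action, proto, src, dst, dport, "log" in tokens[i:]))
    return entries


def _match_addr(addr: str, spec: Tuple[int, int]) -> bool:
    base, wildcard = spec
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    return (_addr_int(addr) | wildcard) == (base | wildcard)


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); the implicit deny has index None."""
    for idx, e in enumerate(entries):
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_match_addr(pkt.src, e.src) and _match_addr(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None


LOG_RE = re.compile(r"list (\S+) (permitted|denied) (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")


def packet_from_log(line: str) -> Packet:
    """Rebuild the packet an IPACCESSLOGP message reports on."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an IPACCESSLOGP line: " + line)
    return Packet(m.group(3), m.group(4), m.group(6), int(m.group(7)))


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    logged = packet_from_log(LOG_LINE)            # destination 0.0.0.0, as the VTY log shows
    print("VTY log view:", logged, "->", evaluate(acl, logged))
    on_svi = Packet("tcp", logged.src, "192.168.1.254", 22)   # constructed comparison packet
    print("SVI view:    ", on_svi, "->", evaluate(acl, on_svi))
```

Run as written, the logged packet falls through both permit lines (their `host 192.168.1.254` destination never matches 0.0.0.0) and hits the explicit `deny ip any any`, which is exactly the entry the log attributes the drop to; the same packet evaluated with the SVI address as destination is permitted by the first line. A source-based entry such as `permit tcp 192.168.5.0 0.0.0.255 any eq ssh` matches the logged packet, which is the kind of rule the wildcard parsing is there to exercise.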