Management Restriction

Feb 10th, 2017

Is it possible to lock down a device so it will only respond on a specified IP address and be transparent on the rest?


For example:


Say I have a switch operating at layer 3 with 3 VLANs and a corresponding interface in each for routing purposes:


VLAN 10 - 10.0.10.1

VLAN 11 - 10.0.11.1

VLAN 255 - 10.0.255.1

------------------------------------------------

In this case, I could SSH into the switch by connecting to any one of the three IP addresses (10.0.10.1, 10.0.11.1, or 10.0.255.1) and it would work, no difference between them. But say I wanted the switch, while still having these three interfaces and passing traffic, to only respond and be directly accessible via VLAN 255 at 10.0.255.1, and anyone attempting to SSH, Telnet, HTTP, or HTTPS into the device would just get a connection timeout or no response.


Would this best be handled by creating an ACL to filter this traffic or is there something built into the Cisco IOS that will allow me to do this?

Francesco Molino Fri, 02/10/2017 - 18:30
Hi

You can achieve that goal in 2 ways:

1. ACL + Control-Plane:

You can create an ACL allowing SSH or Telnet on the wanted interface. Within this ACL you can specify the source subnet as well.

Then you'll need to create a policy-map with a class-map classifying the traffic using the ACL. (Don't forget to have the class-default allowing all other traffic.) Then apply this policy-map to the control-plane.


2. Using management capabilities with control-plane host.

To filter access on a specific interface for ssh or telnet, use commands below:

control-plane host
management-interface GigabitEthernet0/2 allow ssh telnet
!

Then you can create an acl (standard) that'll be applied on line vty to filter source authorized machines.


Hope that's clear enough.


Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question
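The two options from this answer written out as a complete configuration for the three-SVI switch in the question. This is an added example, not part of the original post or of Cisco's documentation: the ACL, class-map and policy-map names, the 10.0.255.0/24 management subnet and the 8000 bps policer rate are assumptions for illustration; the interface on the MPP line is the one used in the answer above and would be swapped for whatever carries the management VLAN on a real box.

```cisco
! ---- Option 1: CoPP (ACL + class-map + policy-map on control-plane) ----
! In a CoPP class ACL "permit" means "put this packet in the class";
! whether the class is dropped or delivered is decided in the policy-map.
ip access-list extended COPP-MGMT-OK
 remark Management from VLAN 255 hosts to the VLAN 255 SVI only (assumed subnet)
 permit tcp 10.0.255.0 0.0.0.255 host 10.0.255.1 eq 22
ip access-list extended COPP-MGMT-OTHER
 remark Any other SSH/Telnet/HTTP/HTTPS that reached the CPU
 permit tcp any any range 22 23
 permit tcp any any eq 80
 permit tcp any any eq 443
!
class-map match-all COPP-MGMT-OK
 match access-group name COPP-MGMT-OK
class-map match-all COPP-MGMT-OTHER
 match access-group name COPP-MGMT-OTHER
!
! Classes are evaluated top-down, so the allowed class must come first.
! A class with no action lets its traffic through to the CPU.
policy-map COPP
 class COPP-MGMT-OK
 class COPP-MGMT-OTHER
  police 8000 conform-action drop exceed-action drop
 class class-default
!
control-plane
 service-policy input COPP
!
! ---- Option 2: Management Plane Protection (control-plane host) ----
! Needs CEF. Once enabled, management protocols are accepted ONLY on the
! named interface(s); every other interface drops them.
ip cef
control-plane host
 management-interface GigabitEthernet0/2 allow ssh
```

Two checks before trusting either option. First, confirm the platform actually accepts `control-plane` (if the command is rejected, neither CoPP nor MPP is available there and the SVI ACL approach is the fallback). Second, with CoPP a `deny` entry in the class ACL does not drop anything; it only keeps the packet out of that class, so it falls through to `class-default` and is delivered. Either option still pairs with the standard ACL on `line vty` from the answer to pin the permitted source addresses.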



ericdude101 Sat, 02/11/2017 - 17:10
I attempted to issue the control-plane command and it appears it is not part of the 3750x base IOS, also if I were to use either of these methods, I would need to create an ACL and apply it directly to each of the VLAN interfaces on the switch correct?

Francesco Molino Sat, 02/11/2017 - 18:37
I'm sorry I don't have access to any 3750x switches right now.

Which one isn't working?

 Is it the management-interface command under control-plane host?

The 1st one consists of typing service-policy XXX under control-plane. Have you tried it?

To verify whether it's supported on Cat3750X switches, you can take a look at the Cisco IOS Feature Navigator.

If this isn't supported, then you'll need to create an ACL and apply it onto the SVI. If CoPP is working then there's no need to apply an ACL on the SVI.


Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.

ericdude101 Sun, 02/12/2017 - 09:08
The control-plane command is not found. I did create an ACL and apply it to the VTY lines as shown below:

ip access-list extended VTY_ACCESS
 10 permit tcp any host 10.0.255.1 eq 22
 100 deny ip any any log


After doing this all connections are refused, and the log entry shows the switch is interpreting the packet as being sent to the default gateway instead of the IP, see below:

Feb 12 09:56:58.801: %SEC-6-IPACCESSLOGP: list VTY_ACCESS denied tcp 10.1.0.21(56167) -> 0.0.0.0(22), 1 packet

Francesco Molino Sun, 02/12/2017 - 10:46
With a VTY ACL you'll filter the source but not the destination SVI of the switch.

You'll see 0.0.0.0 because when a packet is destined to the Control-Plane it is represented by 0.0.0.0 address.

You'll need to filter by using acl on svi.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

ericdude101 Mon, 02/13/2017 - 16:58
So basically I would need to create one ACL to block SSH, Telnet, TFTP, HTTP, and HTTPS and apply that to each SVI that I don't want management access on.

Francesco Molino Mon, 02/13/2017 - 17:19
Yes but don't forget to add a permit for all other traffic.
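The SVI approach agreed on above, written out as one reusable ACL plus the VTY source filter. This is an added example, not from the original thread: the ACL names NO-MGMT and VTY-SOURCES are assumptions, the addresses are the three SVIs from the question, and 10.0.255.0/24 is assumed to be the management subnet. One point the thread does not spell out: an inbound router ACL on Vlan10 sees every packet a VLAN 10 host sends, including packets addressed to 10.0.255.1 that the switch would route to itself, so the deny entries must cover all of the switch's own addresses, not just the SVI the ACL sits on.

```cisco
! Assumed names: NO-MGMT, VTY-SOURCES. Destinations are the switch's three SVIs.
ip access-list extended NO-MGMT
 remark Deny SSH, Telnet, HTTP, HTTPS and TFTP aimed at ANY of the switch's own
 remark addresses: a host on VLAN 10 could otherwise just target 10.0.255.1
 deny   tcp any host 10.0.10.1 range 22 23
 deny   tcp any host 10.0.10.1 eq 80
 deny   tcp any host 10.0.10.1 eq 443
 deny   udp any host 10.0.10.1 eq 69
 deny   tcp any host 10.0.11.1 range 22 23
 deny   tcp any host 10.0.11.1 eq 80
 deny   tcp any host 10.0.11.1 eq 443
 deny   udp any host 10.0.11.1 eq 69
 deny   tcp any host 10.0.255.1 range 22 23
 deny   tcp any host 10.0.255.1 eq 80
 deny   tcp any host 10.0.255.1 eq 443
 deny   udp any host 10.0.255.1 eq 69
 remark Routed traffic between the VLANs must still pass (implicit deny otherwise)
 permit ip any any
!
! Apply inbound on every SVI that must NOT offer management.
! Vlan255 gets no ACL: that is the management VLAN.
interface Vlan10
 ip access-group NO-MGMT in
interface Vlan11
 ip access-group NO-MGMT in
!
! Belt and braces on the VTY lines: a standard ACL filters the source only,
! so it limits WHO may connect, not WHICH switch address they connect to.
ip access-list standard VTY-SOURCES
 permit 10.0.255.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class VTY-SOURCES in
 transport input ssh
!
! If the web UI is not needed, turn it off rather than filter it.
no ip http server
no ip http secure-server
```

Keep the `log` keyword off the SVI ACL entries on a switch of this class: router ACLs are normally evaluated in hardware, but matching a logged entry sends the packet to the CPU, which is the very thing the filter is meant to protect. Verify with `show ip access-lists NO-MGMT` (hit counters on the deny lines) after attempting an SSH connection from a VLAN 10 host to each of the three addresses.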
