Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
3
Replies

Access to the router control plane through a VRF

Go to solution
K.v.Peer
Level 1
Level 1

‎10-06-2005 03:49 AM

Hi everybody,

Does anybody know the behaviour of the following commands on a Cisco PE (Cisco 10720):

ip telnet source-interface Loopback0

ip ssh source-interface Loopback0

Loopback0 is in the global routing table and hence not advertised into a VRF.

I would expect that these commands ensure that a user cannot establish telnet and/or SSH sessions towards the PE from within a VRF. I tested this theory and found out that this is not true. I can start an SSH session to the PE from within a VRF.

Does anybody in this forum have an idea if the router is behaving correctly?

Thx, Kees

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dknov
Level 3
Level 3

‎10-06-2005 09:40 AM

Hi Kees,

Setting source-interface on Telnet/SSH only effects Telnet/SSH sessions initiated from the router and they have no effect on sessions initiated to the router.

As to VRF part, what you're describing is strange. If Loopback interface IP is not included in VRF you should not be able to access it. Can you try and run "show ip route vrf " and see that you indeed to not see this IP in VRF routing table?

Other things might be that you have a VRF static route with "global" keyword, which perform lookups in global routing table for next-hop IP, which might be a 'doorway' for accessing this Loopback.

Anyhow, if you want to prevent VTY access, why don't you do the old fashioned way - ACL? :-)

David

View solution in original post

0 Helpful
3 Replies 3

Go to solution
dknov
Level 3
Level 3

‎10-06-2005 09:40 AM

Hi Kees,

Setting source-interface on Telnet/SSH only effects Telnet/SSH sessions initiated from the router and they have no effect on sessions initiated to the router.

As to VRF part, what you're describing is strange. If Loopback interface IP is not included in VRF you should not be able to access it. Can you try and run "show ip route vrf " and see that you indeed to not see this IP in VRF routing table?

Other things might be that you have a VRF static route with "global" keyword, which perform lookups in global routing table for next-hop IP, which might be a 'doorway' for accessing this Loopback.

Anyhow, if you want to prevent VTY access, why don't you do the old fashioned way - ACL? :-)

David

0 Helpful

Go to solution
romccallum
Level 4
Level 4

‎10-07-2005 05:02 AM

you need to configure an access-class and apply it to your vty interface to stop people from accessing your routers. What you describe above is as already stated for telnet and ssh initiated from the PE router.

HTH

0 Helpful

Go to solution
K.v.Peer
Level 1
Level 1
In response to romccallum

‎10-09-2005 11:12 PM

Guys,

Thanks for your responses! Of course, we've placed acls on vty and customer interfaces. But Cisco's description of the 'source-interface' commands wasn't really clear to me, so that's why I asked. I would've expected that the router only 'listens' to incoming SSH sessions on loopback0, but apparently that's not the case.

Anyway thanks again for the responses. My question's answered!

Cheers,

Kees van Peer

0 Helpful
Customers Also Viewed These Support Documents