New Member

Access to the router control plane through a VRF

Hi everybody,

Does anybody know the behaviour of the following commands on a Cisco PE (Cisco 10720):

ip telnet source-interface Loopback0

ip ssh source-interface Loopback0

Loopback0 is in the global routing table and hence not advertised into a VRF.

I would expect that these commands ensure that a user cannot establish telnet and/or SSH sessions towards the PE from within a VRF. I tested this theory and found out that this is not true. I can start an SSH session to the PE from within a VRF.

Does anybody in this forum have an idea if the router is behaving correctly?

Thx, Kees

3 REPLIES

ACCEPTED SOLUTION
New Member

Re: Access to the router control plane through a VRF

Hi Kees,

Setting source-interface on Telnet/SSH only affects Telnet/SSH sessions initiated from the router; it has no effect on sessions initiated to the router.

As to the VRF part, what you're describing is strange. If the Loopback interface IP is not included in the VRF you should not be able to access it. Can you try and run "show ip route vrf " and see that you indeed do not see this IP in the VRF routing table?

Another possibility is that you have a VRF static route with the "global" keyword, which performs lookups in the global routing table for the next-hop IP; that might be a 'doorway' for accessing this Loopback.

Anyhow, if you want to prevent VTY access, why don't you do the old fashioned way - ACL? :-)

David

Bronze

Re: Access to the router control plane through a VRF

You need to configure an access-class and apply it to your vty lines to stop people from accessing your routers. What you describe above is, as already stated, for telnet and SSH initiated from the PE router.

HTH
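As an added example, not code from this thread or from Cisco: a small Python audit that reads IOS-style running-config text and flags VTY lines that rely on source-interface instead of an inbound access-class, which is the misconception the replies above correct. The sample configs, the ACL name MGMT-HOSTS and the 192.0.2.0/24 management range are constructed; the vrf-also behaviour noted in the comments is standard IOS access-class syntax, assumed to apply on the platform in question.

```python
import re

# Constructed sample configs for this example, not from the thread. WEAK relies on
# 'source-interface', which only pins the source of router-initiated sessions.
WEAK_CONFIG = """\
ip ssh source-interface Loopback0
line vty 0 4
 transport input ssh
 login local
"""

# HARDENED applies an inbound access-class. In IOS an inbound access-class without
# the 'vrf-also' keyword also rejects sessions arriving through VRF interfaces
# (assumed supported on the platform; check your release's command reference).
HARDENED_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""

def vty_stanzas(config: str) -> list[list[str]]:
    """Collect the indented child commands of every 'line vty ...' stanza."""
    stanzas, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            stanzas.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command closes the stanza
    return stanzas

def audit_vty(config: str) -> list[str]:
    """Return findings about inbound VTY exposure; an empty list means it passes."""
    findings = []
    has_source_if = re.search(r"^ip (ssh|telnet) source-interface", config, re.M)
    for idx, cmds in enumerate(vty_stanzas(config)):
        inbound = [c for c in cmds if re.match(r"access-class \S+ in\b", c)]
        if not inbound:
            msg = f"vty stanza {idx}: no inbound access-class"
            if has_source_if:
                msg += " (source-interface only governs router-initiated sessions)"
            findings.append(msg)
        elif any(c.endswith(" vrf-also") for c in inbound):
            findings.append(f"vty stanza {idx}: vrf-also admits VRF-sourced sessions matching the ACL")
    return findings
```

Run `audit_vty()` over the output of `show running-config`; the WEAK sample yields one finding and the HARDENED sample none.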

New Member

Re: Access to the router control plane through a VRF

Guys,

Thanks for your responses! Of course, we've placed ACLs on vty and customer interfaces. But Cisco's description of the 'source-interface' commands wasn't really clear to me, so that's why I asked. I would've expected that the router only 'listens' to incoming SSH sessions on Loopback0, but apparently that's not the case.

Anyway thanks again for the responses. My question's answered!

Cheers,

Kees van Peer
