I have a service provider network with multiple public VRFs and some private VPNs also. We liked the design of this; it seemed to keep the public routing completely separate from the core routing. However, it seems there is an awkward door to shut, as if we set a public addressed sub-interface for a customer, SSH access is available. We want to keep SSH access around our network, so have filtered who can access using an ACL on the vty, say to 10.x.x.x.
However we also have some private VPNs, so I could quite easily set 10.x.x.x addressing which would allow people to attempt SSH access.
So basically, what is the best way to completely drop all telnet/SSH access to sub-interfaces on a per VRF basis, i.e. if you are in this VRF, regardless of IP, you cannot ever see telnet/SSH ports, filtered/closed or otherwise?
Many thanks for the reply. Unfortunately this will restrict telnet through the interface - we want to allow our customers to use any application through our router. So we can do:
10 deny tcp any 10.x.x.x eq telnet
20 permit ip any any
And apply this to the interface. However, if we give a customer a couple of private VPNs to route between, we need a sub-interface which could overlap with this address, so be of security interest, and also presumably is open to spoofing.
What I am looking for, if it exists, is to completely disable telnet/SSH services on an interface, not necessarily by IP access list.
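One way to get what the question asks for on Cisco IOS, added here as an example and not taken from the thread, is Management Plane Protection plus a vty access-class. The interface name, VRF layout and 10.0.0.0/8 management range below are assumptions; with MPP only the listed management interface accepts SSH at all, so customer sub-interfaces in any VRF drop SSH/telnet to the router regardless of source address, which an interface or vty ACL alone cannot guarantee once private VPN addressing overlaps.

```cisco
! Added example, not from the original thread. Interface name, VRF
! layout and the 10.0.0.0/8 management range are assumed.
!
! (1) Management Plane Protection: management protocols are only
!     accepted on the designated management interface. Every other
!     interface, including customer sub-interfaces in any VRF, drops
!     SSH and telnet aimed at the router itself, whatever the source
!     address, so overlapping 10.x space in a customer VPN never
!     reaches the vty lines. MPP requires CEF.
ip cef
!
control-plane host
 management-interface GigabitEthernet0/0 allow ssh
!
! (2) Second layer on the vty lines: SSH only, restricted to the core
!     management range. Without the 'vrf-also' keyword, sessions that
!     arrive through a VRF interface are rejected even when their
!     source address falls inside the permitted 10.x range.
ip access-list standard MGMT-SSH-IN
 permit 10.0.0.0 0.255.255.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-SSH-IN in
!
! Verify which interfaces currently accept management traffic:
! show management-interface
```

If management itself lives in a VRF rather than the global table, `vrf-also` becomes necessary on the access-class and the ACL no longer distinguishes VRFs on its own, so the MPP statement is the control that actually enforces the per-interface restriction.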