cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1141
Views
0
Helpful
7
Replies

Management Restriction

ericdude101
Level 1
Level 1

Is it possible to lock down a device so it will only respond on a specified IP address and be transparent on the rest?

For example:

Say I have a switch operating at layer 3 with 3 VLAN's and corresponding interfaces in each for routing purposes,

VLAN 10 - 10.0.10.1

VLAN 11 - 10.0.11.1

VLAN 255 - 10.0.255.1

------------------------------------------------

In this case, I could SSH into the switch by connecting to any one of the three IP addresses (10.0.10.1, 10.0.11.1, or 10.0.255.1) and it would work, no difference between the mix. But say I wanted the switch although having these three interfaces and passing traffic, to only respond and be directly access able via VLAN 255 at 10.0.255.1, and anyone attempting to SSH, Telnet, HTTP, or HTTPS into the device would just get a connection timeout or no response.

Would this best be handled by creating an ACL to filter this traffic or is there something built into the Cisco IOS that will allow me to do this?

7 Replies 7

Francesco Molino
VIP Alumni
VIP Alumni

Hi

You can achieve that goal in 2 ways:

1. ACL + Control-Plane:

You can create an acl allowing ssh or telnet on the interface wanted. Within this acl you can specify the source subnet also. 

Then you'll need to create a policy-map with class-map classifying the traffic by using acl. (Don't forget to have the class-default allowing all others traffic). Then apply this policy-map to Control-Plane.

2. Using management capabilities with control-plane host.

To filter access on a specific interface for ssh or telnet, use commands below:

control-plane host
management-interface GigabitEthernet0/2 allow ssh telnet
!

Then you can create an acl (standard) that'll be applied on line vty to filter source authorized machines.

How that's clear enough.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I attempted to issue the control-plane command and it appears it is not part of the 3750x base IOS, also if I were to use either of these methods, I would need to create an ACL and apply it directly to each of the VLAN interfaces on the switch correct?

I'm sorry I don't have access to any 3750x switches right now.

Which one isn't working?

 Is it the management-interface command under control-plane host?

The 1st one consist in typing in service-policy XXX under control-plane. Have you tried it?

To verify if supported on Cat3750x switches, you can take a look on Cisco IOS feature navigator.

If this isn't supported, then you'll need to create acl and apply it onto SVI. If CoPP working then no need to apply acl on SVI.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The control-plane command is not found. I did create am ACL and apply it to the VTY lines as shown below:

ip access-list extended VTY_ACCESS

10 permit tcp any host 10.0.255.1 eq 22

100 deny ip any any log

After doing this all connections are refused, and the log entry shows the switch is interpreting the packet as being sent to the default gateway instead of the IP, see below:

Feb 12 09:56:58.801: %SEC-6-IPACCESSLOGP: list VTY_ACCESS denied tcp 10.1.0.21(56167) -> 0.0.0.0(22), 1 packet

With vty ACL you'll filter the source but not the destination of switch svi. 

You'll see 0.0.0.0 because when a packet is destined to the Control-Plane it is represented by 0.0.0.0 address.

You'll need to filter by using acl on svi.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

So basically I would need to create one ACL to block ssh, telnet, tftp, http, and https and apply that to each SVI that i dont want management access on.

Yes but don't forget to add a permit for all other traffic.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: