
New Member

Shutting down Management Access on a Subinterface

Can you disallow any and all access to a router (i.e. telnet, ssh, etc.) on a subinterface without affecting anything else, like you can shut off access to CON0? This is to prevent access to the router from a VLAN subinterface on a wireless network.

11 REPLIES

Re: Shutting down Management Access on a Subinterface

To shut down telnet access:

access-list 1 deny any
line vty 0 4
 access-class 1 in

SSH is not enabled by default unless you configure it, so I think you don't need to restrict that access.

New Member

Re: Shutting down Management Access on a Subinterface

Hi, thanks for the reply, but I don't want to shut down telnet access to the entire device, only a sub-interface, i.e. FastEthernet 0/0.5, so that devices in the attached VLAN cannot access the device, as that is their default gateway and the only place they can currently access the router from.

Re: Shutting down Management Access on a Subinterface

t

Re: Shutting down Management Access on a Subinterface

Hi,

what about

access-list 199 deny ip any host A.B.C.D

int fa 0/0.5
 ip address A.B.C.D ......
 ip access-group 199 in

To be absolutely sure you should add an additional line

access-list 199 deny ip any host W.X.Y.Z

for all other router subinterfaces

(otherwise the users would be able to telnet to another subinterface if they were smart.)

Regards,

Milan

New Member

Re: Shutting down Management Access on a Subinterface

WOW guys, I have to disagree. Those access lists you gave him will restrict ALL traffic... he only wants to block Telnet. Try this instead:

access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
interface FA 0/0.5
 ip access-group 101 in

Re: Shutting down Management Access on a Subinterface

Hi,

I think it's better to block ALL the traffic from user PCs to the switch.

If he really wants to block Telnet only, no problem to modify the access list.

BUT your access list would block Telnet to ANYWHERE not only to the switch.

Regards,

Milan

New Member

Re: Shutting down Management Access on a Subinterface

True... which could be modified to

access-list 101 deny tcp host x.x.x.x any eq 23

where x.x.x.x is the ip of the interface, and you'd have to have one entry for each INT.

New Member

Re: Shutting down Management Access on a Subinterface

Hi guys, this one looks good. The reason for this is that the one subinterface in question is on a wireless subnet and I want to disallow any communication to these devices other than traffic. Would something like transport input none work, like you would use on a line command? I wish there was a command like no management int or something.

Thanks for the input, it has helped greatly.

Re: Shutting down Management Access on a Subinterface

It should be

access-list 101 deny tcp ANY host x.x.x.x eq 23

where x.x.x.x is the ip of the interface, and you'd have to have one entry for each INT.

There should also be

access-list 101 permit ip any any

at the end.

But I still think it's better to filter out ALL the user traffic going to the router (i.e. not to put "eq 23" to the access list lines). This would prevent possible DoS attacks.

Regards,

Milan
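A consolidated configuration that combines what the thread converged on (an inbound ACL on the wireless subinterface with one deny line per router interface address and a final permit) with the vty access-class from the first reply. This is an added example, not any poster's configuration; the interface addresses, the second subinterface and the management subnet are constructed placeholders.

```cisco
! Added example (not from the thread). Constructed placeholder addressing:
!   Fa0/0.5  (wireless VLAN 5)   192.0.2.1/24
!   Fa0/0.10 (wired VLAN 10)     198.51.100.1/24  <- assumed second subinterface
!   10.0.0.0/24                  assumed management subnet
!
! 1) Inbound ACL on the wireless subinterface: deny telnet/ssh to EVERY router
!    interface address (not only Fa0/0.5's own, since a user could target another
!    subinterface's IP), log the attempts, and permit everything else so transit
!    traffic and the default gateway keep working.
ip access-list extended WIRELESS-NO-MGMT
 deny   tcp any host 192.0.2.1    eq 23 log
 deny   tcp any host 192.0.2.1    eq 22 log
 deny   tcp any host 198.51.100.1 eq 23 log
 deny   tcp any host 198.51.100.1 eq 22 log
 permit ip  any any
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.0.2.1 255.255.255.0
 ip access-group WIRELESS-NO-MGMT in
!
! 2) Second layer on the vty lines: whichever interface a session arrives on,
!    only the management subnet may open one, and only over SSH. access-class
!    filters by source address rather than ingress interface, so it complements
!    step 1 instead of tying the restriction to a particular subinterface.
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
```

Blocked attempts show up as hit counts in `show access-lists` and, with the `log` keyword, as log messages, which gives a simple way to check that the filter is actually catching management attempts from the wireless VLAN.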
