06-04-2003 12:06 PM - edited 03-02-2019 07:53 AM
Can you disallow any and all access to a router (i.e. telnet, ssh, etc.) on a subinterface without affecting anything else, the way you can shut off access to CON0? This is to prevent access to the router from a VLAN subinterface on a wireless network.
06-04-2003 12:38 PM
To shut down telnet access:
access-list 1 deny any
line vty 0 4
 access-class 1 in
SSH is not enabled by default unless you configure it, so I think you don't need to restrict that access.
06-04-2003 12:45 PM
Hi, thanks for the reply, but I don't want to shut down telnet access to the entire device, only a subinterface, i.e. FastEthernet 0/0.5, so that devices in the attached VLAN cannot access the device. That is their default gateway and the only place they can currently access the router from.
06-04-2003 01:03 PM
t
06-04-2003 11:44 PM
Hi,
what about
access-list 199 deny ip any host A.B.C.D
int fa 0/0.5
 ip address A.B.C.D ......
 ip access-group 199 in
To be absolutely sure you should add an additional line
access-list 199 deny ip any host W.X.Y.Z
for all other router subinterfaces
(otherwise the users would be able to telnet to the other subinterfaces if they were smart).
Regards,
Milan
06-07-2003 02:55 AM
WOW guys, I have to disagree. Those access lists you gave him will restrict ALL traffic... he only wants to block Telnet. Try this instead:
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
interface FastEthernet0/0.5
 ip access-group 101 in
06-08-2003 11:00 PM
Hi,
I think it's better to block ALL the traffic from user PCs to the switch.
If he really wants to block Telnet only, no problem to modify the access list.
BUT your access list would block Telnet to ANYWHERE not only to the switch.
Regards,
Milan
06-09-2003 01:22 AM
True... which could be modified to:
access-list 101 deny tcp host x.x.x.x any eq 23
where x.x.x.x is the IP of the interface, and you'd have to have one entry for each interface.
06-09-2003 03:07 AM
Hi guys, this one looks good. The reason for this is that the one subinterface in question is on a wireless subnet and I want to disallow any communication to these devices other than traffic. Would something like "transport input none" work, like you would use on a line command? I wish there was a command like "no management int" or something.
Thanks for the input, it has helped greatly.
06-09-2003 03:22 AM
It should be:
access-list 101 deny tcp any host x.x.x.x eq 23
where x.x.x.x is the IP of the interface, and you'd have to have one entry for each interface.
There should also be
access-list 101 permit ip any any
at the end.
But I still think it's better to filter out ALL the user traffic going to the router (i.e. not to put "eq 23" to the access list lines). This would prevent possible DoS attacks.
Regards,
Milan
06-09-2003 06:50 AM
Yes, I agree all should be blocked. But this will only block traffic to the router, not through it, correct? Then I can add the rest of my access list to the inbound interface to manage through traffic, such as the following. Would this work?
permit icmp 10.16.152.16 0.0.0.15 host 10.16.118.5
permit tcp 10.16.152.16 0.0.0.15 host 10.16.118.5 eq telnet
permit ip host 10.64.152.10 10.16.30.0 0.0.1.255
permit ip host 10.64.152.10 host 10.16.101.17
deny ip any host 10.32.32.1
deny ip any any
Thanks again.
06-09-2003 06:55 AM
Yes, it should work this way.
Regards,
Milan
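Putting the thread's pieces together, here is a complete configuration for the wireless subinterface. This is an added example, not anything posted in the thread; the addresses, VLAN number and ACL name (10.32.32.1/24 on VLAN 5 as the wireless gateway, 10.32.10.1 and 10.32.20.1 as the other subinterface addresses, Loopback0 at 10.255.0.1, the name WIRELESS-IN) are assumptions. It combines Milan's point that every router-owned address needs its own deny line (a host on VLAN 5 can reach any of the router's addresses through the gateway, not just 10.32.32.1) with the transit permits the poster listed, and adds the vty access-class from the first reply as a second layer. Note that "transport input none" and "access-class" are line commands: they restrict all vty access regardless of which interface the packet arrived on, so the per-interface restriction the poster wants can only be expressed as an inbound ACL on that subinterface.

```cisco
! Added example, not from the thread. Assumed addressing:
!   FastEthernet0/0.5 (VLAN 5, wireless gateway) 10.32.32.1/24
!   other subinterfaces                          10.32.10.1, 10.32.20.1
!   Loopback0                                    10.255.0.1
! Transit permits are the poster's own entries from the thread.
!
ip access-list extended WIRELESS-IN
 remark --- 1. drop every packet addressed to ANY router-owned address ---
 deny   ip any host 10.32.32.1
 deny   ip any host 10.32.10.1
 deny   ip any host 10.32.20.1
 deny   ip any host 10.255.0.1
 remark --- 2. DHCP clients broadcast to 255.255.255.255; permit it only if
 remark ---    the router is the DHCP server/relay for this VLAN (assumption)
 permit udp any eq bootpc any eq bootps
 remark --- 3. transit traffic the wireless subnet may originate ---
 permit icmp 10.16.152.16 0.0.0.15 host 10.16.118.5
 permit tcp  10.16.152.16 0.0.0.15 host 10.16.118.5 eq telnet
 permit ip   host 10.64.152.10 10.16.30.0 0.0.1.255
 permit ip   host 10.64.152.10 host 10.16.101.17
 remark --- 4. everything else, logged so probes from the WLAN are visible ---
 deny   ip any any log
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 10.32.32.1 255.255.255.0
 ip access-group WIRELESS-IN in
!
! Second layer: even if a packet to a router address gets past the
! interface ACL (for example a new subinterface added later without a
! deny line), the vty lines only accept the admin block, and only SSH.
access-list 10 permit 10.16.152.16 0.0.0.15
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
```

Order matters: the deny lines for the router's own addresses must precede the transit permits, otherwise "permit tcp ... eq telnet" would let a wireless host telnet to 10.16.118.5 via the router but would not, on its own, stop telnet to the router; and because the ACL ends in "deny ip any any", any new subinterface you add later is covered only for transit, so its address still needs its own deny entry at the top. Verify with "show ip access-lists WIRELESS-IN" and watch the hit counters on the deny lines while a wireless client tries to telnet to 10.32.32.1 and to one of the other subinterface addresses.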