From: Darby Weaver (darbyweaver@yahoo.com)
Date: Tue May 15 2007 - 01:56:05 ART
My first question is how specific are the requirements?
1. Is it just to restrict access to one particular IP address or interface, for instance?
2. Would it be helpful to change the ability of all of the rest of the routers/switches in question to only be able to use telnet via a certain interface - say lo0, for instance? And I'll assume you are using the same class C address spacing for all your lo0s - big assumption - but I'll risk it.
3. Now what remains - where should we employ the access-list? On the closest interface that would restrict access from all of the other devices perhaps, or on all of them perhaps? Did we restrict, or were we permitted to restrict, from lo0, or did we use f0/0 for instance?
In any event suppose we use the access-list you have
suggested and that is all.
4. If you did, then I must ask did you have any
control plane traffic that needed to use that
interface? Which protocols? ICMP perhaps? Which ICMP
types in particular or in general? - I always try to
think of the control plane traffic.
5. If you were restricted to just telnet from those
addresses, then I might take another approach to the
problem - is it specifically from those routers or
telnet in general - maybe a combo of both perhaps...
Ever hear of:
line con 0
transport input telnet
transport output telnet or all or ssh etc.
OK - Just rambling...
Let's look at your actual acl:
> access-list 101 permit tcp any host 155.1.1.1 any
> eq telnet
> access-list 101 deny tcp any any eq telnet
> access-list 101 permit ip any any
> access-list 101 deny ip host 155.1.1.1 any
> access-list 101 permit ip any any
>
> int s0/0/0
> ip access-group 101 in
> ip access-group 101 out
OK... all over the field aka the "Shotgun Approach"
So let's say that the only interface that can be reached by any of those routers is s0/0/0 on R1 - otherwise I'd apply the ACL on each interface that might let one of those devices in. And I'd watch for tunnels too.
int s0/0/0
ip access-group 101 in
Ought to do the trick.
==========================================
! R2, R4, R5 and S1 stand for each device's source address (its lo0 if
! telnet is sourced from there); 155.1.1.1 is R1's loopback from the question.
access-list 101 permit tcp host R2 host 155.1.1.1 eq telnet
access-list 101 permit tcp host R4 host 155.1.1.1 eq telnet
access-list 101 permit tcp host R5 host 155.1.1.1 eq telnet
access-list 101 permit tcp host S1 host 155.1.1.1 eq telnet
access-list 101 deny tcp any host 155.1.1.1 eq telnet
access-list 101 permit ip any any
(Now I might take a moment and include a line for each interface's IP address on a per-device basis, just in case I was not sure which interface they were coming from.) Otherwise you may be allowing their loopback but not allowing their serial or Ethernet interface.
It's 1 am - did this answer the question? Did I miss anything? I'm in the middle of a lab myself at the moment. But hey, my per-interface connectivity is a go, meaning my vlan interfaces are working, my BB is connected x3, my etherchannels are up and frame is 100%, and it took me... about 45 minutes... I also got my routing protocol working on the main frame cloud too... little issue with network type - but no biggie...
Turn the console logging on - it is a wonderful thing.
OK - my rack calls...
--- H Wong <hwmwm123@yahoo.com> wrote:
> Guys,
>
> I'm trying to configure application level access
> control on only a few routers in my POD. I want to
> configure such that Telnet is only possible from a
> few routers and switches in the network (eg. R2, R4,
> R5 & SW1) to R1's loopback (155.1.1.1).
>
> What's the best way to do this. I have tried to do
> this with the following access list:
>
> access-list 101 permit tcp any host 155.1.1.1 any
> eq telnet
> access-list 101 deny tcp any any eq telnet
> access-list 101 permit ip any any
> access-list 101 deny ip host 155.1.1.1 any
> access-list 101 permit ip any any
>
> int s0/0/0
> ip access-group 101 in
> ip access-group 101 out
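Added example, not code from either post: a small first-match evaluator for the extended-ACL syntax used in this thread. It parses the posted ACL 101 (with the stray second "any" on its first line removed, since IOS rejects that entry) and the restricted version from the reply, runs a few constructed flows through each with IOS first-match semantics and the implicit deny, and reports entries that can never be reached. The loopback addresses for R2/R4/R5/SW1 and the address of R2's serial link are assumptions made up for the example; only 155.1.1.1 comes from the thread.

```python
"""First-match evaluator for the IOS-style extended ACL entries used in this thread.

Parses only the subset the thread uses:
    access-list <n> permit|deny ip|tcp <src> <dst> [eq <port>]
with <src>/<dst> being 'any' or 'host A.B.C.D'. Applies IOS first-match
semantics plus the implicit deny, and flags entries that can never be reached.
"""
from dataclasses import dataclass
from typing import Optional

PORTS = {"telnet": 23, "ssh": 22}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # "any" or a host address
    dst: str
    dport: Optional[int]        # None = any destination port
    text: str                   # original line, kept for reporting

    def _covers(self, proto, src, dst, dport) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and (self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst)
                and (self.dport is None or self.dport == dport))

    def matches(self, p: Packet) -> bool:
        return self._covers(p.proto, p.src, p.dst, p.dport)

    def covers(self, other: "Rule") -> bool:
        """True if every packet 'other' could match is already matched by self."""
        return self._covers(other.proto, other.src, other.dst, other.dport)

def _addr(t: list, i: int):
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(t)}")

def parse_acl(text: str) -> list:
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):     # IOS comment lines
            continue
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line}")
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORTS.get(t[i + 1]) or int(t[i + 1])
            i += 2
        if i != len(t):                          # e.g. a stray extra "any"; IOS rejects it too
            raise ValueError(f"trailing tokens in: {line}")
        rules.append(Rule(action, proto, src, dst, dport, line))
    return rules

def evaluate(rules: list, p: Packet):
    """Return (action, matched entry); the implicit deny reports None as the entry."""
    for r in rules:
        if r.matches(p):
            return r.action, r.text
    return "deny", None

def shadowed(rules: list) -> list:
    """Entries that can never match because an earlier entry covers them."""
    return [b.text for j, b in enumerate(rules) if any(a.covers(b) for a in rules[:j])]

# The ACL from the original post, minus the stray second "any" on its first
# line (IOS would reject that entry outright).
POSTED_ACL = """
access-list 101 permit tcp any host 155.1.1.1 eq telnet
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
access-list 101 deny ip host 155.1.1.1 any
access-list 101 permit ip any any
"""

# The restricted ACL from the reply, with ASSUMED Loopback0 addresses in place
# of the R2/R4/R5/S1 placeholders; only 155.1.1.1 comes from the thread.
R2_LO, R4_LO, R5_LO, SW1_LO = "155.1.2.2", "155.1.4.4", "155.1.5.5", "155.1.7.7"
R2_SERIAL = "155.1.12.2"         # assumed address of R2's link toward R1
RESTRICTED_ACL = f"""
access-list 101 permit tcp host {R2_LO} host 155.1.1.1 eq telnet
access-list 101 permit tcp host {R4_LO} host 155.1.1.1 eq telnet
access-list 101 permit tcp host {R5_LO} host 155.1.1.1 eq telnet
access-list 101 permit tcp host {SW1_LO} host 155.1.1.1 eq telnet
access-list 101 deny tcp any host 155.1.1.1 eq telnet
access-list 101 permit ip any any
"""

SAMPLES = {                      # constructed traffic arriving inbound on R1 s0/0/0
    "R2 lo0 -> R1 lo0 telnet":    Packet(R2_LO, "155.1.1.1", "tcp", 23),
    "R2 serial -> R1 lo0 telnet": Packet(R2_SERIAL, "155.1.1.1", "tcp", 23),
    "stranger -> R1 lo0 telnet":  Packet("155.1.9.9", "155.1.1.1", "tcp", 23),
    "stranger -> R1 lo0 icmp":    Packet("155.1.9.9", "155.1.1.1", "icmp"),
}

def verdicts(acl_text: str) -> dict:
    """Map each sample flow to permit/deny under the given ACL text."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, p)[0] for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("restricted", RESTRICTED_ACL)):
        print(f"== {label} ACL 101 ==")
        for name, verdict in verdicts(acl).items():
            print(f"  {name:28s} {verdict}")
        for dead in shadowed(parse_acl(acl)):
            print(f"  unreachable: {dead}")
```

Running it shows the two problems the reply is pointing at: the posted ACL permits telnet to 155.1.1.1 from every source, because its very first entry does, and its last two entries sit behind `permit ip any any` and can never match. The restricted ACL only admits the listed sources, but it drops R2's telnet when R2 sources the session from its serial address rather than its loopback, which is the "allowing their loopback but not their serial" caveat; on a Cisco router that source is fixed with `ip telnet source-interface Loopback0` on R2, or by also permitting R2's serial address as the reply suggests.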
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:21 ART