Hi,
I guess I am missing something, but we need to define a
class-map, correct? But the class map can match a protocol like telnet
and also an ip access-list (but not prefix-list)? But then the
access-list would violate the RACL rule as Splinter stated?
Just missing some concept or misread something possibly.
Thanks
Rich
On Wed, May 27, 2009 at 1:15 PM, Scott Morris <swm_at_emanon.com> wrote:
> Absolutely. Match all in mqc class, nbar + prefix list. Good stuff.
>
> *Scott Morris*, CCIE/x4/ (R&S/ISP-Dial/Security/Service Provider) #4713,
>
> JNCIE-M #153, JNCIS-ER, CISSP, et al.
>
> CCSI #21903, JNCI-M, JNCI-ER
>
> swm_at_emanon.com
>
>
> Knowledge is power.
>
> Power corrupts.
>
> Study hard and be Eeeeviiiil......
>
>
>
> Joe Astorino wrote:
>> What about using a prefix-list instead : )
>>
>>
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347 (R&S)
>> Sr. Support Engineer IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>>
>> -----Original Message-----
>> From: Splinter <splinter330_at_gmail.com>
>>
>> Date: Wed, 27 May 2009 20:05:40
>> To: <jastorino_at_ipexpert.com>
>> Cc: CCIE Groupstudy<ccielab_at_groupstudy.com>
>> Subject: Re: Telnet Control
>>
>>
>> Hi all,
>>
>> sorry did not elaborate on the question,
>>
>> it should have said that telnet needs to be sourced from the loopback
>> interfaces only.
>>
>> NBAR will drop all telnet traffic and would not work in this regard.
>>
>> I think that you can only use MQC with acls then.
>>
>> Splinter
>>
>> On Wed, May 27, 2009 at 7:58 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>>
>>> Well I certainly agree with Ryan's solution too!
>>>
>>> Regards,
>>>
>>> Joe Astorino
>>> CCIE #24347 (R&S)
>>> Sr. Support Engineer IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>> ------------------------------
>>> *From*: Splinter
>>> *Date*: Wed, 27 May 2009 19:54:39 +0200
>>> *To*: <jastorino_at_ipexpert.com>
>>> *Subject*: Re: Telnet Control
>>> Sorry Joe,
>>>
>>> did not mention that you must only allow from certain interfaces.
>>>
>>> Splinter
>>>
>>> On Wed, May 27, 2009 at 7:51 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>>
>>>
>>>> Hmmmmmm "no transport input telnet" for NO connections.
>>>>
>>>>
>>>> ------Original Message------
>>>> From: Splinter
>>>> Sender: nobody_at_groupstudy.com
>>>> To: CCIE Groupstudy
>>>> ReplyTo: Splinter
>>>> Subject: Telnet Control
>>>> Sent: May 27, 2009 1:32 PM
>>>>
>>>> Hi,
>>>>
>>>> Is there any other way to configure telnet access control without using
>>>> ACLs?
>>>>
>>>>
>>>> I know it can be done with MQC, but then you will be using ACLs to
>>>> accomplish this task.
>>>>
>>>> any feedback would be great.
>>>>
>>>> Splinter
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>> Regards,
>>>>
>>>> Joe Astorino
>>>> CCIE #24347 (R&S)
>>>> Sr. Support Engineer IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>>>
Received on Thu May 28 2009 - 12:26:59 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART