Re: Restrict SSH access without VTY/Interface ACL -- drawing a

From: Thad Swashesed <gfy.ccie_at_gmail.com>
Date: Tue, 6 Jul 2010 06:19:24 -0700

There are some different options, depending on how much you want to
complicate things.

"management-interface" command under "control-plane host"

Technically, this will not restrict the address that you are connecting to,
but which interface the connection is coming into.

So, traffic coming into G0/0 with destination of a loopback would still be
allowed.

Another option, though not as likely, would be to put everything else into
VRFs. (By default, management from a vrf interface is not allowed, unless
you have the "vrf-also" option specified on the access-class statement).
Putting all the other interfaces into a VRF would mess with your routing,
however.

Similarly, this could be achieved with ZBF and policies to self, but that would
be a much more complex answer.

On Tue, Jul 6, 2010 at 6:00 AM, Brian Landers <brian_at_bluecoat93.org> wrote:

> Working through a Security practice lab and I'm drawing a blank on this
> one.
>
> * enable access control on R4 to allow management access via the R4 gi0/1
> interface only
>
> * management traffic to any other interfaces should be dropped
>
> * do not use interface access control list to achieve this task
>
> * do not use vty ACL to achieve this task
>
> R4 gi0/1 has a single host behind it (R3), which has a 0/0 route pointing
> to
> R4. So far, the only thing I'm coming up with is PBR to null route any
> traffic to interface IP's other than gi0/1, but without testing I'm not
> sure
> that will work to router-local traffic.
>
> B*
>
>
> --
> Brian C Landers
> http://www.packetslave.com/
> CCIE #23115
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
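
As an added illustration of the first option in the reply above (the "management-interface" command under "control-plane host"), the configuration below is example text and not part of the original thread; it assumes R4's management interface is GigabitEthernet0/1 and that SSH is the only management protocol to permit.

```cisco
! Added example (not from the original thread): Management Plane Protection on R4.
! Assumes GigabitEthernet0/1 is the only interface that should accept SSH
! to the router itself; SSH arriving on any other interface is dropped.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh
!
! Check which interfaces and protocols are currently designated:
! show management-interface
```

Note the caveat from the reply: this filters on the ingress interface, not the destination address, so an SSH session arriving via Gi0/1 but addressed to a loopback is still accepted.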

Received on Tue Jul 06 2010 - 06:19:24 ART