Hmm, the management-interface command only seems to be documented in a 12.4T
feature guide, not in the actual documentation itself? So far I can't find
it in the master index at all or in the CPP configuration guide using the
usual "if you can't figure it out, Ctrl-F and look for likely keywords"
strategy. Nice one, Cisco.
ZBF is one I hadn't considered. Good one!
A control plane host port-filter matching non-SSH traffic is probably where
I would have ended up (was doing this as a "paper lab" and for some reason
the "Securing the Control Plane" PDF isn't on my iPad).
Thanks all,
B*
On Tue, Jul 6, 2010 at 6:19 AM, Thad Swashesed <gfy.ccie_at_gmail.com> wrote:
> There are some different options, depending on how much you want to
> complicate things.
>
>
> "management-interface" command under "control-plane host"
>
> Technically, this will not restrict the address that you are connecting to,
> but which interface the connection is coming into.
>
> So, traffic coming into G0/0 with destination of a loopback would still be
> allowed.
>
>
> Another option, though not as likely, would be to put everything else into
> VRFs. (By default, management from a vrf interface is not allowed, unless
> you have the "vrf-also" option specified on the access-class statement).
> Putting all the other interfaces into a VRF would mess with your routing,
> however.
>
> Similarly, this could be achieved with ZBF and policies to self, but that would
> be a much more complex answer.
>
> On Tue, Jul 6, 2010 at 6:00 AM, Brian Landers <brian_at_bluecoat93.org> wrote:
>
>> Working through a Security practice lab and I'm drawing a blank on this
>> one.
>>
>> * enable access control on R4 to allow management access via the R4 gi0/1
>> interface only
>>
>> * management traffic to any other interfaces should be dropped
>>
>> * do not use interface access control list to achieve this task
>>
>> * do not use vty ACL to achieve this task
>>
>> R4 gi0/1 has a single host behind it (R3), which has a 0/0 route pointing to
>> R4. So far, the only thing I'm coming up with is PBR to null route any
>> traffic to interface IP's other than gi0/1, but without testing I'm not sure
>> that will work to router-local traffic.
>>
>> B*
>>
>>
>> --
>> Brian C Landers
>> http://www.packetslave.com/
>> CCIE #23115
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
--
Brian C Landers
http://www.packetslave.com/
CCIE #23115

Received on Tue Jul 06 2010 - 06:31:58 ART
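For reference, here is what the `management-interface` approach Thad describes looks like as an R4 configuration. This is an added example, not configuration posted by anyone in the thread; it assumes the management interface is GigabitEthernet0/1 (the lab's "R4 gi0/1") and that SSH is the only management protocol the task requires.

```cisco
! Added example (not from the thread): Management Plane Protection (MPP) on R4.
! Assumes the designated management interface is GigabitEthernet0/1 and that
! SSH is the only management protocol needed.
!
! MPP requires CEF to be enabled.
ip cef
!
! Designate Gi0/1 as the only interface on which management-plane protocols
! are accepted. SSH arriving on Gi0/1 reaches the router; SSH (and the other
! MPP-covered protocols: telnet, http, https, snmp, ftp, tftp, beep, tl1)
! arriving on any other interface is dropped.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh
!
! Limit the vty lines to SSH so Gi0/1 itself does not expose telnet.
! This is a transport restriction, not an ACL, so it stays within the
! task's "no vty ACL" constraint.
line vty 0 4
 transport input ssh
```

Verify with `show management-interface`, which lists the designated interface and the protocols allowed on it. Two caveats worth keeping in mind: as noted above, MPP filters on the ingress interface rather than the destination address, so a packet entering Gi0/1 addressed to a loopback is still accepted; and MPP only governs the listed management protocols, so other traffic to the router's own addresses (ICMP, routing protocols) is unaffected and would need a control-plane host port-filter or ZBF self-zone policy if it also had to be restricted.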
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART