Re: Telnet access outbound on VTY ports not sidestepped by local PBR?

From: Peter Dervan <petesccie_at_gmail.com>
Date: Sun, 19 Aug 2012 14:24:13 +0100

Thanks David, knew it was something simple!
PS: just tested with the ACL under the interface instead of under the VTY...
the PBR trick does affect this traffic as expected (i.e. locally generated
traffic was only affected by the ACL when PBR pointing to the loopback was in
place).

Cheers
Peter

On 19/08/2012 14:10, David Prall wrote:
> Are you connected to the router's console? If so, then you need to apply the
> access-class to line con.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Peter Dervan
> Sent: Sunday, August 19, 2012 9:02 AM
> To: ccielab_at_groupstudy.com
> Subject: Telnet access outbound on VTY ports not sidestepped by local PBR?
>
> Hi guys,
> Very small question regarding applying local PBR to a router. I have
> seen (and tested) that if you want to test, for example, reflexive ACLs
> on a router, using traffic generated by the router, one way to get
> this working is to set up a PBR matching all traffic and send it to a
> loopback interface. I think we have all seen this "trick" before for
> various testing of security services etc. (I think the same applies to ip
> inspect etc.?).
> My question relates this trick/tactic to restricting telnet traffic
> outbound under the VTY lines using "access-class 23 out", for example. I
> know this command only usually applies to telnet traffic that is
> initiated from a user who is telnetted into the router. I tried getting
> around this by using the PBR "trick" mentioned already, and it did not
> work. My telnet traffic was not affected by the ACL in place. Can anyone
> explain why this didn't work? I'm sure it's probably very simple, but I
> was expecting the access-class command to take effect once I enabled a
> local PBR and bounced traffic to a loopback first.
>
> any words of wisdom much appreciated as usual...
>
> Pete (Ireland)
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Aug 19 2012 - 14:24:13 ART
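The two behaviours the thread describes side by side, as an added example that is not from the original posts. It is an IOS configuration fragment written to reproduce the test Peter ran: an "access-class ... out" on the lines, which only governs telnet sessions a logged-in user opens from that line (so it must sit on line con when you test from the console, as David points out), and the local-PBR-to-loopback trick, under which router-originated telnet does pass an interface ACL applied to the loopback. All addresses, names and the choice of "set interface Loopback0" as the bounce mechanism are assumptions made for the example.

```cisco
! Added example (not from the thread). Hypothetical addressing:
! this router is 10.0.0.1, the telnet target is 10.0.0.2.
!
! --- Part 1: access-class on the lines -------------------------------------
! For "access-class ... out" the standard ACL's address field is checked against
! the DESTINATION of the telnet the user on that line tries to open.
access-list 23 deny   10.0.0.2
access-list 23 permit any
!
line vty 0 4
 access-class 23 out          ! applies to users who are telnetted into the router
line con 0
 access-class 23 out          ! needed when the test is run from the console (David's point)
!
! --- Part 2: local PBR to a loopback so router-originated traffic hits an
!     interface ACL (the "trick"; it does not make access-class apply) --------
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 ip access-group BLOCK-TELNET out   ! interface ACL; matched only after the bounce
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
ip access-list extended BLOCK-TELNET
 deny   tcp any any eq telnet log
 permit ip any any
!
! Match only the test traffic; "permit ip any any" here would also bounce
! routing-protocol and management traffic originated by the router.
ip access-list extended ROUTER-TELNET
 permit tcp any any eq telnet
!
route-map LOCAL-TO-LO0 permit 10
 match ip address ROUTER-TELNET
 set interface Loopback0             ! assumption: loopback bounce via set interface
!
ip local policy route-map LOCAL-TO-LO0
!
! --- Verification (run from the console) ------------------------------------
! Router# telnet 10.0.0.2
!   with only Part 1 on line vty: connection proceeds (console session, no match)
!   with Part 1 on line con:      "% Connections to that host not permitted from this terminal"
!   with Part 2 in place:         no "ip local policy" -> connection proceeds,
!                                 ACL counters stay at 0;
!                                 "ip local policy" on -> denied, and
!                                 "show access-lists BLOCK-TELNET" shows the deny counter
!                                 incrementing ("debug ip policy" shows the bounce).
```

The practical check is the deny counter on BLOCK-TELNET: if it does not move when the router telnets out, the local policy is not catching the packet, which is exactly the symptom the thread describes when only access-class was used, because access-class is evaluated at the line (session) level rather than on the forwarding path the PBR bounce creates.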

This archive was generated by hypermail 2.2.0 : Sat Sep 01 2012 - 08:41:18 ART