[c-nsp] Filtering telnet without ACL

Saku Ytti saku+cisco-nsp at ytti.fi
Mon Aug 11 04:21:43 EDT 2008


On (2008-08-11 11:13 +0300), Joost greene wrote:

> I forgot to mention that the question said to limit telnet access to
> loopback of two routers without using Access lists so I can see your answer
> makes sense but what do you mean by MPLS LSR?

LSR = Label Switch(ing) Router. Essentially it's an MPLS network core router;
one of its features by design is that it does not need IP routes
to the Internet, it only needs IP routes to other core and edge routers.
So as you don't have a route back to the chap telnetting to your box,
telnet cannot establish. To allow some hosts to telnet, simply make
a static route for those hosts towards some box which has a route
back to them.


> Thanks,
> Joost
> 
> On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti
> <saku+cisco-nsp at ytti.fi> wrote:
> 
> > On (2008-08-01 15:14 +0200), Joost greene wrote:
> >
> > Hey,
> >
> > > Someone challenged me with a question on how I can filter telnet access to
> > > one router from all hosts except two of them WITHOUT using access-lists or
> > > access-line under the VTY? Any ideas?
> >
> > I assume the challenge was set because the asker knows how to do it. If not,
> > then I think the challenge should be how to make the router output PONIES.
> > Anyhow, I think CoPP, rACL and policy-route would break the
> > 'no acl' definition and wouldn't be an acceptable solution.
> >
> > I think what would fit the rule is an MPLS LSR where you'd only
> > have a route back to a couple of management hosts and others couldn't
> > telnet to the box, simply because the box doesn't have a route to them.
> > Of course everyone in your IGP could telnet to the box also.
> >
> > --
> >   ++ytti

-- 
  ++ytti
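
The return-route reasoning in this message, as an added example that is not part of the original post: a longest-prefix-match lookup over a constructed routing table for a hypothetical LSR, showing which sources can complete a TCP handshake and which table entries widen that set. All prefixes, next hops and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed RIB for a hypothetical LSR: IGP routes to core/edge routers plus
# static host routes for two management hosts. There is no default route.
RIB = [
    ("10.0.0.0/24", "igp", "core and edge loopbacks"),
    ("10.0.1.0/24", "igp", "core links"),
    ("192.0.2.10/32", "static", "mgmt host A via 10.0.1.2"),
    ("192.0.2.11/32", "static", "mgmt host B via 10.0.1.2"),
]

def lookup(rib, addr):
    """Longest-prefix match; returns (network, proto, note) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, proto, note in rib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proto, note)
    return best

def can_establish(rib, src):
    """The SYN may arrive, but the SYN-ACK needs a route back to src."""
    return lookup(rib, src) is not None

def audit(rib):
    """List entries that let more than a single host get replies from the box."""
    findings = []
    for prefix, proto, _note in rib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            findings.append(f"{prefix}: default route, every source gets a reply")
        elif net.prefixlen < net.max_prefixlen:
            findings.append(f"{prefix}: {proto} route, any host inside can connect")
    return findings

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "10.0.0.5"):
        state = "can establish" if can_establish(RIB, src) else "no return route"
        print(f"{src}: {state}")
    for finding in audit(RIB):
        print("audit:", finding)
```

The two IGP prefixes flagged by `audit` correspond to the caveat in the quoted message that everyone in the IGP can still telnet to the box.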

