[c-nsp] vty access-list

Fred Reimer freimer at ctiusa.com
Thu Sep 13 11:12:05 EDT 2007


If the device supports CPP can't you put an ACL on the
control-plane to handle all interfaces at once?

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daubman
Sent: Thursday, September 13, 2007 10:58 AM
To: C and C Dominte
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] vty access-list

Catalin,

...
> Is this a normal behavior of the IOS, to block access to all
the ip's, including to the one that is supposed to be allowed?

While not explicitly called out, I believe the intent is to use a
'standard' access list with one's vty access-class statements. To
that end, an extended list that specifies a destination as well as a
source will deny all traffic.

I would hazard a guess that this is due to the fact that one's
destination is no longer the external interface IP address used to
reach the router at this point, but rather the internal VTY...  I
believe the only way to restrict SSH access to a specific IP on the
router is to apply the appropriate extended access list entries to
each router interface, which, given enough processing overhead, is
probably a good idea anyway...

See:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ec2.html
for the implied restriction to use only standard access lists...

Regards,
     ~Aaron
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
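The two approaches raised in this thread side by side, as an added IOS configuration example that is not from either poster: the vty access-class form Aaron points at, built on a standard ACL so only the source is matched, and the control-plane policy Fred suggests, which covers every interface at once. The management host 192.0.2.10, the ACL and class-map names, and the policer rate are assumptions chosen for illustration.

```cisco
! --- Option 1: access-class on the vty lines (standard ACL, source only) ---
! A standard list has no destination field, so it sidesteps the behaviour
! described above where an extended list with a specific destination
! matches nothing and ends up denying every host.
ip access-list standard VTY-MGMT
 remark management station (assumed address)
 permit 192.0.2.10
 deny   any log
!
! Apply to every vty the box has, not just 0-4; an unprotected vty 5-15
! is a common way for this filter to be silently bypassed.
line vty 0 15
 access-class VTY-MGMT in
 transport input ssh
!
! Verify: 'show line vty 0 15' lists the access-class per line, and
! 'show access-lists VTY-MGMT' shows hit counts on the deny entry.

! --- Option 2: CoPP on the control plane (all interfaces at once) ---
! In a CoPP class the ACL's permit entries select the packets the class
! acts on, so the trusted host is 'deny' (not selected, falls through to
! class-default) and everyone else's SSH/telnet is 'permit' (selected and
! dropped). Read the ACL as a classifier, not as a filter.
ip access-list extended COPP-MGMT-UNWANTED
 remark trusted management station is excluded from the drop class
 deny   tcp host 192.0.2.10 any eq 22
 permit tcp any any eq 22
 permit tcp any any eq 23
!
class-map match-all COPP-MGMT-UNWANTED
 match access-group name COPP-MGMT-UNWANTED
!
! 'police ... conform-action drop exceed-action drop' is used instead of
! the bare 'drop' action so the policy loads on older IOS trains too.
policy-map COPP
 class COPP-MGMT-UNWANTED
  police 8000 conform-action drop exceed-action drop
 class class-default
!
control-plane
 service-policy input COPP
!
! Verify: 'show policy-map control-plane' shows per-class packet and
! drop counters; a non-zero drop count on COPP-MGMT-UNWANTED after an
! SSH attempt from an untrusted host confirms the policy is in effect.
```

The two options are not exclusive: CoPP protects the route processor from anything destined to it on any interface, while the vty access-class is still worth keeping as a second, simpler gate on the lines themselves, and is what the vrf-also keyword (where the platform offers it) extends to connections arriving through a VRF.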