[c-nsp] Filtering telnet without ACL
Iassen Anadoliev
korio at korio.org
Fri Aug 1 10:38:55 EDT 2008
On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how i can filter telnet access to
> one router from all hosts except two of them WITHOUT using access-lists or
> access-line under the VTY? any ideas?
>
> Regards,
> Joost
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
Well, if we assume that this is an Ethernet network and the hosts are
within our broadcast domain, I think you can use MQC + NBAR, something like:

! permitted hosts, defined first so PERMIT_TELNET can reference it
class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac xxx.xxx.xxx
 match source-address mac yyy.yyy.yyy
 exit
! telnet from a permitted host
class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
 exit
! any other telnet
class-map DENY_TELNET
 match protocol telnet
 exit
policy-map IN_FE0/0
 class PERMIT_TELNET
  bandwidth remaining percent 100
 class DENY_TELNET
  drop
interface FastEthernet0/0
 service-policy input IN_FE0/0

--
WWell by
Iassen Anadoliev
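
Added example (not part of the original post, and not Cisco code): a small Python model of how the policy above classifies packets, where the first matching class wins. It assumes NBAR's telnet match can be modelled as TCP destination port 23, and it uses constructed MAC addresses in place of the post's xxx/yyy placeholders.

```python
# Simplified model of MQC classification for the policy in the post.
# Constructed MACs replace the post's placeholders; not Cisco's implementation.
CONFIG = """\
class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac 0000.0c00.0001
 match source-address mac 0000.0c00.0002
class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
class-map DENY_TELNET
 match protocol telnet
policy-map IN_FE0/0
 class PERMIT_TELNET
  bandwidth remaining percent 100
 class DENY_TELNET
  drop
"""

def parse(text):
    """Return (class_maps, policy); policy is an ordered list of (class, actions)."""
    cmaps, policy, cur = {}, [], None
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] == "class-map":
            mode = "match-any" if "match-any" in w else "match-all"  # IOS default
            cur = cmaps.setdefault(w[-1], (mode, []))[1]
        elif w[0] == "match":
            cur.append(w[1:])
        elif w[0] == "class":
            policy.append((w[1], []))
        elif policy:
            policy[-1][1].append(" ".join(w))
    return cmaps, policy

def matches(cmaps, name, pkt):
    mode, rules = cmaps[name]
    def one(r):
        if r[0] == "protocol":  # assumption: telnet == TCP destination port 23
            return r[1] == "telnet" and pkt["proto"] == "tcp" and pkt["dport"] == 23
        if r[0] == "source-address":
            return pkt["src_mac"] == r[2]
        return r[0] == "class-map" and matches(cmaps, r[1], pkt)
    return (all if mode == "match-all" else any)(map(one, rules))

def verdict(pkt, config=CONFIG):
    cmaps, policy = parse(config)
    for name, actions in policy:  # first matching class wins
        if matches(cmaps, name, pkt):
            return "drop" if "drop" in actions else "forward"
    return "forward"  # class-default: no action configured
```

No class in the policy matches on destination, so the verdict is the same for telnet addressed to the router and for telnet passing through it on that interface, and the only host identity checked is the source MAC address.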