[c-nsp] Filtering telnet without ACL

Ben Steele ben.steele at internode.on.net
Fri Aug 1 19:54:55 EDT 2008


I like the answer from Iassen, while it does leave some question as to where 
the source packet comes from, though, as he has assumed a local broadcast 
segment. I guess you could add to your answer: should the packet be from 
beyond a layer 3 boundary, then the 2 hosts can be requested to mark traffic 
(or even a different router along the path mark it) to match in your class 
map on this router; that way you still avoid ACLs but meet the question 
requirements. That is a stupid way of doing it though, as it's not very 
secure should someone learn the magic ToS bit to use to get telnet access :)


----- Original Message ----- 
From: "Iassen Anadoliev" <korio at korio.org>
To: "Joost greene" <joost.greene at gmail.com>
Cc: <cisco-nsp at puck.nether.net>
Sent: Saturday, August 02, 2008 12:08 AM
Subject: Re: [c-nsp] Filtering telnet without ACL


>
> On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
>> Hello,
>>
>> Someone challenged me with a question on how I can filter telnet access to
>> one router from all hosts except two of them WITHOUT using access-lists or
>> access-line under the VTY? Any ideas?
>>
>> Regards,
>> Joost
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> Well if we assume that this is an ethernet network and the hosts are
> within our broadcast domain I think you can use MQC = NBAR something like:
>
> class-map match-all PERMIT_TELNET
> match protocol telnet
> match class-map PERMIT_TELNET_HOSTS
> exit
>
> class-map match-any PERMIT_TELNET_HOSTS
> match source-address mac xxx.xxx.xxx
> match source-address mac yyy.yyy.yyy
> exit
>
> class-map DENY_TELNET
> match protocol telnet
> exit
>
> policy-map IN_FE0/0
> class PERMIT_TELNET
> bandwidth remaining percent 100
> class DENY_TELNET
> drop
>
> int fastether0/0
> service-policy input IN_FE0/0
>
> -- 
> Well by
> Iassen Anadoliev
>
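To make the evaluation order of Iassen's policy-map explicit, here is an added example (not from the thread, and a Python model rather than IOS) of how a frame is classified: PERMIT_TELNET is a match-all class that nests the match-any PERMIT_TELNET_HOSTS, and the policy-map is walked top to bottom with the first matching class deciding. The class-map names follow the posted config; the two MAC addresses standing in for xxx/yyy, the frame fields and the sample frames are constructed for illustration. The example also shows what happens if the two classes are listed in the other order, which the post does not spell out.

```python
"""Model of the posted MQC/NBAR telnet filter (added example, not IOS).

Class-map semantics modelled here:
  match-all  -> every match statement must be true (logical AND)
  match-any  -> at least one match statement must be true (logical OR)
  policy-map -> classes evaluated in order, first match wins,
                anything unmatched falls into the implicit class-default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Fields the posted class-maps look at; constructed for this model."""
    src_mac: str      # Ethernet source address as the router sees it
    protocol: str     # what NBAR would classify the flow as, e.g. "telnet"


# Constructed stand-ins for the xxx.xxx.xxx / yyy.yyy.yyy placeholders.
PERMIT_TELNET_HOSTS_MACS = frozenset({"0000.1111.aaaa", "0000.2222.bbbb"})


def permit_telnet_hosts(frame: Frame) -> bool:
    """class-map match-any PERMIT_TELNET_HOSTS: any listed source MAC."""
    return frame.src_mac in PERMIT_TELNET_HOSTS_MACS


def permit_telnet(frame: Frame) -> bool:
    """class-map match-all PERMIT_TELNET: telnet AND nested host class."""
    return frame.protocol == "telnet" and permit_telnet_hosts(frame)


def deny_telnet(frame: Frame) -> bool:
    """class-map DENY_TELNET (match-all by default): any telnet."""
    return frame.protocol == "telnet"


# policy-map IN_FE0/0 as posted: permit class first, then the drop class.
POLICY_IN_FE0_0 = [
    ("PERMIT_TELNET", permit_telnet, "forward"),
    ("DENY_TELNET", deny_telnet, "drop"),
]


def apply_policy(policy, frame: Frame):
    """Walk the policy-map top to bottom; the first matching class decides."""
    for class_name, matches, action in policy:
        if matches(frame):
            return class_name, action
    return "class-default", "forward"


# Constructed sample frames: a permitted host, an unlisted host, non-telnet.
SAMPLE_FRAMES = {
    "listed_host_telnet": Frame("0000.1111.aaaa", "telnet"),
    "other_host_telnet": Frame("0000.9999.ffff", "telnet"),
    "other_host_ssh": Frame("0000.9999.ffff", "ssh"),
}


def classify_all(policy=POLICY_IN_FE0_0):
    """Return {sample name: action} for every sample frame under a policy."""
    return {name: apply_policy(policy, f)[1] for name, f in SAMPLE_FRAMES.items()}


def classify_all_reversed():
    """Same classes in the opposite order: DENY_TELNET now catches every
    telnet frame first, so the permitted hosts are dropped as well."""
    return classify_all(list(reversed(POLICY_IN_FE0_0)))


if __name__ == "__main__":
    for sample, action in classify_all().items():
        print(f"{sample:22s} -> {action}")
    print("reversed order:", classify_all_reversed())
```

The reversed-order function is the point a practitioner would check before deploying: with DENY_TELNET listed first, the permit class is never reached. The model also makes visible what the filter actually trusts, namely a source field the sending host controls, which is the same weakness Ben raises for a ToS-marking variant.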


