[c-nsp] Filtering telnet without ACL

Joost greene joost.greene at gmail.com
Mon Aug 11 04:36:33 EDT 2008


Ok, I thought this was a feature I didn't know about :)

I guess the answer would be PBR with prefix-list.

Thank you all.

On Mon, Aug 11, 2008 at 11:21 AM, Saku Ytti <saku+cisco-nsp at ytti.fi> wrote:

> On (2008-08-11 11:13 +0300), Joost greene wrote:
>
> > I forgot to mention that the question said to limit telnet access to
> > the loopback of two routers without using access lists, so I can see your
> > answer makes sense, but what do you mean by MPLS LSR?
>
> LSR = Label Switch(ing) Router. Essentially it's an MPLS network core router;
> one of its features by design is that it does not need IP routes
> to the Internet, it only needs IP routes to other core and edge routers.
>  So as you don't have a route back to the chap telnetting to your box,
> telnet cannot establish. To allow some hosts to telnet, simply make
> a static route for those hosts towards some box which has a route
> back to them.
>
>
> > Thanks,
> > Joost
> >
> > On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti <saku+cisco-nsp at ytti.fi> wrote:
> >
> > > On (2008-08-01 15:14 +0200), Joost greene wrote:
> > >
> > > Hey,
> > >
> > > > Someone challenged me with a question on how I can filter telnet access to
> > > > one router from all hosts except two of them WITHOUT using access-lists
> > > > or access-class under the VTY? Any ideas?
> > >
> > >  I assume the challenge was set because the asker knows how to do it. If not,
> > > then I think the challenge should be how to make the router output PONIES.
> > >  Anyhow, I think CoPP, rACL and policy-route would break the
> > > 'no acl' definition and wouldn't be an acceptable solution.
> > >
> > >  I think what would fit the rule is an MPLS LSR where you'd only
> > > have a route back to a couple of management hosts and others couldn't
> > > telnet to the box, simply because the box doesn't have a route to them.
> > >  Of course everyone in your IGP could telnet to the box also.
> > >
> > > --
> > >   ++ytti
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
>
> --
>   ++ytti
>
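The routing-based "filter" Saku describes above, as an added example that is not part of the thread and not anyone's router configuration: a small Python simulation of a longest-prefix-match routing table (RIB) deciding whether the router can send a SYN-ACK back to a telnet client. The prefixes and next hops are constructed documentation-range placeholders. It shows the two caveats raised in the thread: any host covered by a core or IGP prefix still gets in, and a single default route removes the restriction entirely.

```python
import ipaddress

# Constructed routing tables for the "MPLS LSR" idea from the thread: the box
# carries routes only to the core link and to two management hosts. All
# addresses are documentation-range placeholders, not real devices.

def build_rib(routes):
    """routes: iterable of (prefix string, next-hop string). Returns a parsed RIB."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]

def lookup(rib, destination):
    """Longest-prefix-match lookup. Returns the next hop, or None when no route
    covers the destination (the router would drop the packet)."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, next_hop in rib:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return best[1] if best else None

def telnet_handshake_completes(rib, client_ip):
    """The client's SYN reaches us regardless of our own RIB, but our SYN-ACK
    needs a return route; without one the TCP session never opens."""
    return lookup(rib, client_ip) is not None

def hosts_that_can_telnet(rib, candidate_ips):
    """Which of the candidate source addresses would get a working telnet session."""
    return [ip for ip in candidate_ips if telnet_handshake_completes(rib, ip)]

CORE_LINK = ("10.0.0.0/24", "connected")      # link towards the rest of the IGP
MGMT_HOST_A = ("192.0.2.10/32", "10.0.0.1")    # static /32 via a box that has a route back
MGMT_HOST_B = ("192.0.2.11/32", "10.0.0.1")

# RIB the thread proposes: core plus two host routes, no default route.
MANAGEMENT_ONLY_RIB = build_rib([CORE_LINK, MGMT_HOST_A, MGMT_HOST_B])

# The same box after someone adds a default route: the restriction silently vanishes.
WITH_DEFAULT_RIB = build_rib([CORE_LINK, MGMT_HOST_A, MGMT_HOST_B, ("0.0.0.0/0", "10.0.0.1")])

# Constructed sources: the two management hosts, an outside host, and an IGP neighbour.
CANDIDATES = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "10.0.0.5"]

if __name__ == "__main__":
    print("no default route:  ", hosts_that_can_telnet(MANAGEMENT_ONLY_RIB, CANDIDATES))
    print("with default route:", hosts_that_can_telnet(WITH_DEFAULT_RIB, CANDIDATES))
```

Run it and the first line lists the two management hosts plus the IGP neighbour (Saku's "everyone in your IGP" caveat), while the second lists every candidate, which is why this trick only holds on a box that genuinely has no default or aggregate route covering the rest of the world.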

