[c-nsp] suddenly lost telnet connection in switch

Justin Shore justin at justinshore.com
Fri Dec 12 14:49:43 EST 2008


To restate what Robert said, pretend that there is an invisible 'deny ip 
any any' at the end of every extended ACL (or 'deny any' for standard 
ACLs).  Anything not explicitly permitted is denied by the invisible 
deny ACE at the end.  Personally I always add my own deny all ACE so I 
have a counter to see that I am rejecting packets.  I can also have it 
log as needed.  As Robert explained, you omitted the permit ACE for 
telnet and so the invisible deny statement came into effect and dropped 
your telnet packets.

Personally I never filter traffic destined to my equipment like that.  I 
rely on the ACL-using abilities of the individual internal processes to 
protect themselves.  For example to restrict VTY access you can use:

line vty 0 15
  access-class 110 in

VTY access-classes can use standard or extended ACLs.

For your web management server explicitly disable the HTTP server and 
then enable the HTTPS server

no ip http server
ip http secure-server
ip http access-class XXX

Note that you must use a standard ACL for filtering connections to the 
web server so you'll need another ACL for your HTTP(S) server.

Ditto for SNMP:

snmp-server community STRING ro XXX

It too requires a standard ACL.

You can also use ACLs to secure other protocols, NTP for example.


Personally I have one ACL for SNMP access (2 ACLs if I have to separate 
read-only and read-write access), another for HTTPS access which I 
rarely enable anyway, another for VTY access, and 1 or 2 for NTP access 
depending on what NTP function the device serves.  You can also filter 
at the control-plane with CoPP but I haven't set it up yet.

Justin
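As an added example (not code from this thread or from Cisco), a small Python model of how IOS walks an extended ACL: first match wins, anything that falls off the end hits the invisible 'deny ip any any' described above, and an ACE fully covered by an earlier one can never match, which is why a trailing 'log' line after an identical deny never logs. It models only 'any' and 'A.B.C.D wildcard' addresses plus the 'eq' operator, and follows IOS syntax in treating an 'eq' placed right after the source address as a source-port match; the sample ACL is the one posted in the thread.

```python
import ipaddress
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}
def _ip(s): return int(ipaddress.IPv4Address(s))  # dotted quad -> int

def _parse_addr(toks):
    """Consume 'any' or 'A.B.C.D WILDCARD'; returns ((base, wildcard) as ints, remaining tokens)."""
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    return (_ip(toks[0]), _ip(toks[1])), toks[2:]

def _parse_port(toks):
    """Consume an optional 'eq PORT' (the only operator modelled); returns (port or None, remaining)."""
    if toks and toks[0] == "eq":
        return PORT_NAMES.get(toks[1]) or int(toks[1]), toks[2:]
    return None, toks

def parse_ace(line):
    """IOS order: action proto SRC [eq SPORT] DST [eq DPORT] [log]; 'eq' right after SRC is a SOURCE-port test."""
    toks = line.split()
    src, rest = _parse_addr(toks[2:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"action": toks[0], "proto": toks[1], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "log": "log" in rest}

def _covers(a, b):
    """True if address spec a matches everything spec b matches; a single host is (ip, 0)."""
    (abase, awild), (bbase, bwild) = a, b
    care = ~awild & 0xFFFFFFFF  # wildcard 1-bits are don't-care; only the 0-bits must agree
    return (bwild & care) == 0 and (bbase & care) == (abase & care)

def _subsumes(ace, proto, src, sport, dst, dport):
    return (ace["proto"] in ("ip", proto) and _covers(ace["src"], src) and _covers(ace["dst"], dst)
            and ace["sport"] in (None, sport) and ace["dport"] in (None, dport))

def evaluate(acl, proto, src, sport, dst, dport):
    """First match wins; falling off the end hits the invisible 'deny ip any any' (index None)."""
    for i, ace in enumerate(acl):
        if _subsumes(ace, proto, (_ip(src), 0), sport, (_ip(dst), 0), dport):
            return ace["action"], i
    return "deny", None
def shadowed(acl):
    """Indices of ACEs fully covered by an earlier ACE: they never match, so their 'log' never fires."""
    return [j for j, late in enumerate(acl) if any(_subsumes(
        early, late["proto"], late["src"], late["sport"], late["dst"], late["dport"]) for early in acl[:j])]
# Constructed input: ACL 110 exactly as posted in the thread.
ACL_110 = [parse_ace(l) for l in ("permit tcp 192.168.0.0 0.255.255.255 any eq www",
    "permit tcp 172.16.0.0 0.255.255.255 any eq www", "permit tcp 10.0.0.0 0.255.255.255 any eq www",
    "deny tcp any eq www any", "deny tcp any eq www any log")]
```

An inbound telnet SYN from 10.1.2.3 to the switch matches no ACE and is dropped by the implicit deny (evaluate returns ("deny", None)), while shadowed(ACL_110) reports the last ACE as unreachable.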


Teller, Robert wrote:
> Try this
>   Extended IP access list 110
>     permit tcp 192.168.0.0 0.255.255.255 [Vlan 1 ip] eq www
>     permit tcp 172.16.0.0 0.255.255.255 [Vlan 1 ip] eq www
>     permit tcp 10.0.0.0 0.255.255.255 [Vlan 1 ip] eq www
>     permit tcp [ip address] [Vlan 1 ip] eq telnet
>     deny tcp any eq www any log
> 
> 
>   Extended IP access list 110
>     permit tcp 192.168.0.0 0.255.255.255 any eq www
>     permit tcp 172.16.0.0 0.255.255.255 any eq www
>     permit tcp 10.0.0.0 0.255.255.255 any eq www
>     deny tcp any eq www any
>     deny tcp any eq www any log [your log is after your www deny so it
> won't log anything]
> 
> You should be using https and ssh instead of http and telnet.
> 
> When using an access-list all traffic is explicitly denied.
> 
> 
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
> Sent: Friday, December 12, 2008 11:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] suddenly lost telnet connection in switch
> 
> Hi 
>    
>   I am doing the following access-list for www to restrict to switch
> http access
>   but when I apply it in the interface, i suddenly lost telnet
> connection.
>   Why?
>    
>    
>   Extended IP access list 110
>     permit tcp 192.168.0.0 0.255.255.255 any eq www
>     permit tcp 172.16.0.0 0.255.255.255 any eq www
>     permit tcp 10.0.0.0 0.255.255.255 any eq www
>     deny tcp any eq www any
>     deny tcp any eq www any log
>   
> switch(config)#interface VLAN1
>   switch(config-if)#ip access-group 110 in
> switch(config-if)#
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/