[c-nsp] access-list

Peter Rathlev peter at rathlev.dk
Thu Oct 30 09:47:48 EDT 2008


On Thu, 2008-10-30 at 07:31 -0500, Pete Templin wrote:
> What about the reverse logic, putting a tighter ACL on higher VTYs? 
> I've heard of this as a safety valve: if too many connections are open 
> to a router, the last few connections have to come from a key point.

Agreed, that's not a bad idea. We had a range of 7304s that had problems
with VTY lines getting stuck, and had reserved 14-15 to only be
reachable from a workstation not normally used for administration, thus
being able to clear the lower lines once in a while. (We ended up using
SNMP for the clearing though.)

You would still keep the "base line" access rather tight I assume. The
access security of the box is equal to the security of the most insecure
access method.

Regards,
Peter
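The layout discussed above, as an added IOS configuration example (not from the post, and not Peter's or Pete's config): a base ACL on VTY lines 0-13 and a tighter ACL on lines 14-15 that only admits one "key point" host. Because IOS hands a new session to the lowest free VTY line, the top two lines are reached only when the rest are busy or stuck. The ACL names and the 192.0.2.0/24 and 198.51.100.10 addresses are assumptions (RFC 5737 documentation ranges).

```cisco
! Added example, not from the post. Addresses are RFC 5737 documentation
! ranges and the ACL names are assumed; substitute your own.
!
! Base ACL: the normal management subnet, applied to lines 0-13.
ip access-list standard VTY-MGMT
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Emergency ACL: one workstation not used for day-to-day administration,
! applied only to the top two lines so they stay free for clearing others.
ip access-list standard VTY-EMERGENCY
 permit host 198.51.100.10
 deny   any log
!
line vty 0 13
 access-class VTY-MGMT in
 transport input ssh
 ! Idle timeout; it does not free a hung line, which is why 14-15 exist.
 exec-timeout 10 0
!
line vty 14 15
 access-class VTY-EMERGENCY in
 transport input ssh
 exec-timeout 10 0
!
! Caveat: access-class filters IPv4 only. If IPv6 is enabled on the box,
! an equivalent "ipv6 access-class" is needed on the same lines, or IPv6
! becomes the most insecure access method.
!
! From the emergency host, find and clear the stuck lines by hand:
!   show users
!   clear line vty 3
```

The base ACL is what actually protects the box; the emergency lines are a reserved path to clear hung sessions, not a place to relax the policy. The `deny any log` entries make rejected VTY attempts visible in the log, which is the check that confirms the ACLs are applied to the lines you think they are.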



