[c-nsp] One Entry Point into Cisco network.

Artyom Viklenko artem at aws-net.org.ua
Fri Dec 17 07:34:20 EST 2010


17.12.2010 13:27, Oleg Gnedykh writes:
> Hi Guys!
>
>     Thank you very much for your answers.
> But I've really wanted to enter the network from ANY addresses and
> ONLY via a definite access point. It is necessary because of different causes.
>       I have a router with several hundred IP interfaces which differ from time to time.
> Of course, I am able to attach an ACL to all interfaces, but instead of this I want to
> assign ONLY ONE IP interface for access to my network.
> And after that, I'll be able to control and guard only ONE interface.

IMHO, you can use CoPP to do that.

!
control-plane
  service-policy input bla-bla-bla
!

In the policy-map you can define various criteria, ACLs, policers, etc.

But care should be taken because this feature applies to ALL traffic 
going to the router CPU, including routing protocols, etc.

Hope this helps...


>
> PS: Of course, The "access-list 111 deny ip any any log" need only for
> logging and traps.
>
>
> ------------Quote-----------
>> I want to create a network with one entry point.
>> AFAIK it's a best practice for network design.
>> For example it may be some router with a Loopback interface.
>> I've created Loop0 and an ACL, and attached it to "line vty"
>
>>   interface Loopback10
>>   description ### Manage ###
>>   ip address 192.168.1.1 255.255.255.255
>
>>   access-list 111 permit ip any host 192.168.1.1 log
>>   access-list 111 deny ip any any log
>
>>   line vty 0 4
>>   access-class 111 in
>
>
>> And as a result I have connection refused
>> %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.168.20.1(2683) ->  0.0.0.0(23), 1 packet
>> 192.168.20.1 is the local address of my PC.
>
>> What can I do???
>
>
> ------------Quote-----------
>
>
> With best regards, Oleg.
>
>


-- 
            Sincerely yours,
                             Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net   | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve   -  http://www.freebsd.org
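As an added illustration of the CoPP approach suggested in the reply (example configuration written for this page, not taken from the thread or from any Cisco documentation), the policy below classifies management sessions (SSH and telnet) destined to any router address other than the management loopback 192.168.1.1 and drops them on the control plane, while class-default carries no action so routing protocols and all other punted traffic are left untouched. The ACL, class-map and policy-map names are assumptions; the loopback address and the vty access-list 111 are the ones from the quoted post. Because a policy under control-plane sees the real destination address of punted packets, it can enforce the "only via the loopback" rule that the vty access-class in the quoted post did not (note the 0.0.0.0(23) destination in the logged denial).

```cisco
! Added example, not from the original thread.
! Step 1: match management traffic whose destination is NOT the
! management loopback. Sessions to the loopback itself fall through the
! deny lines and are therefore not matched by this ACL.
ip access-list extended MGMT-NOT-TO-LOOPBACK
 deny   tcp any host 192.168.1.1 eq 22
 deny   tcp any host 192.168.1.1 eq telnet
 permit tcp any any eq 22
 permit tcp any any eq telnet
!
! Step 2: the class that selects those packets.
class-map match-all MGMT-OFF-LOOPBACK
 match access-group name MGMT-NOT-TO-LOOPBACK
!
! Step 3: drop them. A policer with conform-action drop is used because it
! works on older CoPP implementations that lack the plain "drop" action.
! class-default is listed without any action on purpose: everything else
! (OSPF/BGP, ARP, ICMP to the router, ...) keeps reaching the CPU.
policy-map COPP-MGMT-ONE-ENTRY
 class MGMT-OFF-LOOPBACK
  police 8000 conform-action drop exceed-action drop
 class class-default
!
! Step 4: attach to the control plane (inbound, i.e. traffic punted to CPU).
control-plane
 service-policy input COPP-MGMT-ONE-ENTRY
!
! Keep the vty access-class from the quoted post as the second layer: it
! restricts which SOURCES may reach the loopback, CoPP restricts the
! DESTINATION. The "deny ip any any log" line still gives the log/trap.
line vty 0 4
 access-class 111 in
 transport input ssh
```

Verify with "show policy-map control-plane" while opening a session to a non-loopback interface address: the MGMT-OFF-LOOPBACK counters should increment and the session should never reach the vty. CoPP is enforced in hardware on some platforms (e.g. 6500/7600), where certain ACL keywords such as log are not honoured, so test the policy in a lab before deploying it on a router with several hundred interfaces.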

