Agreed. Maybe that's something that I've misunderstood all along. Recently I got hit on an Internal audit for allowing MOP. I was perplexed. I went thru my very strict ACLs and didn't allow the ancient protocol. Finally I went and talked to the dude. The audit hit was not a result of a pen test, it was my configuration that they had run against an inspection tool. So once he understood that my ACL wouldn't let it in, he was fine. But the reason that the audit tool rang bells in the first place was "transport input none".
After researching I realized that I had misunderstood things. I always looked at a VTY as the access TO the router instead of THRU the router. This doesn't appear to be the case.

1. Transport input governs the protocol. Not the port or the source/destination.
2. An ACL on the VTY will control what port can run the protocol and from/to where. There is no "snmp" on transport input. Only management protocols. SSH, Telnet, MOP, rlogin, etc.
3. You can control what is allowed to use SNMP by applying an ACL to the snmp-group you have configured.

So if you apply an ACL to the VTY that says permit ip host 10.10.10.1 host 1.1.1.1 (lo0 on router) eq 22 and you have transport input telnet on the VTY lines, then the only thing you have done is forced yourself to telnet to your router over port 22.

Here's my confusion. Is this redundant to CoPPs? I understand with policy maps on CoPPs I have a greater degree of control but in the end, it's redundant I think. Does this make sense? Looking for some confirmation? I can't see the difference....

-Hammer-

"I was a normal American nerd."
-Jack Herer

On Wed, Mar 2, 2011 at 3:18 PM, Jeferson Guardia <[email protected]> wrote:

> I would always refer to vty setup as "how people manage my routers" and
> global acl, copp, acl on the interface, whatever, to control things at the
> service level :)
>
> Sent using my iPhone
>
> On 02/03/2011, at 16:07, Hammer <[email protected]> wrote:
>
> > And to follow up on my own question, am I just filtering at different
> > points?
> >
> > So, option 1:
> >
> > filter SSH via transport input statement and ACL on VTY
> > filter SNMP via ACL on snmp-group
> >
> > Or option 2:
> >
> > filter all via CoPPs policy
> >
> > But doing both is redundant correct?
> >
> > Trying to understand the difference between a VTY ACL and a CoPPs
> > policy.... Missing something....
> >
> > -Hammer-
> >
> > "I was a normal American nerd."
> > -Jack Herer
> >
> > On Wed, Mar 2, 2011 at 12:32 PM, Hammer <[email protected]> wrote:
> >
> >> OK, I'm confused on something very simple. In the past, when setting up a
> >> router, I've done an access-list allowing (example) SSH and SNMP. Then I've
> >> applied said access list to the VTYs. Transport input I've always set to
> >> "none" as I haven't cared because I have a VTY controlling what comes in.
> >> But it appears I was misunderstanding some things.
> >>
> >> If I set my transport input to SSH, it restricts the VTY access to just SSH.
> >> Then, I can use an ACL to allow only certain subnets blah blah blah.
> >>
> >> So how am I controlling SNMP? I understand that I can build an SNMP
> >> specific ACL and apply it to snmp server group. Is that it? Meaning, is an
> >> ACL applied to a VTY only going to control source and destination (and ports
> >> possibly) over which whatever transport you applied is allowed?
> >>
> >> So other services aren't really hitting the VTY in that sense?
> >>
> >> -Hammer-
> >>
> >> "I was a normal American nerd."
> >> -Jack Herer
> >
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
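As an added worked example (not written by any of the posters in this thread), here is how the three filtering points discussed above fit together in a Cisco IOS configuration. The management station 10.10.10.1 and the Lo0 address 1.1.1.1 are the values used in the thread; the ACL, class-map, policy-map and SNMP group names, the SNMPv3 choice and the policer rates are assumed.

```ios
! 1. Who may open an EXEC session, and over which protocol.
!    "transport input" selects the protocol: telnet, rlogin and MOP are
!    refused on the line no matter where they come from.
!    "access-class" selects the source. A standard ACL is enough: the line
!    only ever sees sessions to the router itself, so "eq 22" on it would
!    add nothing that "transport input ssh" does not already do.
ip access-list standard MGMT-STATIONS
 permit 10.10.10.1
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-STATIONS in
 exec-timeout 5 0
!
! 2. SNMP never touches a VTY, so it is filtered on the SNMP group.
!    (Assumed: SNMPv3 with auth+priv and the same management station.)
ip access-list standard SNMP-STATIONS
 permit 10.10.10.1
!
snmp-server group MGMT-V3 v3 priv access SNMP-STATIONS
!
! 3. CoPP is applied to the control plane, i.e. to every packet destined to
!    the router itself. It therefore covers SSH and SNMP in one place and also
!    rate-limits everything else that would reach the CPU, which the VTY and
!    SNMP ACLs cannot do. Here both source and destination (Lo0 = 1.1.1.1)
!    are meaningful, because the ACL classifies traffic, not a line.
ip access-list extended COPP-MGMT
 permit tcp host 10.10.10.1 host 1.1.1.1 eq 22
 permit udp host 10.10.10.1 host 1.1.1.1 eq snmp
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
policy-map COPP
 class COPP-MGMT
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The overlap between the two layers is only the SSH and SNMP traffic from 10.10.10.1: the VTY and SNMP ACLs decide who may log in or poll, while CoPP decides what may reach the CPU at all and at what rate, so they answer different questions rather than being redundant.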
