2. I don't think an ACL can do anything about the port the protocol runs on.
With telnet you change that with rotary groups and ssh uses the 'ip ssh
port' global command. Also, you typically want to use standard ACLs for VTYs
because the destination IP address is stripped off before the access-class
ACL is parsed and shows as 0.0.0.0.


On Wed, Mar 2, 2011 at 4:35 PM, Hammer <[email protected]> wrote:

> Agreed. Maybe that's something that I've misunderstood all along. Recently
> I got hit on an Internal audit for allowing MOP. I was perplexed. I went thru
> my very strict ACLs and didn't allow the ancient protocol. Finally I went
> and talked to the dude. The audit hit was not a result of a pen test, it was
> my configuration that they had run against an inspection tool. So once he
> understood that my ACL wouldn't let it in, he was fine. But the reason that
> the audit tool rang bells in the first place was "transport input none".
>
> After researching I realized that I had misunderstood things. I always
> looked at a VTY as the access TO the router instead of THRU the router. This
> doesn't appear to be the case.
>
> 1. Transport input governs the protocol. Not the port or the
> source/destination.
> 2. An ACL on the VTY will control what port can run the protocol and from/to
> where.
>
> There is no "snmp" on transport input. Only management protocols. SSH,
> Telnet, MOP, rlogin, etc.
>
> 3. You can control what is allowed to use SNMP by applying an ACL to the
> snmp-group you have configured.
>
> So if you apply an ACL to the VTY that says permit ip host 10.10.10.1 host
> 1.1.1.1 (lo0 on router) eq 22 and you have transport input telnet VTY lines
> then the only thing you have done is forced yourself to telnet to your
> router over port 22.
>
> Here's my confusion. Is this redundant to CoPPs? I understand with policy
> maps on CoPPs I have a greater degree of control but in the end, it's
> redundant I think.
>
> Does this make sense? Looking for some confirmation? I can't see the
> difference....
>
>
>  -Hammer-
>
> "I was a normal American nerd."
> -Jack Herer
>
>
>
>
>
> On Wed, Mar 2, 2011 at 3:18 PM, Jeferson Guardia <[email protected]> wrote:
>
> > I would always refer to vty setup as "how people manage my routers" and
> > global acl, copp, acl on the interface, whatever, to control things at the
> > service level :)
> >
> > Sent using my iPhone
> >
> > On 02/03/2011, at 16:07, Hammer <[email protected]> wrote:
> >
> > > And to follow up on my own question, am I just filtering at different
> > > points?
> > >
> > > So, option 1:
> > >
> > > filter SSH via transport input statement and ACL on VTY
> > > filter SNMP via ACL on snmp-group
> > >
> > > Or option 2:
> > >
> > > filter all via CoPPs policy
> > >
> > > But doing both is redundant correct?
> > >
> > > Trying to understand the difference between an VTY ACL and a CoPPs
> > > policy.... Missing something....
> > >
> > > -Hammer-
> > >
> > > "I was a normal American nerd."
> > > -Jack Herer
> > >
> > >
> > >
> > >
> > >
> > > On Wed, Mar 2, 2011 at 12:32 PM, Hammer <[email protected]> wrote:
> > >
> > >> OK, I'm confused on something very simple. In the past, when setting up a
> > >> router, I've done an access-list allowing (example) SSH and SNMP. Then I've
> > >> applied said access list to the VTYs. Transport input I've always set to
> > >> "none" as I haven't cared because I have a VTY controlling what comes in.
> > >> But it appears I was misunderstanding some things.
> > >>
> > >> If I set my transport input to SSH, it restricts the VTY access to just
> > >> SSH. Then, I can use an ACL to allow only certain subnets blah blah blah.
> > >>
> > >> So how am I controlling SNMP? I understand that I can build an SNMP
> > >> specific ACL and apply it to snmp server group. Is that it? Meaning, is an
> > >> ACL applied to a VTY only going to control source and destination (and ports
> > >> possibly) over which whatever transport you applied is allowed?
> > >>
> > >> So other services aren't really hitting the VTY in that sense?
> > >>
> > >>
> > >> -Hammer-
> > >>
> > >> "I was a normal American nerd."
> > >> -Jack Herer
> > >>
> > >>
> > >>
> > >>
> > > _______________________________________________
> > > For more information regarding industry leading CCIE Lab training,
> please
> > visit www.ipexpert.com
> >
>

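A configuration that puts the thread's points side by side (a standard ACL applied with access-class, transport input choosing the protocol, an SNMP ACL bound to the community, and a CoPP policy on the control plane), as an added example that is not part of any message in the thread. The addresses, ACL numbers, class and policy names are assumed values, and the community string is a placeholder.

```text
! Management-plane filtering (access TO the router) vs. CoPP; addresses, ACL
! numbers and policy names are assumed values chosen for this example.
!
! VTY access: a standard ACL matches on source only, which is why it is the
! right type here (the destination is seen as 0.0.0.0 when access-class runs).
access-list 10 remark Management stations allowed to open a VTY session
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log
!
! An extended entry such as
!   permit tcp host 10.10.10.1 host 1.1.1.1 eq 22
! cannot match on a VTY access-class for that reason, so it is not used here.
!
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
! SNMP never reaches a VTY: its source filter is the ACL bound to the community
! (or to the snmp-server group for SNMPv3).
access-list 20 remark SNMP pollers
access-list 20 permit host 10.10.10.5
snmp-server community COMMUNITY-STRING-PLACEHOLDER RO 20
!
! Control-plane policing: CoPP sees the full packet, so extended ACLs are fine.
! Management traffic from approved sources is rate-limited; the same services
! from anywhere else are dropped before the VTY or SNMP agent ever sees them.
ip access-list extended COPP-MGMT-OK
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
 permit udp host 10.10.10.5 any eq snmp
ip access-list extended COPP-MGMT-OTHER
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit udp any any eq snmp
!
class-map match-all CM-MGMT-OK
 match access-group name COPP-MGMT-OK
class-map match-all CM-MGMT-OTHER
 match access-group name COPP-MGMT-OTHER
!
policy-map COPP
 class CM-MGMT-OK
  police 128000 8000 conform-action transmit exceed-action drop
 class CM-MGMT-OTHER
  drop
!
control-plane
 service-policy input COPP
```

The two layers are not redundant: the VTY ACL and transport input decide who may open a session and with which protocol, while CoPP limits how much of that traffic (and any other control-plane traffic) the CPU has to process at all.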