Jay,
    What is different about an access-list on a VTY that causes the
destination (extended ACL) to not be processed? So I cannot limit what
addresses on the router answer to a connection?

I'm going to lab this up tomorrow and play around. Clearly I'm missing
something with all this. I'm actually somewhat thankful for the audit guy.
Did I just say that? I must be drunk....


 -Hammer-

"I was a normal American nerd."
-Jack Herer





On Wed, Mar 2, 2011 at 5:34 PM, Jay Taylor <[email protected]> wrote:

> 2. I don't think an ACL can do anything about the port the protocol runs
> on. With telnet you change that with rotary groups and ssh uses the 'ip ssh
> port' global command. Also, you typically want to use standard ACLs for VTYs
> because the destination IP address is stripped off before the access-class
> ACL is parsed and shows as 0.0.0.0.
>
>
>
> On Wed, Mar 2, 2011 at 4:35 PM, Hammer <[email protected]> wrote:
>
>> Agreed. Maybe that's something that I've misunderstood all along. Recently I
>> got hit on an Internal audit for allowing MOP. I was perplexed. I went thru
>> my very strict ACLs and didn't allow the ancient protocol. Finally I went
>> and talked to the dude. The audit hit was not a result of a pen test, it was
>> my configuration that they had run against an inspection tool. So once he
>> understood that my ACL wouldn't let it in, he was fine. But the reason that
>> the audit tool rang bells in the first place was "transport input none".
>>
>> After researching I realized that I had misunderstood things. I always
>> looked at a VTY as the access TO the router instead of THRU the router. This
>> doesn't appear to be the case.
>>
>> 1. Transport input governs the protocol. Not the port or the
>> source/destination.
>> 2. An ACL on the VTY will control what port can run the protocol and from/to
>> where.
>>
>> There is no "snmp" on transport input. Only management protocols. SSH,
>> Telnet, MOP, rlogin, etc.
>>
>> 3. You can control what is allowed to use SNMP by applying an ACL to the
>> snmp-group you have configured.
>>
>> So if you apply an ACL to the VTY that says permit ip host 10.10.10.1 host
>> 1.1.1.1 (lo0 on router) eq 22 and you have transport input telnet VTY lines
>> then the only thing you have done is forced yourself to telnet to your
>> router over port 22.
>>
>> Here's my confusion. Is this redundant to CoPPs? I understand with policy
>> maps on CoPPs I have a greater degree of control but in the end, it's
>> redundant I think.
>>
>> Does this make sense? Looking for some confirmation? I can't see the
>> difference....
>>
>>
>>  -Hammer-
>>
>> "I was a normal American nerd."
>> -Jack Herer
>>
>>
>>
>>
>>
>> On Wed, Mar 2, 2011 at 3:18 PM, Jeferson Guardia <[email protected]> wrote:
>>
>> > I would always refer to vty setup as "how people manage my routers" and
>> > global acl, copp, acl on the interface, whatever, to control things at the
>> > service level :)
>> >
>> > Sent using my Iphone
>> >
>> > On 02/03/2011, at 16:07, Hammer <[email protected]> wrote:
>> >
>> > > And to follow up on my own question, am I just filtering at different
>> > > points?
>> > >
>> > > So, option 1:
>> > >
>> > > filter SSH via transport input statement and ACL on VTY
>> > > filter SNMP via ACL on snmp-group
>> > >
>> > > Or option 2:
>> > >
>> > > filter all via CoPPs policy
>> > >
>> > > But doing both is redundant correct?
>> > >
>> > > Trying to understand the difference between an VTY ACL and a CoPPs
>> > > policy.... Missing something....
>> > >
>> > > -Hammer-
>> > >
>> > > "I was a normal American nerd."
>> > > -Jack Herer
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > On Wed, Mar 2, 2011 at 12:32 PM, Hammer <[email protected]> wrote:
>> > >
>> > >> OK, I'm confused on something very simple. In the past, when setting up a
>> > >> router, I've done an access-list allowing (example) SSH and SNMP. Then I've
>> > >> applied said access list to the VTYs. Transport input I've always set to
>> > >> "none" as I haven't cared because I have a VTY controlling what comes in.
>> > >> But it appears I was misunderstanding some things.
>> > >>
>> > >> If I set my transport input to SSH, it restricts the VTY access to just SSH.
>> > >> Then, I can use an ACL to allow only certain subnets blah blah blah.
>> > >>
>> > >> So how am I controlling SNMP? I understand that I can build an SNMP
>> > >> specific ACL and apply it to snmp server group. Is that it? Meaning, is an
>> > >> ACL applied to a VTY only going to control source and destination (and ports
>> > >> possibly) over which whatever transport you applied is allowed?
>> > >>
>> > >> So other services aren't really hitting the VTY in that sense?
>> > >>
>> > >>
>> > >> -Hammer-
>> > >>
>> > >> "I was a normal American nerd."
>> > >> -Jack Herer
>> > >>
>> > >>
>> > >>
>> > >>
>> > > _______________________________________________
>> > > For more information regarding industry leading CCIE Lab training, please
>> > > visit www.ipexpert.com
>> >
>>
>
>

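As an added example (not code from the thread, from Cisco, or from any audit product), here is a small Python lint that checks an IOS-style config for the three points the thread settles on: access-class should reference a standard ACL because the destination is seen as 0.0.0.0, transport input (not the ACL) selects which management protocol the VTY accepts, and SNMP is restricted with an ACL on the community rather than on the VTY. Both configs are constructed; the 10.10.10.1 and 1.1.1.1 addresses are the ones used in the thread, and the community strings and ACL names are invented.

```python
import re
# Constructed configs, not from the thread: WEAK mirrors the setup Hammer
# described; FIXED applies the thread's conclusions (standard ACL, ssh only).
WEAK_CFG = """\
ip access-list extended MGMT
 permit tcp host 10.10.10.1 host 1.1.1.1 eq 22
snmp-server community public RO
line vty 0 4
 access-class MGMT in
 transport input none
"""
FIXED_CFG = """\
ip access-list standard MGMT-HOSTS
 permit 10.10.10.1
snmp-server community s3cret RO MGMT-HOSTS
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""

def parse_blocks(cfg):
    """Group indented sub-commands under their parent command, in file order."""
    blocks, parent = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if line.startswith(" ") and parent is not None:
            blocks[parent].append(line.strip())
        else:
            parent = line.strip()
            blocks[parent] = []
    return blocks

def lint(cfg):
    """Return findings for the VTY / SNMP pitfalls discussed in the thread."""
    blocks, findings = parse_blocks(cfg), []
    acl_type = {m[2]: m[1] for m in (re.match(r"ip access-list (standard|extended) (\S+)", p)
                                     for p in blocks) if m}
    for parent, subs in blocks.items():
        if parent.startswith("line vty"):
            acls = [s.split()[1] for s in subs if s.startswith("access-class ")]
            if not acls:
                findings.append(f"{parent}: no access-class, any source may connect")
            for name in acls:  # access-class sees the destination as 0.0.0.0
                if acl_type.get(name) == "extended":
                    findings.append(f"{parent}: {name} is extended; use a standard ACL")
            transport = [s.split()[2:] for s in subs if s.startswith("transport input ")]
            if transport != [["ssh"]]:  # transport input picks the protocol, not the ACL
                findings.append(f"{parent}: transport input should be 'ssh', found {transport}")
        m = re.match(r"snmp-server community \S+ (?:RO|RW)(?: (\S+))?$", parent)
        if m and m.group(1) is None:  # SNMP is filtered on the community, not the VTY
            findings.append(f"{parent}: community has no ACL")
    return findings
```

`lint(WEAK_CFG)` returns three findings (unfiltered community, extended ACL on access-class, transport input none) and `lint(FIXED_CFG)` returns none.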