I don't remember the specifics of why, only that extended ACLs don't work the way you'd think they would. I'm sure Tyson or Marko can get a little deeper than that.
On Wed, Mar 2, 2011 at 7:13 PM, Hammer <[email protected]> wrote:
> Jay,
> What is different about an access-list on a VTY that causes the
> destination (extended ACL) to not be processed? So I cannot limit what
> addresses on the router answer to a connection?
>
> I'm going to lab this up tomorrow and play around. Clearly I'm missing
> something with all this. I'm actually somewhat thankful for the audit guy.
> Did I just say that? I must be drunk....
>
> -Hammer-
>
> "I was a normal American nerd."
> -Jack Herer
>
> On Wed, Mar 2, 2011 at 5:34 PM, Jay Taylor <[email protected]> wrote:
>
>> 2. I don't think an ACL can do anything about the port the protocol runs
>> on. With telnet you change that with rotary groups and ssh uses the 'ip ssh
>> port' global command. Also, you typically want to use standard ACLs for
>> VTYs because the destination IP address is stripped off before the
>> access-class ACL is parsed and shows as 0.0.0.0.
>>
>> On Wed, Mar 2, 2011 at 4:35 PM, Hammer <[email protected]> wrote:
>>
>>> Agreed. Maybe that's something that I've misunderstood all along.
>>> Recently I got hit on an internal audit for allowing MOP. I was
>>> perplexed. I went through my very strict ACLs and didn't allow the
>>> ancient protocol. Finally I went and talked to the dude. The audit hit
>>> was not a result of a pen test, it was my configuration that they had
>>> run against an inspection tool. So once he understood that my ACL
>>> wouldn't let it in, he was fine. But the reason that the audit tool
>>> rang bells in the first place was "transport input none".
>>>
>>> After researching I realized that I had misunderstood things. I always
>>> looked at a VTY as the access TO the router instead of THROUGH the
>>> router. This doesn't appear to be the case.
>>>
>>> 1. Transport input governs the protocol. Not the port or the
>>> source/destination.
>>> 2. An ACL on the VTY will control what port can run the protocol and
>>> from/to where.
>>>
>>> There is no "snmp" on transport input. Only management protocols. SSH,
>>> Telnet, MOP, rlogin, etc.
>>>
>>> 3. You can control what is allowed to use SNMP by applying an ACL to the
>>> snmp-group you have configured.
>>>
>>> So if you apply an ACL to the VTY that says permit ip host 10.10.10.1
>>> host 1.1.1.1 (lo0 on router) eq 22 and you have transport input telnet
>>> VTY lines then the only thing you have done is forced yourself to telnet
>>> to your router over port 22.
>>>
>>> Here's my confusion. Is this redundant to CoPPs? I understand with policy
>>> maps on CoPPs I have a greater degree of control but in the end, it's
>>> redundant I think.
>>>
>>> Does this make sense? Looking for some confirmation? I can't see the
>>> difference....
>>>
>>> -Hammer-
>>>
>>> "I was a normal American nerd."
>>> -Jack Herer
>>>
>>> On Wed, Mar 2, 2011 at 3:18 PM, Jeferson Guardia <[email protected]> wrote:
>>>
>>>> I would always refer to vty setup as "how people manage my routers" and
>>>> global acl, copp, acl on the interface, whatever, to control things at
>>>> the service level :)
>>>>
>>>> Sent using my Iphone
>>>>
>>>> On 02/03/2011, at 16:07, Hammer <[email protected]> wrote:
>>>>
>>>>> And to follow up on my own question, am I just filtering at different
>>>>> points?
>>>>>
>>>>> So, option 1:
>>>>>
>>>>> filter SSH via transport input statement and ACL on VTY
>>>>> filter SNMP via ACL on snmp-group
>>>>>
>>>>> Or option 2:
>>>>>
>>>>> filter all via CoPPs policy
>>>>>
>>>>> But doing both is redundant, correct?
>>>>>
>>>>> Trying to understand the difference between a VTY ACL and a CoPPs
>>>>> policy.... Missing something....
>>>>>
>>>>> -Hammer-
>>>>>
>>>>> "I was a normal American nerd."
>>>>> -Jack Herer
>>>>>
>>>>> On Wed, Mar 2, 2011 at 12:32 PM, Hammer <[email protected]> wrote:
>>>>>
>>>>>> OK, I'm confused on something very simple. In the past, when setting
>>>>>> up a router, I've done an access-list allowing (example) SSH and SNMP.
>>>>>> Then I've applied said access list to the VTYs. Transport input I've
>>>>>> always set to "none" as I haven't cared because I have a VTY
>>>>>> controlling what comes in. But it appears I was misunderstanding some
>>>>>> things.
>>>>>>
>>>>>> If I set my transport input to SSH, it restricts the VTY access to
>>>>>> just SSH. Then, I can use an ACL to allow only certain subnets blah
>>>>>> blah blah.
>>>>>>
>>>>>> So how am I controlling SNMP? I understand that I can build an SNMP
>>>>>> specific ACL and apply it to snmp server group. Is that it? Meaning,
>>>>>> is an ACL applied to a VTY only going to control source and
>>>>>> destination (and ports possibly) over which whatever transport you
>>>>>> applied is allowed?
>>>>>>
>>>>>> So other services aren't really hitting the VTY in that sense?
>>>>>>
>>>>>> -Hammer-
>>>>>>
>>>>>> "I was a normal American nerd."
>>>>>> -Jack Herer
>>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training, please
>>>>> visit www.ipexpert.com
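The three filtering points the thread keeps circling (transport input, access-class on the VTY, the SNMP ACL, and CoPP) side by side, as an added IOS configuration example that is not something any of the participants posted. The host 10.10.10.1 and the Loopback0 address 1.1.1.1 are taken from Hammer's message; the management subnet 10.10.10.0/24, the NMS host 10.10.10.5, the SSH port 2222, the ACL and class-map names, the SNMPv3 group/user names and placeholder passwords, and the police rates are all assumptions chosen for illustration.

```cisco
! ===== Before: the pattern Hammer describes =====
! An extended ACL that tries to pin both the source host and the router's
! own Loopback0 (1.1.1.1), applied as access-class, with transport input none.
! transport input none refuses every protocol on the line, so the ACL never
! admits anything; and per Jay's note above, the destination field is not
! usable in an access-class match anyway.
ip access-list extended VTY-IN-OLD
 permit tcp host 10.10.10.1 host 1.1.1.1 eq 22
 deny   ip any any log
!
line vty 0 4
 access-class VTY-IN-OLD in
 transport input none
!
! ===== After =====
! 1. Protocol: transport input picks the protocol (SSH only, no telnet/MOP).
! 2. Port: set globally with ip ssh port + a rotary group, not in the ACL.
! 3. Source: a standard (source-only) ACL on the line; destination is left
!    out of the match.
access-list 10 remark MGMT-HOSTS-TO-VTY (assumed management subnet)
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny   any log
!
ip ssh version 2
ip ssh port 2222 rotary 1
!
line vty 0 4
 rotary 1
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
 login local
!
! ===== SNMP is not a VTY transport; it gets its own ACL on the group =====
access-list 20 remark SNMP-MANAGERS (assumed NMS host)
access-list 20 permit host 10.10.10.5
access-list 20 deny   any log
snmp-server group NMS-RO v3 priv access 20
snmp-server user nmsuser NMS-RO v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
!
! ===== CoPP: every packet punted to the route processor, any protocol =====
! Unlike access-class (VTY sessions only) and the SNMP ACL (SNMP agent only),
! this sees all control-plane traffic and can police rates, not just permit/deny.
ip access-list extended COPP-MGMT
 permit tcp 10.10.10.0 0.0.0.255 any eq 2222
 permit udp host 10.10.10.5 any eq snmp
ip access-list extended COPP-UNWANTED
 permit tcp any any eq 22
 permit tcp any any eq 23
 permit udp any any eq snmp
!
class-map match-any COPP-MGMT
 match access-group name COPP-MGMT
class-map match-any COPP-UNWANTED
 match access-group name COPP-UNWANTED
!
policy-map COPP
 class COPP-MGMT
  police 256000 conform-action transmit exceed-action drop
 class COPP-UNWANTED
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
```

Read top to bottom, the "after" half answers the question asked in the thread: the VTY ACL and the SNMP ACL each gate one service, while the CoPP policy gates what reaches the route processor at all and adds rate limiting, so the two layers overlap in the permit/deny sense but are not redundant. With the rotary group in place, check `show ip ssh` for the listening port and `show policy-map control-plane` for the per-class conform/exceed counters before trusting either layer.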
