Re: Restrict SSH access without VTY/Interface ACL -- drawing a

From: Brad Edgeworth <edgie512_at_gmail.com>
Date: Tue, 6 Jul 2010 10:35:00 -0500

What about through multiple Service policies....? Build a Management-class
that matches the protocol and interface that you want to pass traffic, and
another for just the traffic. Build your Policy-Map with the
Management-Class before the other to pass traffic, and to drop on the other
class.

On Tue, Jul 6, 2010 at 8:31 AM, Brian Landers <brian_at_bluecoat93.org> wrote:

> Hmm, the management-interface command only seems to be documented in a 12.4T
> feature guide, not in the actual documentation itself? So far I can't find
> it in the master index at all or in the CPP configuration guide using the
> usual "if you can't figure it out, Ctrl-F and look for likely keywords"
> strategy. Nice one, Cisco.
>
> ZBF is one I hadn't considered. Good one!
>
> A control plane host port-filter matching non-SSH traffic is probably where
> I would have ended up (was doing this as a "paper lab" and for some reason
> the "Securing the Control Plane" PDF isn't on my iPad).
>
> Thanks all,
> B*
>
>
> On Tue, Jul 6, 2010 at 6:19 AM, Thad Swashesed <gfy.ccie_at_gmail.com> wrote:
>
> > There are some different options, depending on how much you want to
> > complicate things.
> >
> >
> > "management-interface" command under "control-plane host"
> >
> > Technically, this will not restrict the address that you are connecting to,
> > but which interface the connection is coming into.
> >
> > So, traffic coming into G0/0 with destination of a loopback would still be
> > allowed.
> >
> >
> > Another option, though not as likely, would be to put everything else into
> > VRFs. (By default, management from a vrf interface is not allowed, unless
> > you have the "vrf-also" option specified on the access-class statement).
> > Putting all the other interfaces into a VRF would mess with your routing,
> > however.
> >
> > Similarly, could be achieved with ZBF and policies to self, but that would
> > be a much more complex answer.
> >
> > On Tue, Jul 6, 2010 at 6:00 AM, Brian Landers <brian_at_bluecoat93.org> wrote:
> >
> >> Working through a Security practice lab and I'm drawing a blank on this
> >> one.
> >>
> >> * enable access control on R4 to allow management access via the R4 gi0/1
> >> interface only
> >>
> >> * management traffic to any other interfaces should be dropped
> >>
> >> * do not use interface access control list to achieve this task
> >>
> >> * do not use vty ACL to achieve this task
> >>
> >> R4 gi0/1 has a single host behind it (R3), which has a 0/0 route pointing
> >> to R4. So far, the only thing I'm coming up with is PBR to null route any
> >> traffic to interface IPs other than gi0/1, but without testing I'm not sure
> >> that will work to router-local traffic.
> >>
> >> B*
> >>
> >>
> >> --
> >> Brian C Landers
> >> http://www.packetslave.com/
> >> CCIE #23115
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >
>
>
> --
> Brian C Landers
> http://www.packetslave.com/
> CCIE #23115
>
>
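For reference, here is what the two approaches discussed in this thread look like as IOS configuration: Thad's `management-interface` command under `control-plane host` (Management Plane Protection), and Brad's two-class service policy on the host subinterface with the management class ordered before the drop class. This is an added example and not configuration from any message in the thread; the GigabitEthernet0/1 interface follows the lab description, while the 10.0.4.4 address, the ACL, class-map and policy-map names, and the police rates are constructed for illustration.

```cisco
! --- Option A: Management Plane Protection ("management-interface" under
! --- "control-plane host"). This restricts which INGRESS interface may carry
! --- management sessions to the router. As noted in the thread, it does not
! --- restrict the destination address: SSH arriving on Gi0/1 toward a
! --- loopback address is still accepted. Requires CEF.
! Assumed: the lab's management interface is GigabitEthernet0/1.
ip cef
!
control-plane host
 management-interface GigabitEthernet0/1 allow ssh
!
! Verify: shows the designated management interface(s), the allowed
! protocols, and per-interface drop counters for sessions that arrived
! on any other interface.
! do show management-interface
!
! --- Option B: service policy on the host subinterface, laid out as two
! --- classes. CM-MANAGEMENT passes SSH addressed to the Gi0/1 address and is
! --- listed first; CM-OTHER-SSH then drops every other SSH attempt punted to
! --- the control plane. Classification is by destination address, so it
! --- answers a slightly different question than Option A. The ACLs below are
! --- referenced only by the class-maps; nothing is applied to an interface or
! --- to the vty lines.
! Assumed (constructed) address: Gi0/1 is 10.0.4.4/24.
ip access-list extended ACL-MGMT-SSH
 permit tcp any host 10.0.4.4 eq 22
ip access-list extended ACL-OTHER-SSH
 permit tcp any any eq 22
!
class-map match-all CM-MANAGEMENT
 match access-group name ACL-MGMT-SSH
class-map match-all CM-OTHER-SSH
 match access-group name ACL-OTHER-SSH
!
policy-map PM-CONTROL-PLANE
 ! First match wins: the management class must precede the drop class.
 class CM-MANAGEMENT
  police 64000 conform-action transmit exceed-action transmit
 class CM-OTHER-SSH
  police 8000 conform-action drop exceed-action drop
!
control-plane host
 service-policy input PM-CONTROL-PLANE
!
! Verify: class counters show which class each punted packet hit, so a drop
! of SSH aimed at a non-Gi0/1 address shows up under CM-OTHER-SSH.
! do show policy-map control-plane host
```

The two options are complementary rather than interchangeable: Option A keys on the inbound interface and Option B on the destination address, so pick the one that matches how the task wording is read, and use the `show` commands to confirm that a session aimed at a non-management address is actually counted as dropped rather than silently accepted.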

Received on Tue Jul 06 2010 - 10:35:00 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART