2

Sorry for the naive question; a quick reading of the cisco docs doesn't answer this question...

So I've got a router (say for the sake of argument a 4500 running IOS 15.x)

It has interfaces in 3 different subnets -- 10.0.0.1/24, 10.0.1.1/24, and 10.0.2.1/24 It also has a loopback address of 172.16.0.33

How do I make it so that SSH / SNMP and other administrative traffic works on the 172 address but doesn't work on the IP addresses I wish to only use for L3 forwarding?

Ideally this can be done by disabling the control plane access to these interfaces not just by using an ACL, but whatever, I don't actually care that much as long as it works...

Thanks!

chris
  • 11,944
  • 6
  • 42
  • 51

2 Answers2

3

You can't disable the daemon on a interface. ACL are the way to go. Filtering should be done on the source address, not destination.

Config example:

line vty 0 4
 access-class secure_vty in
 ipv6 access-class secure6_vty in


ip access-list standard secure_vty
 permit 172.16.10.0 0.0.0.255
 deny any

ipv6 access-list secure6_vty
 deny ipv6 any any

In this config, 172.16.10.0/24 is your management network where you have your NMS, and you have no ipv6 on the NMS but there is some on the switch, so it has to protected.

Be sure also to disable sshv1 which is enabled by default :

Router(config)# ip ssh version 2
petrus
  • 5,297
  • 26
  • 42
  • So this means the NMS would be able to SNMP walk / ssh any of the IPs on the router? – chris Nov 21 '12 at 17:05
  • @Chris: ssh/vty yes, if the IPs are routed from the NMS. snmp needs its own acl: `snmp-server community ro `. – petrus Nov 21 '12 at 18:40
3

Control Plane Policing would be the cleanest implementation

First, create an ACL that MATCHES traffic which you will ultimately drop

ip access-list extended DROP
 permit tcp any host 10.0.0.1 eq 22
 permit tcp any host 10.0.1.1 eq 22
 permit tcp any host 10.0.2.1 eq 22
 permit udp any host 10.0.0.1 eq snmp
 permit udp any host 10.0.1.1 eq snmp
 permit udp any host 10.0.2.1 eq snmp

Next, create a class-map that matches the ACL you created above:

class-map SNMP_AND_SSH_TO_NON_LOOPBACK
 match access-group name DROP

Next, create a policy-map with action DROP on the desired traffic

policy-map CONTROL_PLANE_POLICING
 class SNMP_AND_SSH_TO_NON_LOOPBACK
  drop

Finally, apply the Control plane policing to your control plane

control-plane
 service-policy input CONTROL_PLANE_POLICING

Any traffic destined for the control plane which does NOT match your access list will PASS (this includes SNMP and SSH traffic destined for the Loopback address)

Jason Seemann
  • 1,120
  • 6
  • 9