Preventing VTY Access from all default gateways


(John K) #1

We would like to prevent any user from being able to point an SSH client (Putty, Teraterm etc.) at the IP address of their default gateway and getting to the router login page. This means only the TACACS username and password are the first and last line of defence. We only want the Management VLAN to allow access.

This seems fairly easy to do with Telnet as I can setup a access-list on the VTY Terminals or use CoPP ( Control Plane ) https://www.youtube.com/watch?v=tsF1Pn6w7Ww

Basically, on the Distribution Switches we only want a login response from the Management VLAN address (which hopefully is only known by us and not general users) to respond.
Also, there seem to be different versions of control plane: some use the control-plane host command, which doesn't work for me; also the class-map 'Drop' command doesn't work.


(Mark S) #2

Hi;

I think you might need to do the following:

Router(config)#access-list 23 permit 10.10.10.0 0.0.0.255
! 10.10.10.0/24 is the IP range of the management VLAN
Router(config)#line vty 0 15
Router(config-line)#access-class 23 in
Router(config-line)#exit


(Lazaros Agapides) #3

Hello John

Mark is correct here. You can even create an access list allowing only specific IP addresses instead of ranges. For example:

ip access-list standard admin
permit 10.10.10.21
permit 10.10.10.22

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 15
Router(config-line)#access-class admin in

In this way, you can avoid using CoPP altogether.

I hope this was helpful!

Laz
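Once the access-class is in place, the thing that tends to drift is a VTY block without it (for example after someone adds `line vty 5 15` later) or an ACL that is wider than the management VLAN. The following audit script is an added example, not code from any of the posters: it parses a constructed running-config snippet (not the attached Showrun.txt) and reports any `line vty` block that lacks an inbound access-class, or whose standard ACL (numbered, as in Mark's answer, or named, as in Laz's) permits addresses outside an assumed 10.10.10.0/24 management VLAN.

```python
import re
from ipaddress import ip_network

# Constructed sample running-config (not the poster's Showrun.txt): vty 0 4 uses
# the named ACL from the thread, vty 5 15 has no access-class at all.
SAMPLE_CONFIG = """\
access-list 23 permit 10.10.10.0 0.0.0.255
ip access-list standard admin
 permit 10.10.10.21
 permit 10.10.10.22
line vty 0 4
 access-class admin in
line vty 5 15
"""
MGMT_VLAN = ip_network("10.10.10.0/24")  # assumed management VLAN range


def permit_to_network(words):
    """Map the tokens after 'permit' in a standard ACL entry to a network."""
    if words[0] == "any":
        return ip_network("0.0.0.0/0")
    # address followed by a wildcard mask, or a bare host address as show run prints it
    return ip_network(words[0] + "/" + (words[1] if len(words) > 1 else "32"))


def audit_vty(config, mgmt=MGMT_VLAN):
    """Return findings; an empty list means every VTY line admits mgmt only."""
    acls, vtys, ctx = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # top-level statement
            ctx, m = None, re.match(r"access-list (\d+) permit (.+)", line)
            if m:                             # numbered standard ACL entry
                acls.setdefault(m.group(1), []).append(m.group(2).split())
            elif line.startswith("ip access-list standard "):
                ctx = ("acl", line.split()[-1])
            elif line.startswith("line vty"):
                ctx, vtys[line] = ("vty", line), []
        elif ctx and ctx[0] == "acl" and line.startswith("permit "):
            acls.setdefault(ctx[1], []).append(line.split()[1:])
        elif ctx and ctx[0] == "vty":
            vtys[ctx[1]].append(line)
    findings = []
    for header, lines in vtys.items():
        names = [ln.split()[1] for ln in lines if ln.startswith("access-class ")]
        if not names:
            findings.append(f"{header}: no access-class applied")
        for net in (permit_to_network(w) for n in names for w in acls.get(n, [])):
            if not net.subnet_of(mgmt):
                findings.append(f"{header}: ACL permits {net} outside {mgmt}")
    return findings
```

Run it against `show running-config` output from each distribution switch; on the sample it flags only `line vty 5 15`, which is exactly the block an attacker pointing Putty at the default gateway would land on.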