We would like to prevent any user from being able to point an SSH client (PuTTY, Tera Term, etc.) at the IP address of their default gateway and getting to the router login page. This means only the TACACS username and password are the first and last line of defence. We only want the Management VLAN to allow access.
This seems fairly easy to do with Telnet, as I can set up an access-list on the VTY terminals or use CoPP (Control Plane Policing): https://www.youtube.com/watch?v=tsF1Pn6w7Ww
Basically, on the distribution switches we only want a login response from the Management VLAN address (which hopefully is only known by us and not general users).
Also, there seem to be different versions of control plane: some use the control-plane host command, which doesn’t work for me, and the class-map ‘Drop’ command doesn’t work either.