For line 40 I would just consider it a cosmetic bug.
I am not sure about whether this works for HTTP login. I haven't tested before.

Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Saturday, November 06, 2010 11:43 PM
To: Sebastian Pasternacki
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] login block

Sebastian,

I am using 12.4(15)T13. Agree that the permit statement doesn't matter, but why is it there? Only standard access-lists are accepted by the HTTP server access-class, which leaves the application of the ACL to the physical interface. But for that a permit ip any any is required at the end.

With regards
Kings

On Sun, Nov 7, 2010 at 12:57 AM, Sebastian Pasternacki <[email protected]> wrote:

Hi Kingsley,

Firstly a HTTP question - HTTP login block and login delay support is in releases 12.2(33)SXH and 12.4(16)T and later.
SOURCE - http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_login.html

So the question is what is your IOS version?

Permit statement doesn't really matter, because all SSH access is blocked with line 30 in your ACL.

How does this ACL look without active blocking? If the ACL is applied to CON/AUX only from time to time, I would say that it looks like a bug.
If it is applied always, then it may be the way this feature works. Unfortunately I don't have any routers at the moment to test it.

Regards,
Seba

On 6 November 2010 11:43, Kingsley Charles <[email protected]> wrote:

Hi all,

I have configured the router for login block.

router(config)#login block-for 60 attempts 2 within 5

The following is the ACL configured on vty lines.

router#sh access-lists
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit tcp any any eq 22 log

As per the Cisco docs, the login block feature blocks all the telnet and ssh connections. But, if you observe the ACEs, there is one for HTTP too. Also take a look at the last one: it permits ssh. Sometimes, I see the ACL applied to aux and con lines too. Seems some type of bug. Any thoughts?

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
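As an added example (not part of the thread), a small Python script that parses the sl_def_acl output quoted above and applies IOS first-match semantics to it: line 40 comes out as unreachable because line 30 already denies the same traffic, which is why the permit is cosmetic, and the implicit deny at the end explains why a trailing permit ip any any is needed once the ACL is moved to an interface. The PORT_NAMES table and the exact-duplicate shadow rule are my own simplifications; sources and destinations are assumed to be "any".

```python
import re

# Constructed sample input: the sl_def_acl output quoted in the thread.
SHOW_ACCESS_LISTS = """\
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit tcp any any eq 22 log
"""
# IOS prints well-known ports by name; map the ones seen here to numbers (assumption).
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+log)?\s*$"
)

def parse_acl(text):
    """Return the ACEs of one extended ACL as dicts, in sequence order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:  # header lines and unmodelled syntax are skipped
            ace = m.groupdict()
            ace["seq"] = int(ace["seq"])
            p = ace["port"]
            ace["port"] = (PORT_NAMES[p] if p in PORT_NAMES else int(p)) if p else None
            aces.append(ace)
    return aces

def effective_action(aces, port, proto="tcp"):
    """First-match semantics for an any/any flow; an ACE without 'eq' matches every port."""
    for ace in aces:
        if ace["proto"] == proto and ace["port"] in (None, port):
            return ace["action"]
    return "deny"  # every IOS ACL ends in an implicit deny

def shadowed_entries(aces):
    """(seq, shadowed_by) for ACEs that exactly repeat an earlier ACE's match fields."""
    first_seen, shadowed = {}, []
    for ace in aces:
        key = (ace["proto"], ace["src"], ace["dst"], ace["port"])
        if key in first_seen:
            shadowed.append((ace["seq"], first_seen[key]))
        else:
            first_seen[key] = ace["seq"]
    return shadowed
```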
