I like the answer from Iassen, though it does leave some question as to where the source packet comes from, as he has assumed a local broadcast segment. I guess you could add to your answer that, should the packet come from beyond a layer 3 boundary, the 2 hosts can be requested to mark their traffic (or even a different router along the path can mark it) to match in your class map on this router. That way you still avoid ACLs but meet the question requirements. That is a stupid way of doing it though, as it's not very secure should someone learn the magic ToS bit to use to get telnet access :)

----- Original Message ----- From: "Iassen Anadoliev" <[EMAIL PROTECTED]>
To: "Joost greene" <[EMAIL PROTECTED]>
Cc: <cisco-nsp@puck.nether.net>
Sent: Saturday, August 02, 2008 12:08 AM
Subject: Re: [c-nsp] Filtering telnet without ACL



On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
Hello,

Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?

Regards,
Joost
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Well, if we assume that this is an Ethernet network and the hosts are within our broadcast domain, I think you can use MQC = NBAR, something like:

! Telnet (via NBAR) AND a source MAC from the nested list of permitted hosts
class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
 exit
!
! The two permitted hosts, identified by source MAC; only works while they
! sit on the same L2 segment, otherwise the source MAC is the upstream router's
class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac xxx.xxx.xxx
 match source-address mac yyy.yyy.yyy
 exit
!
! Catch-all for any other telnet
class-map DENY_TELNET
 match protocol telnet
 exit
!
! Classes are checked in order: permitted telnet matches first and is forwarded,
! the remaining telnet falls into DENY_TELNET and is dropped
policy-map IN_FE0/0
 class PERMIT_TELNET
  bandwidth remaining percent 100
 class DENY_TELNET
  drop
!
int fastether0/0
 service-policy input IN_FE0/0

--
Well by
Iassen Anadoliev
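As an added example (not code from this thread or from Cisco), here is a small Python model of how an IOS policy-map classifies packets, used to check both Iassen's MAC-based class-maps above and the DSCP-marking variant suggested in the follow-up reply at the top of the thread. The MQC semantics it models (match-all vs match-any, nested "match class-map", first matching class wins, class-default transmits) are standard; the MAC addresses, the DSCP value and the packets are constructed for the demonstration, and NBAR's telnet detection is reduced to TCP port 23.

```python
# Added example, not from the cisco-nsp thread: a Python model of MQC
# classification for the two approaches discussed. All addresses, the DSCP
# value and the sample packets below are constructed for the demo.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str      # Ethernet source address as seen on the ingress interface
    dst_port: int     # TCP destination port
    dscp: int = 0     # DSCP field; 0 means unmarked


Predicate = Callable[[Packet], bool]


# "match protocol telnet": NBAR telnet recognition reduced to TCP/23 here
def match_protocol_telnet(pkt: Packet) -> bool:
    return pkt.dst_port == 23


# "match source-address mac <addr>"
def match_source_mac(mac: str) -> Predicate:
    return lambda pkt: pkt.src_mac.lower() == mac.lower()


# "match dscp <value>"
def match_dscp(value: int) -> Predicate:
    return lambda pkt: pkt.dscp == value


@dataclass
class ClassMap:
    name: str
    matches: List[Predicate]
    match_all: bool = True  # class-map match-all (the default) vs match-any

    def evaluate(self, pkt: Packet) -> bool:
        results = [m(pkt) for m in self.matches]
        return all(results) if self.match_all else any(results)


# "match class-map <name>": a nested class-map is just another predicate
def match_class_map(cm: ClassMap) -> Predicate:
    return cm.evaluate


# A policy-map is an ordered list of (class, action); the first class that
# matches decides, and unmatched traffic falls into class-default (transmit).
PolicyMap = List[Tuple[ClassMap, str]]


def apply_policy(policy: PolicyMap, pkt: Packet) -> str:
    for cm, action in policy:
        if cm.evaluate(pkt):
            return action
    return "transmit"


# --- Iassen's approach: permit telnet by the source MAC of the two hosts ---
HOST_A = "0000.0c11.aaaa"            # constructed
HOST_B = "0000.0c11.bbbb"            # constructed
UPSTREAM_ROUTER = "0000.0c11.ffff"   # constructed: source MAC of every packet
                                     # that crosses a layer 3 hop to reach us

permit_telnet_hosts = ClassMap(
    "PERMIT_TELNET_HOSTS",
    [match_source_mac(HOST_A), match_source_mac(HOST_B)],
    match_all=False,
)
permit_telnet = ClassMap(
    "PERMIT_TELNET", [match_protocol_telnet, match_class_map(permit_telnet_hosts)]
)
deny_telnet = ClassMap("DENY_TELNET", [match_protocol_telnet])
MAC_POLICY: PolicyMap = [(permit_telnet, "transmit"), (deny_telnet, "drop")]

# --- Follow-up reply's variant: the trusted hosts (or a router on the path)
# mark their telnet with a DSCP value and the class-map matches the mark ---
MAGIC_DSCP = 40  # constructed value for the demo
permit_marked_telnet = ClassMap(
    "PERMIT_TELNET_MARKED", [match_protocol_telnet, match_dscp(MAGIC_DSCP)]
)
DSCP_POLICY: PolicyMap = [(permit_marked_telnet, "transmit"), (deny_telnet, "drop")]


def classify(policy: PolicyMap, src_mac: str, dst_port: int, dscp: int = 0) -> str:
    """Return the action the policy-map takes for one constructed packet."""
    return apply_policy(policy, Packet(src_mac, dst_port, dscp))


if __name__ == "__main__":
    other = "0000.0c11.cccc"  # constructed: a host that is not A or B
    for label, policy in (("MAC policy", MAC_POLICY), ("DSCP policy", DSCP_POLICY)):
        print(label)
        print("  telnet from host A            ->", classify(policy, HOST_A, 23))
        print("  telnet from other local host  ->", classify(policy, other, 23))
        print("  telnet arriving via router    ->", classify(policy, UPSTREAM_ROUTER, 23))
        print("  marked telnet, any source     ->", classify(policy, other, 23, MAGIC_DSCP))
        print("  ssh from other local host     ->", classify(policy, other, 22))
```

Running it shows the two caveats the thread raises: under the MAC policy, telnet from host A is dropped as soon as it arrives through a router (the source MAC is then the router's), and under the DSCP policy any source that carries the mark is forwarded, so the marking approach is only as strong as control over who can set that mark.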
