I like the answer from Iassen, though it does leave some question as to where
the source packet comes from, as he has assumed a local broadcast segment. I
guess you could add to your answer: should the packet be from beyond a layer 3
boundary, then the 2 hosts can be requested to mark traffic (or even a
different router along the path can mark it) to match in your class map on
this router. That way you still avoid ACLs but meet the question requirements.
That is a stupid way of doing it though, as it's not very secure should someone
learn the magic ToS bit to use to get telnet access :)
----- Original Message -----
From: "Iassen Anadoliev" <[EMAIL PROTECTED]>
To: "Joost greene" <[EMAIL PROTECTED]>
Cc: <cisco-nsp@puck.nether.net>
Sent: Saturday, August 02, 2008 12:08 AM
Subject: Re: [c-nsp] Filtering telnet without ACL
On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
Hello,
Someone challenged me with a question on how I can filter telnet access to
one router from all hosts except two of them WITHOUT using access-lists or
access-line under the VTY? Any ideas?
Regards,
Joost
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Well, if we assume that this is an Ethernet network and the hosts are
within our broadcast domain, I think you can use MQC + NBAR, something like:
! the referenced class must exist before PERMIT_TELNET can "match class-map" it
class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac xxxx.xxxx.xxxx
 match source-address mac yyyy.yyyy.yyyy
!
! telnet AND from one of the two permitted MACs
class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
!
! any other telnet
class-map match-all DENY_TELNET
 match protocol telnet
!
! first matching class wins, so the permit class goes first;
! a class with no action simply forwards (bandwidth/CBWFQ actions are not
! accepted on an input policy)
policy-map IN_FE0/0
 class PERMIT_TELNET
 class DENY_TELNET
  drop
!
interface FastEthernet0/0
 service-policy input IN_FE0/0
--
Well by
Iassen Anadoliev
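The same MQC/NBAR approach written out end to end, as an added example that is not part of Iassen's post: the class-maps are declared in dependency order, the input policy carries no bandwidth action, and the show commands at the bottom are the check a practitioner would run to confirm the drop counter moves for a non-permitted host. The MAC addresses, policy name and interface are placeholders.

```cisco
! Added example (not from the original thread). Placeholder values:
! 0000.0000.0001 / 0000.0000.0002 = the two permitted management hosts,
! FastEthernet0/0 = the ingress interface they are attached to.
!
! 1. The permitted hosts, identified by source MAC. This is only meaningful
!    when they sit in this router's own broadcast domain: anything arriving
!    through another router carries that router's MAC, not the host's.
class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac 0000.0000.0001
 match source-address mac 0000.0000.0002
!
! 2. Telnet from a permitted host: both conditions must hold (match-all).
class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
!
! 3. Telnet from anyone else.
class-map match-all DENY_TELNET
 match protocol telnet
!
! 4. Classes are evaluated top down and the first match wins, so the permit
!    class must precede the deny class. A class with no action forwards;
!    CBWFQ actions such as "bandwidth" are output-only and are rejected on
!    an input policy, so none is configured here.
policy-map IN_TELNET_FILTER
 class PERMIT_TELNET
 class DENY_TELNET
  drop
!
! 5. Attach on every interface from which telnet could reach the VTYs;
!    an interface without the policy is an unfiltered path to the router.
interface FastEthernet0/0
 service-policy input IN_TELNET_FILTER
!
! Verification (exec mode), run after a telnet attempt from a host that is
! NOT in PERMIT_TELNET_HOSTS: the DENY_TELNET class should show the packet
! counted and dropped, while PERMIT_TELNET stays at zero for that test.
!   show policy-map interface FastEthernet0/0 input
!   show class-map PERMIT_TELNET
!   show class-map PERMIT_TELNET_HOSTS
```

Two caveats worth keeping in mind with this design: MAC addresses are trivially spoofable on a shared segment, so this is a convenience filter rather than an authentication control, and the policy protects only the interface it is attached to, so every other ingress interface (and the VTY lines themselves) still needs its own control.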