Re: [c-nsp] Filtering telnet without ACL
Hi Saku,

I forgot to mention that the question said to limit telnet access to the loopback of two routers without using access lists, so I can see your answer makes sense, but what do you mean by MPLS LSR?

Thanks,
Joost

On Fri, Aug 1, 2008 at 5:04 PM, Saku Ytti [EMAIL PROTECTED] wrote:
> On (2008-08-01 15:14 +0200), Joost greene wrote:
> > Hey,
> > Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?
>
> I assume the challenge was set because the asker knows how to do it. If not, then I think the challenge should be how to make the router output PONIES.
>
> Anyhow, I think CoPP, rACL and policy-route would break the 'no acl' definition and wouldn't be an acceptable solution. I think what would fit the rule is an MPLS LSR, where you'd only have a route back to a couple of management hosts and others couldn't telnet to the box, simply because the box doesn't have a route to them. Of course everyone in your IGP could telnet to the box also.
>
> --
>   ++ytti

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Filtering telnet without ACL
On (2008-08-11 11:13 +0300), Joost greene wrote:
> I forgot to mention that the question said to limit telnet access to the loopback of two routers without using access lists, so I can see your answer makes sense, but what do you mean by MPLS LSR?

LSR = Label Switch(ing) Router. Essentially it's an MPLS network core router; one of its features by design is that it does not need IP routes to the Internet, it only needs IP routes to other core and edge routers. So as you don't have a route back to the chap telnetting to your box, telnet cannot establish. To allow some hosts to telnet, simply make a static route for those hosts towards some box which has a route back to them.

> Thanks,
> Joost

--
  ++ytti
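The "no route back" idea described above, written out as an added IOS configuration example (not from the thread, not from any poster): the box learns only infrastructure routes from its IGP, carries no default route, and has host routes for just the two management stations. All addresses are constructed documentation values, and the next hop 10.0.0.1 is an assumed edge router that does have a full routing table.

```cisco
! Added example, not from the thread. Addresses are constructed (RFC 5737 / RFC 1918).
!
! The IGP (OSPF here) supplies routes to the other core and edge routers only.
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! Deliberately NO default route: no "ip route 0.0.0.0 0.0.0.0 ..." anywhere.
!
! Host routes for the two permitted management stations, pointing at an edge
! router (10.0.0.1, assumed) that has a route back to them.
ip route 192.0.2.10 255.255.255.255 10.0.0.1
ip route 192.0.2.11 255.255.255.255 10.0.0.1
!
! Check from the box itself: a SYN from 203.0.113.5 can still arrive, but the
! SYN-ACK has no route, so the session never opens.
!   show ip route 203.0.113.5    -> "% Network not in table"
!   show ip route 192.0.2.10     -> known via "static", via 10.0.0.1
```

Two caveats follow directly from Saku's description: anything inside the IGP range (10.0.0.0/8 here) still has a route back and can telnet in, and the filter is not protocol specific, so the box cannot answer NTP, DNS, SNMP or anything else for hosts outside that range either.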
Re: [c-nsp] Filtering telnet without ACL
Ok, I thought this is a feature I don't know about :) I guess the answer would be PBR with prefix-list.

Thank you all.

On Mon, Aug 11, 2008 at 11:21 AM, Saku Ytti [EMAIL PROTECTED] wrote:
> On (2008-08-11 11:13 +0300), Joost greene wrote:
> > I forgot to mention that the question said to limit telnet access to the loopback of two routers without using access lists, so I can see your answer makes sense, but what do you mean by MPLS LSR?
>
> LSR = Label Switch(ing) Router. Essentially it's an MPLS network core router; one of its features by design is that it does not need IP routes to the Internet, it only needs IP routes to other core and edge routers. So as you don't have a route back to the chap telnetting to your box, telnet cannot establish. To allow some hosts to telnet, simply make a static route for those hosts towards some box which has a route back to them.
>
> --
>   ++ytti
Re: [c-nsp] Filtering telnet without ACL
On (2008-08-11 11:36 +0300), Joost greene wrote:
> Ok, I thought this is a feature I don't know about :) I guess the answer would be PBR with prefix-list.

Although the question was protocol specific, which makes it hard to satisfy without ACLs. You could imagine that the box may be offering NTP, DNS or TFTP to the network, which should continue to work.

--
  ++ytti
Re: [c-nsp] Filtering telnet without ACL
Saku Ytti wrote:
> Although the question was protocol specific, which makes it hard to satisfy without ACLs. You could imagine that the box may be offering NTP, DNS or TFTP to the network, which should continue to work.

You could potentially do it using a CoPP policy, with a CoPP policy for the address(es) you wish and 0bps configured for other rates.

If it's just telnet, then certainly an access-class on the vty would work too, albeit that would be s/w enforced, not h/w enforced.

cheers,

lincoln.
Re: [c-nsp] Filtering telnet without ACL
On (2008-08-11 20:30 +1000), Lincoln Dale wrote:
> You could potentially do it using a CoPP policy, with a CoPP policy for the address(es) you wish and 0bps configured for other rates.

OP was about doing it w/o ACL; CoPP would violate that rule.

> If it's just telnet, then certainly an access-class on the vty would work too, albeit that would be s/w enforced, not h/w enforced.

--
  ++ytti
Re: [c-nsp] Filtering telnet without ACL
The ACL restriction might not rule out the prefix-list option. So I would go for the prefix-list + route-map solution.

--- On Fri, 1/8/08, Joost greene [EMAIL PROTECTED] wrote:
> From: Joost greene [EMAIL PROTECTED]
> Subject: [c-nsp] Filtering telnet without ACL
> To: cisco-nsp@puck.nether.net
> Date: Friday, 1 August, 2008, 2:14 PM
>
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?
>
> Regards,
> Joost
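The prefix-list + route-map solution proposed above, written out as an added IOS configuration example (not posted by anyone in the thread). It assumes the platform accepts a prefix-list match in a PBR route-map and compares it against the destination of router-originated packets when applied with `ip local policy`; both should be confirmed with the route-map hit counters before relying on it. All addresses are constructed documentation values.

```cisco
! Added example, not from the thread. Addresses are constructed (RFC 5737 / RFC 1918).
!
! Destinations the router is allowed to send packets to: the two management
! hosts, plus the infrastructure range it must keep talking to (IGP neighbours,
! NTP/syslog servers, and so on). Anything the box must answer has to be listed.
ip prefix-list ALLOWED_DST seq 5  permit 192.0.2.10/32
ip prefix-list ALLOWED_DST seq 10 permit 192.0.2.11/32
ip prefix-list ALLOWED_DST seq 20 permit 10.0.0.0/8 le 32
!
! Clause 10 matches packets to an allowed destination and carries no "set",
! so they are forwarded normally.
route-map MGMT_ONLY permit 10
 match ip address prefix-list ALLOWED_DST
!
! Clause 20 has no "match", so it catches everything else and discards it.
! A telnet SYN from any other source still arrives, but the SYN-ACK is dropped
! here and the handshake never completes.
route-map MGMT_ONLY permit 20
 set interface Null0
!
! Local policy applies the route-map to packets the router itself generates.
ip local policy route-map MGMT_ONLY
!
! Verification (output not reproduced here):
!   show ip local policy
!   show route-map MGMT_ONLY      ; clause 20 counters rise on a rejected telnet attempt
```

The design choice matches Saku's objection exactly: a prefix-list sees addresses only, so this drops every reply the box would send to a non-listed destination, not just telnet. It is therefore only safe on a box whose entire set of legitimate peers and clients can be enumerated in the prefix-list, and it must be applied on the console or from a host inside that list.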
Re: [c-nsp] Filtering telnet without ACL
I think if I loosen the definition of telnet I can win here.

  no transport input telnet

on the VTYs. Then connect your console/aux into your terminal server / DCN and access it via telnet.

Dave.

Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?
>
> Regards,
> Joost
Re: [c-nsp] Filtering telnet without ACL
Saku Ytti wrote:
> I assume the challenge was set because the asker knows how to do it.

Or the asker didn't know how to do it and it cost him some time and a few points, somewhere, in some lab...

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
[c-nsp] Filtering telnet without ACL
Hello,

Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?

Regards,
Joost
Re: [c-nsp] Filtering telnet without ACL
On Fri, 01 Aug 2008, Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?
>
> Regards,
> Joost

Route map...

  ip access-list extended NO_TELNET
   deny tcp any any eq 23
  !
  route-map BLOCK_TELNET 10
   match ip address NO_TELNET
   set interface Null 0
  !
  ip local policy route-map BLOCK_TELNET

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI

"Experience hath shewn, that even under the best forms (of government) those entrusted with power have, in time, and by slow operations, perverted it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
Re: [c-nsp] Filtering telnet without ACL
On (2008-08-01 15:14 +0200), Joost greene wrote:
> Hey,
>
> Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?

I assume the challenge was set because the asker knows how to do it. If not, then I think the challenge should be how to make the router output PONIES.

Anyhow, I think CoPP, rACL and policy-route would break the 'no acl' definition and wouldn't be an acceptable solution. I think what would fit the rule is an MPLS LSR, where you'd only have a route back to a couple of management hosts and others couldn't telnet to the box, simply because the box doesn't have a route to them. Of course everyone in your IGP could telnet to the box also.

--
  ++ytti
Re: [c-nsp] Filtering telnet without ACL
On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?
>
> Regards,
> Joost

Well, if we assume that this is an ethernet network and the hosts are within our broadcast domain, I think you can use MQC => NBAR, something like:

  class-map match-all PERMIT_TELNET
   match protocol telnet
   match class-map PERMIT_TELNET_HOSTS
  exit
  class-map match-any PERMIT_TELNET_HOSTS
   match source-address mac xxx.xxx.xxx
   match source-address mac yyy.yyy.yyy
  exit
  class-map DENY_TELNET
   match protocol telnet
  exit
  policy-map IN_FE0/0
   class PERMIT_TELNET
    bandwidth remaining percent 100
   class DENY_TELNET
    drop
  int fastether0/0
   service-policy input IN_FE0/0

--
WWell by Iassen Anadoliev
Re: [c-nsp] Filtering telnet without ACL
I like the answer from Iassen, while it does leave some question as to where the source packet comes from, though, as he has assumed a local broadcast segment. I guess you could add to your answer: should the packet be from beyond a layer 3 boundary, then the 2 hosts can be requested to mark traffic (or even a different router along the path can mark it) to match in your class map on this router. That way you still avoid ACLs but meet the question's requirements. That is a stupid way of doing it, though, as it's not very secure should someone learn the magic ToS bit to use to get telnet access :)

- Original Message -
From: Iassen Anadoliev [EMAIL PROTECTED]
To: Joost greene [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Saturday, August 02, 2008 12:08 AM
Subject: Re: [c-nsp] Filtering telnet without ACL

> On Fri, August 1, 2008 4:14 pm, Joost greene wrote:
> > Hello,
> >
> > Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY? Any ideas?
> >
> > Regards,
> > Joost
>
> Well, if we assume that this is an ethernet network and the hosts are within our broadcast domain, I think you can use MQC => NBAR, something like:
>
> [...]
>
> --
> WWell by Iassen Anadoliev