On 2023-10-17 14:28, Brandon Butterworth wrote:
> On Tue Oct 17, 2023 at 01:05:55PM +0000, David Round (Staff) wrote:
> > Is there a better way of restricting access to management interfaces of an L3 switch, say, to certain VRFs or interfaces?
>
> Many now have a separate management port + vrf to keep all
> this stuff private as it should be. Of course you then need
> an OOB net to manage such devices and still need to take
> care you've not left another barn door open.

Our recent experience has been that while this works for ssh/console
access, the http(s) server on at least the ASR1k cannot be restricted
to a specific VRF and happily listens on all IP addresses associated
with the device.

The http access list works at the application layer as well, so clients
that are not permitted get a 403 error rather than a TCP reset.

Not ideal if one is wanting to enable RESTCONF access.
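As an added example (not code from any message in this thread), the following Python script audits an IOS-XE style running-config for the exposure described above: an HTTP(S) server that is enabled with no `ip http access-class` ACL, an access-class that points at an ACL the config never defines, and a reminder that the access-class only filters at the application layer, so the listener still answers on every address. The `ip http server`, `ip http secure-server` and `ip http access-class` command forms, the `audit_http_config` function and the sample config are my assumptions; adjust the patterns to your platform's syntax.

```python
"""Audit an IOS-XE style running-config for management HTTP(S) exposure.

Assumed command forms (verify against your platform):
  ip http server
  ip http secure-server
  ip http access-class [ipv4] <acl-name-or-number>
  ip access-list {standard|extended} <name>   /  access-list <number> ...
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Finding codes reported by the audit.
HTTP_PLAINTEXT = "HTTP_PLAINTEXT"            # cleartext HTTP server enabled
NO_ACCESS_CLASS = "NO_ACCESS_CLASS"          # server enabled, no ACL at all
ACL_UNDEFINED = "ACL_UNDEFINED"              # access-class names an ACL not in config
APP_LAYER_FILTER_ONLY = "APP_LAYER_FILTER_ONLY"  # ACL present, but listener still open


@dataclass
class HttpAudit:
    http_enabled: bool = False
    https_enabled: bool = False
    access_class_acl: Optional[str] = None
    acls_defined: Set[str] = field(default_factory=set)
    findings: List[Tuple[str, str]] = field(default_factory=list)

    def codes(self) -> Set[str]:
        return {code for code, _ in self.findings}


def audit_http_config(config_text: str) -> HttpAudit:
    """Parse the config line by line and collect findings."""
    a = HttpAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            a.http_enabled = True
        elif line == "ip http secure-server":
            a.https_enabled = True
        elif m := re.match(r"ip http access-class (?:ipv4 )?(\S+)$", line):
            a.access_class_acl = m.group(1)
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
            a.acls_defined.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            a.acls_defined.add(m.group(1))

    server_on = a.http_enabled or a.https_enabled
    if a.http_enabled:
        a.findings.append((HTTP_PLAINTEXT,
                           "cleartext 'ip http server' is enabled; prefer secure-server only"))
    if server_on and a.access_class_acl is None:
        a.findings.append((NO_ACCESS_CLASS,
                           "HTTP(S) server enabled with no access-class: reachable from any "
                           "address the device holds, in any VRF"))
    if server_on and a.access_class_acl is not None:
        if a.access_class_acl not in a.acls_defined:
            a.findings.append((ACL_UNDEFINED,
                               f"access-class references ACL '{a.access_class_acl}' "
                               "which is not defined in this config"))
        a.findings.append((APP_LAYER_FILTER_ONLY,
                           "access-class filters at the application layer: denied clients "
                           "complete the TCP handshake and get a 403, so the listener is "
                           "still visible on every address; pair it with OOB reachability "
                           "and infrastructure ACLs"))
    return a


# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
vrf definition Mgmt-intf
 address-family ipv4
!
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any
!
ip http server
ip http secure-server
ip http access-class ipv4 MGMT-HOSTS
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.0.2.10 255.255.255.0
!
end
"""

if __name__ == "__main__":
    for code, msg in audit_http_config(SAMPLE_CONFIG).findings:
        print(f"[{code}] {msg}")
```

Run it against `show running-config` output saved to a file; a config with `ip http secure-server` and no access-class produces `NO_ACCESS_CLASS`, which is the state the thread describes as the default exposure.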
