Yes agreed. This is my experience too. Web service listens on all interfaces and we restrict using access lists.
Cheers, Chris

On Tue, 17 Oct 2023 at 15:34, Andrew Veitch <[email protected]> wrote:

> On 2023-10-17 14:28, Brandon Butterworth wrote:
> > On Tue Oct 17, 2023 at 01:05:55PM +0000, David Round (Staff) wrote:
> >> Is there a better way of restricting access to management interfaces
> >> of a L3 switch say to certain VRFs or interfaces?
> >
> > Many now have a separate management port + vrf to keep all
> > this stuff private as it should be. Of course you then need
> > an OOB net to manage such devices and still need to take
> > care you've not left another barn door open.
>
> Our recent experience has been that while this works for ssh/console
> access, the http(s) server on at least the ASR1k cannot be restricted
> to a specific VRF and happily listens on all IP addresses associated
> with the device.
>
> The http access list works at the application layer as well, so clients
> that are not permitted get a 403 error rather than a TCP reset.
>
> Not ideal if one is wanting to enable RESTCONF access.
>
> --
> The contents of this message are intended for the addressee only. The views expressed do not necessarily represent those of George Watson's College and the contents do not form a legal binding contract. George Watson's College is an Edinburgh Merchant Company Education Board School (Scottish Charity No. SC009747).
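As an added illustration (not configuration posted by anyone in this thread), the contrast the replies describe, an HTTP(S) server that listens everywhere versus one fenced by an access list, looks roughly like this on IOS-XE. The ACL name MGMT-HOSTS and the prefix 192.0.2.0/24 (RFC 5737 documentation range) are placeholders for your own management network; the `ipv4` keyword on `ip http access-class` is the newer IOS-XE form, older releases accept only a numbered ACL, so check the syntax against your release.

```cisco
! Weak default: the HTTP(S) server answers on every address the device
! owns and no ACL is attached, which is the exposure described above.
ip http server
ip http secure-server

! Restricted: plain HTTP off, HTTPS filtered at the application layer.
! MGMT-HOSTS / 192.0.2.0/24 are placeholders for the management prefix.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-HOSTS
!
! SSH on the vty lines can use the same ACL; "vrf-also" is needed so that
! sessions arriving via a VRF (e.g. the management VRF) are evaluated
! against the ACL instead of being refused outright.
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
```

Two caveats match what the thread reports: the access-class does not stop the server from listening on all addresses, it only filters who gets a response, and because it is applied at the application layer a denied client still completes the TCP handshake and receives a 403 rather than a reset. The `deny any log` entry at least makes those rejected attempts visible in the logs.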
