most_ahdy
Contributor

Only one management VLAN interface

Dears,

If I have an AOS device like the 7000 series, and I created different VLAN interfaces for different purposes, like vlan 1 interface 10.10.10.1/24 and vlan 2 interface 20.20.20.1/24, as a result I can manage the unit using https, http, ssh, ftp, tftp and snmp through both interfaces.

How could I allow management through only one VLAN interface, and not the others?

Thanks,

Mostafa Aly

7 Replies
Anonymous
Not applicable

Re: Only one management VLAN interface

You probably had an access-list "self" which is usually remarked as "Access to NetVanta". This gets created with the Firewall Wizard, and comes pre-configured on the 3100 series routers. This access list is used in your "Private" policy-class in the form of "allow list self self".

You can create an ACL that includes the protocols you want and the desired source IP range that you want to have access.

ip access-list extended admin.allowed
  remark Admin access to unit
  permit tcp x.x.x.0 0.0.0.255 any eq https log
  permit tcp x.x.x.0 0.0.0.255 any eq ssh log
!
ip access-list extended admin.filter
  remark Deny Admin access to Unit
  permit tcp any any eq https log
  permit tcp any any eq ssh log
!
ip policy-class Private
  allow list admin.allowed self
  filter list admin.filter self
  allow list self self
  nat source list wizard-ics interface vlan XXX overload

There may be a smoother way to do it, but this would allow the addresses on one VLAN specified by the ACL admin.filter to have admin access, and deny admin access from anywhere else. You just put what protocols you want in the lists respectively.

I hope this helps.


jayh
Honored Contributor

Re: Only one management VLAN interface

I find it better to limit administrative access based on source IP address rather than the incoming interface. You might want to allow access from hosts not directly connected, for example if the unit is at a customer premise and you want to allow access from your company HQ.

For example if you want to allow management from hosts on the 10.10.10.0/24 subnet, your configuration would look something like this:

! Specify networks allowed in an access-list.
!
ip access-list standard admin-list
  permit 10.10.10.0 0.0.0.255
  ! permit statements here for other networks
!
! Then apply that list to the web interfaces, standard and SSL.
!
http ip access-class admin-list in
http ip secure-access-class admin-list in
!
! Also apply it to the command line administrative interfaces, telnet and ssh.
!
line telnet 0 4
  ip access-class admin-list in
!
line ssh 0 4
  ip access-class admin-list in
!
! And for good measure lock down snmp.
!
snmp-server community itsabigsecret ro ip access-class admin-list

Re: Only one management VLAN interface

Hi Jayh,

Thank you for your reply, it is a good tactic to apply an access list to the management lines directly, but what I want exactly is to allow any IPs to access the unit but through only one IP interface. For example, if I have 3 VLANs, one vlan(DATA) with interface IP 10.10.10.1/24, vlan(VOICE) with interface IP 10.20.20.1/24 and vlan(MANAGEMENT) with interface IP 30.30.30.1/24, by default anyone can manage the unit using these three IPs, but I want anyone to manage the unit using only 30.30.30.1/24 (Management).

Based on your post and the one posted by vmaxdawg05, I found a good solution.

This solution is based on creating an access list that permits TCP any to 10.20.20.1/24 and 10.10.10.1/24 with management ports like http/https/ssh/telnet.

For example:

permit tcp any 10.20.20.1 0.0.0.0 eq ssl
permit tcp any 10.20.20.1 0.0.0.0 eq http
permit tcp any 10.20.20.1 0.0.0.0 eq https
permit tcp any 10.20.20.1 0.0.0.0 eq telnet
permit tcp any 10.10.10.1 0.0.0.0 eq ssl
permit tcp any 10.10.10.1 0.0.0.0 eq http
permit tcp any 10.10.10.1 0.0.0.0 eq https
permit tcp any 10.10.10.1 0.0.0.0 eq telnet

Then apply this access list to a policy class's discard entry, and apply this policy class to all existing IP interfaces in the unit.

BUT to completely restrict management access I have to do this with ftp and tftp along with http, https, ssh and telnet,

and by doing this with the above access list it will restrict ftp and tftp access from all IP phones in the VoIP VLAN to 10.20.20.1 and from softphones in the DATA VLAN, so I have to make an exception for every IP phone and softphone IP, and I think this is not a practical solution.

So if you have a better solution, that will be awesome.

Thanks,

Mostafa Aly

Re: Only one management VLAN interface

Hi Vmax,

Thank you for your helpful answer.

Kindly, I need to know the purpose of this command: "nat source list wizard-ics interface vlan XXX overload"

and what is the access-list wizard-ics?

Thanks,

Mostafa Aly

jayh
Honored Contributor

Re: Only one management VLAN interface


most_ahdy wrote:

> Hi Jayh,
>
> Thank you for your reply, it is a good tactic to apply an access list to the management lines directly, but what I want exactly is to allow any IPs to access the unit but through only one IP interface. For example, if I have 3 VLANs, one vlan(DATA) with interface IP 10.10.10.1/24, vlan(VOICE) with interface IP 10.20.20.1/24 and vlan(MANAGEMENT) with interface IP 30.30.30.1/24, by default anyone can manage the unit using these three IPs, but I want anyone to manage the unit using only 30.30.30.1/24 (Management).

You are thinking in terms of the interface IP on the unit, where I believe the actual concern is the source IP from which your allowed management workstations will log in.

If for example you block all management coming in on your vlan(DATA) and vlan(VOICE), that doesn't prevent someone with a 10.10.10.x or 20.20.20.x source IP from connecting to the management interface on 30.30.30.1.

> Based on your post and the one posted by vmaxdawg05, I found a good solution.
>
> This solution is based on creating an access list that permits TCP any to 10.20.20.1/24 and 10.10.10.1/24 with management ports like http/https/ssh/telnet.
>
> For example:
>
> permit tcp any 10.20.20.1 0.0.0.0 eq ssl
> permit tcp any 10.20.20.1 0.0.0.0 eq http
> permit tcp any 10.20.20.1 0.0.0.0 eq https
> permit tcp any 10.20.20.1 0.0.0.0 eq telnet
> permit tcp any 10.10.10.1 0.0.0.0 eq ssl
> permit tcp any 10.10.10.1 0.0.0.0 eq http
> permit tcp any 10.10.10.1 0.0.0.0 eq https
> permit tcp any 10.10.10.1 0.0.0.0 eq telnet
>
> Then apply this access list to a policy class's discard entry, and apply this policy class to all existing IP interfaces in the unit.
>
> BUT to completely restrict management access I have to do this with ftp and tftp along with http, https, ssh and telnet,
>
> and by doing this with the above access list it will restrict ftp and tftp access from all IP phones in the VoIP VLAN to 10.20.20.1 and from softphones in the DATA VLAN, so I have to make an exception for every IP phone and softphone IP, and I think this is not a practical solution.



With the configuration you suggest, anyone with any source IP in the world can access the device for management as long as they have a route to 30.30.30.1, either intrinsic to the device being managed or externally. If that's your goal, it will work. A device on the data VLAN with a source IP of 10.10.10.2 can still SSH to 30.30.30.1, for example.

If instead your goal is to restrict management to hosts within 30.30.30.0/24 then in my opinion you're better off constructing an ACL for the allowed hosts and applying it to the HTTP, HTTPS, SSH, and telnet lines per my previous example.

I'm not that familiar with the 7000 but I think that FTP and TFTP are there for the phones to pull configurations from a built-in filesystem and won't be useful for device configuration. You could and probably should limit FTP and TFTP to devices on the voice VLAN to allow phones to pull configurations, especially if SIP login credentials are stored on the unit.
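To make the difference between the two approaches in this thread concrete, here is a small Python model added as an illustration (it is not code from any poster or from ADTRAN). It assumes simplified first-match ACL semantics with an implicit deny, models only TCP management ports, and uses the interface addresses quoted above as constructed sample values.

```python
import ipaddress

# Constructed sample values: management ports and the VLAN addresses from the thread.
MGMT_PORTS = (22, 23, 80, 443)          # ssh, telnet, http, https
ANY = ("0.0.0.0", "255.255.255.255")    # "any" expressed as base + wildcard mask
HOST = "0.0.0.0"                        # wildcard mask that matches one host

def wildcard_match(addr, base, wildcard):
    """AOS/Cisco-style match: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst, dport):
    """First-match evaluation with the implicit deny at the end of every ACL.

    Assumed entry layout: (action, src, src_wild, dst, dst_wild, port);
    port None means any destination port.
    """
    for action, sb, sw, db, dw, port in acl:
        if (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
                and port in (None, dport)):
            return action == "permit"
    return False

# Approach 1 (interface-based): a policy-class discard entry whose ACL matches
# management ports addressed to the DATA and VOICE interface IPs.
DISCARD_LIST = [("permit", *ANY, host, HOST, p)
                for host in ("10.10.10.1", "10.20.20.1") for p in MGMT_PORTS]

def interface_filter_allows(src, dst, dport):
    # Whatever the discard ACL permits is dropped; everything else reaches the unit.
    return not acl_permits(DISCARD_LIST, src, dst, dport)

# Approach 2 (jayh's): an access-class on the management lines keyed on source.
ADMIN_LIST = [("permit", "30.30.30.0", "0.0.0.255", *ANY, None)]

def source_filter_allows(src, dst, dport):
    return acl_permits(ADMIN_LIST, src, dst, dport)

def compare(src, dst, dport):
    """(allowed by approach 1, allowed by approach 2) for one TCP connection."""
    return interface_filter_allows(src, dst, dport), source_filter_allows(src, dst, dport)

if __name__ == "__main__":
    # A DATA-VLAN host reaching the management address: passes approach 1, not 2.
    print(compare("10.10.10.2", "30.30.30.1", 22))
```

The first call reproduces jayh's point: a 10.10.10.2 source aimed at 30.30.30.1 is untouched by the discard list but denied by the source-keyed access-class.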

Re: Only one management VLAN interface

jayh wrote:

> You are thinking in terms of the interface IP on the unit, where I believe the actual concern is the source IP from which your allowed management workstations will log in.
>
> If for example you block all management coming in on your vlan(DATA) and vlan(VOICE), that doesn't prevent someone with a 10.10.10.x or 20.20.20.x source IP from connecting to the management interface on 30.30.30.1.

This is totally true, but I am planning to do this filtering in a third-party firewall, as the default gateway of the data VLAN devices is the IP address of this firewall.

But what if a user changes his default gateway to be the IP of the NetVanta? Sure, he will be able to manage the device, so I think your solution is more reliable.

> I'm not that familiar with the 7000 but I think that FTP and TFTP are there for the phones to pull configurations from a built-in filesystem and won't be useful for device configuration.

What do you mean by "it won't be useful for device configuration"?

> You could and probably should limit FTP and TFTP to devices on the voice VLAN to allow phones to pull configurations, especially if SIP login credentials are stored on the unit.

But what about the softphones installed in the Data VLAN? I think I should also make an FTP and TFTP exception for them??!!!

jayh
Honored Contributor

Re: Only one management VLAN interface


most_ahdy wrote:

> > I'm not that familiar with the 7000 but I think that FTP and TFTP are there for the phones to pull configurations from a built-in filesystem and won't be useful for device configuration.
>
> What do you mean by "it won't be useful for device configuration"?

Good point for FTP if the 7000 doesn't restrict FTP usage to a limited directory for phone configurations. We use a centralized SFTP server strictly for phone configurations so never enable FTP on AOS units.

You can use the following to restrict FTP/TFTP access to the voice VLAN.

ip ftp access-class [WORD] in
tftp ip access-class [WORD] in

(There seems to be an ongoing pie fight in Huntsville as to whether it should be "ip [service]" or "[service] ip". When in doubt try them both or use ?-completion.)

Also

no tftp server overwrite

prevents overwriting stored files.

> But what about the softphones installed in the Data VLAN? I think I should also make an FTP and TFTP exception for them??!!!

None of the softphones with which I'm familiar require FTP or TFTP to download configurations like hardware SIP phones do. By definition softphones tend to travel so you're likely to encounter them coming in from the public Internet as well.