7 Replies Latest reply on Sep 18, 2013 10:23 AM by jayh

    Only one management VLAN interface

    most_ahdy New Member

      Dears,

             If I have an AOS device like the 7000 series, and I created different VLAN interfaces for different purposes, like VLAN 1 interface 10.10.10.1/24 and VLAN 2 interface 20.20.20.1/24, as a result I can manage the unit using HTTPS, HTTP, SSH, FTP, TFTP and SNMP through either of the two interfaces.

      How could I allow management through only one VLAN interface, and not the others?

      Thanks,

      Mostafa Aly

        • Re: Only one management VLAN interface
          vmaxdawg05 Past_Featured_Member

          You probably have an access-list "self" which is usually remarked as "Access to NetVanta".  This gets created with the Firewall Wizard, and comes pre-configured on the 3100 series routers.  This access list is used in your "Private" policy-class in the form of "allow list self self".

          You can create an ACL that includes the protocols you want and the desired source IP range that you want to have access.

          ip access-list extended admin.allowed
            remark Admin access to unit
            permit tcp x.x.x.0 0.0.0.255 any eq https log
            permit tcp x.x.x.0 0.0.0.255 any eq ssh log
          !
          ip access-list extended admin.filter
            remark Deny Admin access to Unit
            permit tcp any any eq https log
            permit tcp any any eq ssh log
          !
          ip policy-class Private
            allow list admin.allowed self
            filter list admin.filter self
            allow list self self
            nat source list wizard-ics interface vlan XXX overload

          There may be a smoother way to do it, but this would allow the addresses on one VLAN specified by the ACL admin.filter to have admin access, and deny admin access from anywhere else.  You just put what protocols you want in the lists respectively.

          I hope this helps.

          R\

          • Re: Only one management VLAN interface
            jayh Hall_of_Fame

            I find it better to limit administrative access based on source IP address rather than the incoming interface. You might want to allow access from hosts not directly connected, for example if the unit is at a customer premise and you want to allow access from your company HQ.

            For example if you want to allow management from hosts on the 10.10.10.0/24 subnet, your configuration would look something like this:

            ! Specify networks allowed in an access-list.
            !
            ip access-list standard admin-list
              permit 10.10.10.0 0.0.0.255
              ! permit statements here for other networks
            !
            ! Then apply that list to the web interfaces, standard and SSL.
            !
            http ip access-class admin-list in
            http ip secure-access-class admin-list in
            !
            ! Also apply it to the command line administrative interfaces, telnet and ssh.
            !
            line telnet 0 4
              ip access-class admin-list in
            !
            line ssh 0 4
              ip access-class admin-list in
            !
            ! And for good measure lock down snmp.
            !
            snmp-server community itsabigsecret ro ip access-class admin-list

              • Re: Only one management VLAN interface
                most_ahdy New Member

                Hi Jayh,

                   Thank you for your reply. It is a good tactic to apply an access list to the management lines directly, but what I want exactly is to allow any IP to access the unit, but only through one IP interface. For example, if I have 3 VLANs, one VLAN (DATA) with interface IP 10.10.10.1/24, VLAN (VOICE) with interface IP 10.20.20.1/24 and VLAN (MANAGEMENT) with interface IP 30.30.30.1/24, by default anyone can manage the unit using these three IPs, but I want anyone to manage the unit using only 30.30.30.1/24 (Management).

                Based on your post and the one posted by vmaxdawg05, I found a good solution.

                This solution is based on creating an access list that permits TCP from any to 10.20.20.1/24 and 10.10.10.1/24 on management ports like http/https/ssh/telnet.

                For example:

                permit tcp any 10.20.20.1 0.0.0.0 eq ssl
                permit tcp any 10.20.20.1 0.0.0.0 eq http
                permit tcp any 10.20.20.1 0.0.0.0 eq https
                permit tcp any 10.20.20.1 0.0.0.0 eq telnet
                !
                permit tcp any 10.10.10.1 0.0.0.0 eq ssl
                permit tcp any 10.10.10.1 0.0.0.0 eq http
                permit tcp any 10.10.10.1 0.0.0.0 eq https
                permit tcp any 10.10.10.1 0.0.0.0 eq telnet

                Then apply this access list to a policy class's discard entry, and apply this policy class to all existing IP interfaces in the unit.

                BUT to completely restrict management access I have to do this for FTP and TFTP along with HTTP, HTTPS, SSH and telnet, and by doing this with the above access list it will restrict FTP and TFTP access for all IP phones in the VoIP VLAN to 10.20.20.1 and for softphones in the DATA VLAN, so I would have to make an exception for every IP phone and softphone IP, and I think this is not a practical solution.

                So if you have a better solution, that would be awesome.

                Thanks,

                Mostafa Aly

                  • Re: Only one management VLAN interface
                    jayh Hall_of_Fame

                    most_ahdy wrote:

                    Hi Jayh,

                       Thank you for your reply. It is a good tactic to apply an access list to the management lines directly, but what I want exactly is to allow any IP to access the unit, but only through one IP interface. For example, if I have 3 VLANs, one VLAN (DATA) with interface IP 10.10.10.1/24, VLAN (VOICE) with interface IP 10.20.20.1/24 and VLAN (MANAGEMENT) with interface IP 30.30.30.1/24, by default anyone can manage the unit using these three IPs, but I want anyone to manage the unit using only 30.30.30.1/24 (Management).

                    You are thinking in terms of the interface IP on the unit, where I believe the actual concern is the source IP from which your allowed management workstations will log in.

                    If for example you block all management coming in on your vlan(DATA) and vlan(VOICE), that doesn't prevent someone with a 10.10.10.x or 20.20.20.x source IP from connecting to the management interface on 30.30.30.1.

                    Based on your post and the one posted by vmaxdawg05, I found a good solution.

                    This solution is based on creating an access list that permits TCP from any to 10.20.20.1/24 and 10.10.10.1/24 on management ports like http/https/ssh/telnet.

                    For example:

                    permit tcp any 10.20.20.1 0.0.0.0 eq ssl
                    permit tcp any 10.20.20.1 0.0.0.0 eq http
                    permit tcp any 10.20.20.1 0.0.0.0 eq https
                    permit tcp any 10.20.20.1 0.0.0.0 eq telnet
                    !
                    permit tcp any 10.10.10.1 0.0.0.0 eq ssl
                    permit tcp any 10.10.10.1 0.0.0.0 eq http
                    permit tcp any 10.10.10.1 0.0.0.0 eq https
                    permit tcp any 10.10.10.1 0.0.0.0 eq telnet

                    Then apply this access list to a policy class's discard entry, and apply this policy class to all existing IP interfaces in the unit.

                    BUT to completely restrict management access I have to do this for FTP and TFTP along with HTTP, HTTPS, SSH and telnet, and by doing this with the above access list it will restrict FTP and TFTP access for all IP phones in the VoIP VLAN to 10.20.20.1 and for softphones in the DATA VLAN, so I would have to make an exception for every IP phone and softphone IP, and I think this is not a practical solution.

                    With the configuration you suggest, anyone with any source IP in the world can access the device for management as long as they have a route to 30.30.30.1 either intrinsic to the device being managed or externally.  If that's your goal, it will work.  A device on the data VLAN with a source IP of 10.10.10.2 can still SSH to 30.30.30.1 for example.

                    If instead your goal is to restrict management to hosts within 30.30.30.0/24 then in my opinion you're better off constructing an ACL for the allowed hosts and applying it to the HTTP, HTTPS, SSH, and telnet lines per my previous example.

                    I'm not that familiar with the 7000 but I think that FTP and TFTP are there for the phones to pull configurations from a built-in filesystem and won't be useful for device configuration.  You could and probably should limit FTP and TFTP to devices on the voice VLAN to allow phones to pull configurations, especially if SIP login credentials are stored on the unit.
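The disagreement in jayh's reply above, and in most_ahdy's earlier post about IP phones losing TFTP, comes down to which packet field each rule tests: a discard keyed on the unit's non-management interface addresses never looks at the client's source, so a 10.10.10.x host can still reach 30.30.30.1, and it drags FTP/TFTP for the phones with it; a standard ACL on source address applied to the lines never looks at which interface address was targeted. The Python below is an added example written for this page, not AOS code and not posted by anyone in the thread. It models both rule styles over constructed flows: the interface addresses and the ADMIN/VOICE networks are the thread's, 192.0.2.0/24 is a made-up stand-in for the remote HQ jayh mentions, and the function names are mine. It deliberately ignores ingress VLAN and policy-class ordering beyond what the two posted approaches express.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # client source IP
    dst: str    # unit interface IP the client connected to
    dport: int  # TCP/UDP destination port on the unit


MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}
FILE_PORTS = {21: "ftp", 69: "tftp"}

# Unit interface addresses as given in the thread.
INTERFACES = {"DATA": "10.10.10.1", "VOICE": "10.20.20.1", "MANAGEMENT": "30.30.30.1"}

# Constructed networks for the evaluation; 192.0.2.0/24 stands in for a remote HQ (assumption).
ADMIN_NETWORKS = ["30.30.30.0/24", "192.0.2.0/24"]
VOICE_NETWORKS = ["10.20.20.0/24"]


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def source_acl_permits(flow, networks, ports):
    """jayh's approach: a standard ACL on the *source* address, applied with
    'ip access-class <list> in' to the lines or services listening on `ports`.
    Neither the ingress VLAN nor the unit address the client targeted matters.
    Ports outside `ports` are simply not governed by this ACL."""
    if flow.dport not in ports:
        return True
    return in_networks(flow.src, networks)


def discard_rules(protected_ports):
    """What most_ahdy's discard ACL matches: 'permit tcp any host <unit ip> eq
    <port>' for every non-management interface address and protected port."""
    return {(ip, port) for name, ip in INTERFACES.items()
            if name != "MANAGEMENT" for port in protected_ports}


def interface_discard_permits(flow, discard):
    """most_ahdy's approach: drop only traffic aimed at a non-management
    *destination* address. The source address is never inspected."""
    return (flow.dst, flow.dport) not in discard


def combined_permits(flow, admin_networks=ADMIN_NETWORKS, voice_networks=VOICE_NETWORKS):
    """The thread's end state: management lines limited to admin_networks,
    FTP/TFTP limited to the voice VLAN via the ftp/tftp access-class."""
    return (source_acl_permits(flow, admin_networks, MGMT_PORTS)
            and source_acl_permits(flow, voice_networks, FILE_PORTS))


# Constructed flows covering the cases argued in the thread.
FLOWS = {
    "admin_ws_to_mgmt_ssh": Flow("30.30.30.10", "30.30.30.1", 22),
    "data_host_to_mgmt_ssh": Flow("10.10.10.2", "30.30.30.1", 22),
    "data_host_to_data_https": Flow("10.10.10.2", "10.10.10.1", 443),
    "phone_to_voice_tftp": Flow("10.20.20.50", "10.20.20.1", 69),
    "hq_to_mgmt_https": Flow("192.0.2.10", "30.30.30.1", 443),
}


def compare(flows=FLOWS):
    """Return {name: (source_acl, interface_discard, combined)} decisions,
    True meaning the connection is allowed to reach the service."""
    discard = discard_rules(set(MGMT_PORTS) | set(FILE_PORTS))
    return {name: (source_acl_permits(f, ADMIN_NETWORKS, MGMT_PORTS),
                   interface_discard_permits(f, discard),
                   combined_permits(f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (src_acl, discard, combined) in compare().items():
        print(f"{name:26} source-ACL={src_acl!s:5} interface-discard={discard!s:5} combined={combined}")
```

The two rows worth reading are data_host_to_mgmt_ssh, which the interface discard lets through and the source ACL blocks, and phone_to_voice_tftp, which the interface discard breaks and the combined source-based configuration keeps working without per-phone exceptions.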

                      • Re: Only one management VLAN interface
                        most_ahdy New Member

                        You are thinking in terms of the interface IP on the unit, where I believe the actual concern is the source IP from which your allowed management workstations will log in.

                        If for example you block all management coming in on your vlan(DATA) and vlan(VOICE), that doesn't prevent someone with a 10.10.10.x or 20.20.20.x source IP from connecting to the management interface on 30.30.30.1.

                        This is totally true, but I am planning to do this filtering in a third-party firewall, as the default gateway of the data VLAN devices is the IP address of this firewall.

                        But what if a user changes his default gateway to the IP of the NetVanta? Surely he will be able to manage the device, so I think your solution is more reliable.

                        I'm not that familiar with the 7000 but I think that FTP and TFTP are there for the phones to pull configurations from a built-in filesystem and won't be useful for device configuration.

                        What do you mean by "it won't be useful for device configuration"?

                        You could and probably should limit FTP and TFTP to devices on the voice VLAN to allow phones to pull configurations, especially if SIP login credentials are stored on the unit.

                        But what about the softphones installed in the Data VLAN? I think I should also make an FTP and TFTP exception for them.

                          • Re: Only one management VLAN interface
                            jayh Hall_of_Fame

                            most_ahdy wrote:

                            I'm not that familiar with the 7000 but I think that FTP and TFTP are there for the phones to pull configurations from a built-in filesystem and won't be useful for device configuration.

                            What do you mean by "it won't be useful for device configuration"?

                            Good point for FTP if the 7000 doesn't restrict FTP usage to a limited directory for phone configurations.  We use a centralized SFTP server strictly for phone configurations so never enable FTP on AOS units.

                            You can use the following to restrict FTP/TFTP access to the voice VLAN.

                            ip ftp access-class [WORD] in
                            tftp ip access-class [WORD] in

                            (There seems to be an ongoing pie fight in Huntsville as to whether it should be "ip [service]" or "[service] ip".  When in doubt try them both or use ?-completion.)

                            Also

                            no tftp server overwrite

                            prevents overwriting stored files.

                            But what about the softphones installed in the Data VLAN? I think I should also make an FTP and TFTP exception for them.

                            None of the softphones with which I'm familiar require FTP or TFTP to download configurations like hardware SIP phones do.  By definition softphones tend to travel so you're likely to encounter them coming in from the public Internet as well.
