ACL on Router Console Port

In my security class they reference assigning an IP ACL to the console port
using the access-class command.  Does an IP ACL have any effect on the
console (serial) port?


BW

Re: ACL on Router Console Port
On Mon, 18 Sep 2006, BW wrote:

Are you sure it was the console port and not the vty lines?

Doan


Re: ACL on Router Console Port
Doan wrote:


Yes, the console port as well as the vty lines.  
--
BW

Re: ACL on Router Console Port
On Tue, 19 Sep 2006, BW wrote:

How does a console port detect an ip address?  It is out-of-band.

Doan



Re: ACL on Router Console Port
Doan wrote:


That was exactly my point.  I can't see how it would have any effect on a
serial line connection.
--
BW

Re: ACL on Router Console Port
On Tue, 19 Sep 2006, BW wrote:

Ok, I think they meant applying it to the outbound direction; that way you
limit where they can get to even when they have console access.

Doan





Re: ACL on Router Console Port
BW wrote:


You can't apply an inbound ACL on a console port since it's RS232
signals.  I suppose you can put an ACL on the terminal server connected
to the console port.  Perhaps that's what they meant?


--

hsb



Re: ACL on Router Console Port
On Sat, 23 Sep 2006, Hansang Bae wrote:

Or perhaps an outbound ACL to limit where you could go once you consoled
in.

Doan


Re: ACL on Router Console Port
Doan wrote:


May be worth re-reading the way ACLs work, and if they affect traffic generated
by the router itself.

As Hansang said, the console is NOT IP so an ACL on the console is not
possible. The outbound ACL to control traffic would have to be on all the other
interfaces, and would not work as traffic would be locally generated. To
control telnet access *from* the router you would need an *INBOUND* ACL to
block the responses.
--
Paul Matthews                          
paul@cattytown.me.uk
http://www.hepcats.co.uk

Re: ACL on Router Console Port
On Sun, 24 Sep 2006, Paul Matthews wrote:


Hansang said nothing about an outbound ACL.  I tested it on a live router
and it worked just as I understood it:

router#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    2  101      0      22     0/0       -

router#telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx
% Connections to that host not permitted from this terminal

Perhaps you can point me to a link where it says otherwise.

Thanks,

Doan
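
The AccO and AccI columns in the "sh line" output above can be checked across all lines of a router. The script below is an added example, not code from any poster in this thread: it parses captured "show line" text and reports lines with no outbound access-class, VTY lines with no inbound access-class, and an inbound access-class on the console. Assumptions: the column layout matches the output quoted above, the AUX and VTY rows in the sample are constructed, and the function names and finding labels are hypothetical.

```python
# Added example: audit the access-class columns of Cisco IOS "show line" output.
# Line 0 is the row quoted in the thread; the AUX and VTY rows are constructed.
SAMPLE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    2  101      0      22     0/0       -
     1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
     2 VTY              -    -      -    -   10      3       0     0/0       -
     3 VTY              -    -      -    -    -      0       0     0/0       -
"""


def parse_show_line(text):
    """Return one dict per terminal line with its outbound/inbound ACL."""
    rows = []
    for raw in text.splitlines():
        tok = raw.replace("*", " ").split()  # "*" only marks the line in use
        if len(tok) < 11 or not tok[0].isdigit():
            continue  # header line or unrelated text
        # Tx/Rx is blank on CTY/VTY rows, so count columns from the right,
        # where the layout is fixed: ... AccO AccI Uses Noise Overruns Int
        acc_out, acc_in = tok[-6], tok[-5]
        rows.append({
            "tty": int(tok[0]),
            "type": tok[1],
            "acc_out": None if acc_out == "-" else acc_out,
            "acc_in": None if acc_in == "-" else acc_in,
        })
    return rows


def audit(rows):
    """Return (tty, type, finding) tuples for lines worth reviewing."""
    findings = []
    for r in rows:
        if r["acc_out"] is None:
            # Outgoing sessions started from this line are not restricted.
            findings.append((r["tty"], r["type"], "no-outbound-acl"))
        if r["type"] == "VTY" and r["acc_in"] is None:
            findings.append((r["tty"], r["type"], "no-inbound-acl"))
        if r["type"] == "CTY" and r["acc_in"] is not None:
            # Per the thread: the console is serial, not IP.
            findings.append((r["tty"], r["type"], "inbound-acl-on-console"))
    return findings


if __name__ == "__main__":
    for tty, typ, issue in audit(parse_show_line(SAMPLE)):
        print(f"line {tty} ({typ}): {issue}")
```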


