In my security class they reference assigning an IP ACL to the console port using the access-class command. Does an IP ACL have any effect on the console (serial) port?
BW
Are you sure it was the console port and not the vty lines?
Doan
Yes, the console port as well as the vty lines.
thanks
How does a console port detect an ip address? It is out-of-band.
Doan
That was exactly my point. I can't see how it would have any effect on a serial line connection.
Ok, I think they meant applying it to the outbound direction; that way you limit where they can get to even when they have console access.
Doan
You can't apply an inbound ACL on a console port since it's RS232 signals. I suppose you can put an ACL on the terminal server connected to the console port. Perhaps that's what they meant?
Or perhaps an outbound ACL to limit where you could go once you consoled in.
Doan
May be worth re-reading the way ACLs work, and if they affect traffic generated by the router itself.
As Hansang said, the console is NOT IP so an ACL on the console is not possible. The outbound ACL to control traffic would have to be on all the other interfaces, and would not work as traffic would be locally generated. To control telnet access *from* the router you would need an *INBOUND* ACL to block the responses.
Hansang said nothing about an outbound ACL. I tested it on a live router and it worked just as I understood it:
router#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
router#telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx
% Connections to that host not permitted from this terminal
Perhaps you can point me to a link where it says otherwise.
Thanks,
Doan
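Added example, not part of the original thread: a Python sketch that reads an IOS configuration and reports, per line stanza, whether an outbound access-class (the case tested in the post above) is set. The sample config, ACL number and addresses are constructed, and the console-inbound finding rests on the thread's point that the console is an RS232 serial line.

```python
import re

# Constructed sample running-config; the ACL number and addresses are made up
# (192.0.2.0/24 is a documentation range).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
!
line con 0
 access-class 10 in
 access-class 10 out
line aux 0
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
"""

LINE_RE = re.compile(r"^line\s+(con|aux|vty|tty)\s+(\d+)(?:\s+(\d+))?\s*$")
ACL_RE = re.compile(r"^\s+access-class\s+(\S+)\s+(in|out)\b")


def parse_line_acls(config):
    """Return {stanza name: {"in": acl or None, "out": acl or None}}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if LINE_RE.match(raw):
            current = raw.strip()
            stanzas[current] = {"in": None, "out": None}
        elif current and (a := ACL_RE.match(raw)):
            stanzas[current][a.group(2)] = a.group(1)
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the stanza
    return stanzas


def audit(config):
    """List (stanza, finding) pairs about session control on each line."""
    findings = []
    for name, acl in parse_line_acls(config).items():
        if acl["out"] is None:
            findings.append((name, "no access-class out: sessions opened "
                                   "from this line are unrestricted"))
        if name.startswith("line con") and acl["in"] is not None:
            findings.append((name, "access-class in: console is serial, "
                                   "there is no inbound IP connection to match"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags the inbound entry on `line con 0` and the missing outbound restriction on `line aux 0` and `line vty 0 4`.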
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.