Restricting Admin Access to 2924

I have a 2924 switch that responds to telnet and web access on any port. It runs 12.0 software. Is there any configuration command I can issue that would force the switch to only respond to management telnet/web requests on port 1 of the switch and ignore any requests on any other port?

Will

No, access isn't controlled that way on cisco.

You need to configure layer-3 management access control based on the source IP contacting the switch.

I find the HTTP fairly useless on the switch. I'd turn it off. You can restrict it the same way as below too.

Otherwise, define an ACL, and use 'ip access-group' on the 'line vty 0 4' section to disable management access to what you spec via the ACL.

Doug McIntyre
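A concrete form of the source-IP restriction Doug describes, written here as an added example and not taken from his post. It assumes a single management host at 10.1.1.10 and a management subnet 10.1.1.0/24 (both constructed placeholders), standard ACL number 10, a vty password already configured, and a 12.0 release that supports `access-class`. The command that binds an ACL to the vty lines is `access-class`; `ip access-group` is the form used on interfaces.

```cisco
! Added example, not the poster's configuration.
! Addresses and the ACL number are constructed placeholders.
conf t
!
! Standard ACL: permit the management host and its subnet; everything
! else falls through to the implicit deny at the end of the list.
access-list 10 remark management-access
access-list 10 permit host 10.1.1.10
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any
!
! Apply the ACL inbound on every vty line so telnet from any other
! source IP is refused before the login prompt is reached.
line vty 0 4
 access-class 10 in
 login
 exec-timeout 5 0
!
! The on-box HTTP server is rarely needed; turning it off removes the
! second management listener entirely.
no ip http server
end
copy running-config startup-config
```

Because the filter keys on the source address only, it is a first layer rather than a complete answer to the spoofing concern raised later in the thread; it does nothing about a host that can already reach the switch's subnet and guess a permitted address. Keeping the management IP on a VLAN that user ports cannot reach is the control that closes that gap, and the two combine cleanly.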

Source IP is easy enough to fake, so any solution that lets an infected machine ping the Cisco, discover that it is a management port, and then hack away at different source IPs until an agreeable one is found, isn't a very secure solution.

I suppose we could assign an IP to the Cisco in a different subnet than the machines that connect through it, and then at least the hacker wouldn't find the device by pinging to all available addresses in the visible subnet.

Will the Cisco 2924 do something really stupid like ARP its IP constantly, even when it is not being contacted? Is there some secret packet a hacker could broadcast that would force the Cisco to belch back its IP?

Will

No, there is no such thing as "restricting access to a certain physical interface" on the box. The 2924s are Layer 2 devices.

You can do one or more of the following:

- use access lists to restrict access to vital services on the box to certain IP addresses or networks

- put the management interface of the switch (interface vlan) in a VLAN different from the ones the normal users are in; if you then put a port in that VLAN, only that port can connect to the management interface of the switch

Ciao Chris

-- 
All these moments will be lost in time, like tears in rain.
Dipl-Ing (FH) Christian 'Dr. Disk' Hechelmann
IRC: DrDisk
GPG Fingerprint: 53BF634B 28326F92 79651A15 F84ABB55 4F068E4E
I think live weapons and "fire at will" should be part of the admin job. [Lars Marowsky-Bree in d.a.s.r]

drdisk

For that level of security for your management functions, you could throw a single port into a management VLAN, and assign the switch IP onto the new VLAN interface.

Assuming all ports are by default in VLAN1, it would look something like:

    ! create the management VLAN in the VLAN database
    vlan d
    vlan 222 state active
    exit
    conf t
    ! the one port that is allowed to reach the switch IP
    int Fa0/1
    descr Network Management
    switchport access vlan 222
    ! take the switch IP off the user VLAN
    int VLAN1
    shut
    ! and put it on the management VLAN instead
    int VLAN222
    ip addr h.h.h.h n.n.n.n

You can even throw on ACLs when you're done.

-Steve

Steven Bertsch
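The management-VLAN approach from Chris's second bullet and Steve's outline, filled in as an added example that is not either poster's own configuration. VLAN 222, port Fa0/1, the address 10.99.0.2/24 and the gateway 10.99.0.1 are constructed placeholders; the `management` command under the VLAN interface is the Catalyst 2900XL/3500XL way of naming which VLAN interface carries the switch IP, and the example assumes the running 12.0 image provides it.

```cisco
! Added example, not the poster's configuration.
! VLAN id, port and addresses are constructed placeholders.
!
! On the 2900XL the VLAN itself lives in the VLAN database, not in the
! running-config, so it is created there first.
vlan database
 vlan 222 name MGMT
 exit
conf t
!
! Exactly one access port belongs to the management VLAN; nothing else
! on the switch can reach the management interface at layer 2.
interface FastEthernet0/1
 description Network Management
 switchport mode access
 switchport access vlan 222
!
! Remove the switch IP from VLAN1, which every user port sits in by
! default, so the switch no longer answers ARP or ping from that VLAN.
interface VLAN1
 no ip address
 shutdown
!
! The management address now lives only on the management VLAN.
interface VLAN222
 ip address 10.99.0.2 255.255.255.0
 management
 no shutdown
!
ip default-gateway 10.99.0.1
end
copy running-config startup-config
```

The point to check afterwards is that VLAN 222 is carried on no trunk port: any trunk that allows it extends the "one port" to every switch on the far side. A vty ACL as discussed earlier in the thread can be layered on top for a second source-address check, but the VLAN boundary is what keeps the switch from even being discoverable from user ports.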
