ROUTER#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ROUTER(config)#control-plane host
ROUTER(config-cp-host)#management-interface vlan13 allow ?
  beep    Beep Protocol
  ftp     File Transfer Protocol
  http    HTTP Protocol
  https   HTTPS Protocol
  snmp    Simple Network Management Protocol
  ssh     Secure Shell Protocol
  telnet  Telnet Protocol
  tftp    Trivial File Transfer Protocol
  tl1     Transaction Language Session Protocol
ROUTER#show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service     State
tcp   *:22           *:0              SSH-Server  LISTEN
tcp   *:23           *:0              Telnet      LISTEN
udp   *:123          *:0              NTP         LISTEN
Telnet is listening by default; SSH and NTP showed up once I configured them. We should disable telnet. There never really was a way to disable telnet: all we could do was not use it, configure SSH, and permit only SSH on the VTYs. Telnet was still running though. Even though we still can't disable telnet, this is the next best thing. First we create the class map. In this example we're dropping packets destined to the router on ports that are not open [match closed-ports]. That certainly makes sense. Let's also drop all telnet connections [match port tcp 23]. This may be belt-and-suspenders when you also configure transport input under the VTYs, but I like the idea of being able to "firewall" my control plane.
class-map type port-filter match-any CLOSED_PORTS
 match closed-ports
 match port tcp 23
Next we create the policy map. In the real world you probably don’t want the log keyword, but it’s helpful when learning stuff in the lab.
policy-map type port-filter FILTER_CLOSED_PORTS
 class CLOSED_PORTS
  drop log
We apply it to the control plane and then test.
control-plane host
 service-policy type port-filter input FILTER_CLOSED_PORTS
I tried to telnet from a neighboring router and I was denied. On the host router I had the following in the buffer log.
*Nov 8 18:33:03.089: %CP-6-TCP: DROP TCP/UDP Portfilter 192.168.100.2(47624) -> 192.168.100.1(23)
Awesome. One thing to note: you may want to completely configure your router before applying this, because there may be services running that you were not expecting. I didn't allow DHCP, and that broke my home network, since my router is the DHCP server.
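Once the drop log keyword is on, the buffer fills with %CP-6-TCP lines like the one above, and the useful thing to do with them is to sort the expected drops (telnet, closed ports) from drops against services you meant to keep, which is exactly how the DHCP surprise would have shown up. The parser below is an added example, not code from the post; the log lines, the `EXPLICIT_PORTS` set and the `expected` mapping are constructed assumptions matching the CLOSED_PORTS class map.

```python
import re
from collections import Counter

# Constructed sample of a logging buffer in the %CP-6-TCP format from the post
# (not a real capture). The last line is unrelated syslog noise to be skipped.
SAMPLE_LOG = """\
*Nov  8 18:33:03.089: %CP-6-TCP: DROP TCP/UDP Portfilter 192.168.100.2(47624) -> 192.168.100.1(23)
*Nov  8 18:33:09.412: %CP-6-TCP: DROP TCP/UDP Portfilter 192.168.100.2(47625) -> 192.168.100.1(23)
*Nov  8 18:34:51.007: %CP-6-TCP: DROP TCP/UDP Portfilter 192.168.100.7(51000) -> 192.168.100.1(80)
*Nov  8 18:35:02.120: %SYS-5-CONFIG_I: Configured from console by console
"""

DROP_RE = re.compile(
    r"%CP-6-TCP: DROP TCP/UDP Portfilter "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

# Ports the CLOSED_PORTS class map names explicitly (match port tcp 23);
# any other dropped port was caught by "match closed-ports".
EXPLICIT_PORTS = {23}


def parse_drops(log_text):
    """Return one dict per port-filter drop, tagged with which match caught it."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # other syslog facilities are ignored
        dport = int(m["dport"])
        drops.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": dport,
            "reason": "explicit-port" if dport in EXPLICIT_PORTS else "closed-port",
        })
    return drops


def summarize(drops):
    """Count drops per destination port and per source, for a quick review."""
    return {
        "by_port": dict(Counter(d["dport"] for d in drops)),
        "by_src": dict(Counter(d["src"] for d in drops)),
    }


def unexpected_drops(drops, expected):
    """Drops hitting services you intended to keep reachable (expected = {port: name})."""
    return [dict(d, service=expected[d["dport"]]) for d in drops if d["dport"] in expected]
```

Feed it the output of `show logging` and treat any hit from `unexpected_drops` as a service to add back to the management-interface allow list before the policy goes into production.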