topic Hi, As all the ACL's are in Switching

Telnet problem to access switch

anirudh12b9 — Fri, 08 Mar 2019 09:34:03 GMT

Hi All,

I am unable to telnet my access switch which is in network.With ip 10.120.232.12 actually i am able to login through ssh but am unable to login through the telnet.

show run interface vlan 10
Building configuration...

Current configuration : 242 bytes
!
interface Vlan10
description *******MANAGEMENT VLAN*******
ip address 10.120.232.2 255.255.255.224
no ip redirects
no ip unreachables

Above is the my management vlan which was created in my coreswitch am getting these kind of error while logging.After configuring the telnet as given below still am getting the below error.

line vty 0 4
session-timeout 5
access-class 3 in
exec-timeout 5 0
password 7 104D000A0618
transport input telnet ssh
transport output all

Error message:

telnet 10.120.232.12
Trying 10.120.232.12 ...
% Connection refused by remote host

Please help me in this issue.Thanks in advance.

you have an acl on the vty

Mark Malone — Mon, 31 Aug 2015 09:01:05 GMT

Hi you have an acl on the vty port are you coming from a permitted source of this acl otherwise you will be blocked , you need to make sure your ip range/address is allowed and included in this acl . acl may just be set to eq 22 check that eq 23 is also allowed for telnet

line vty 0 4
session-timeout 5
access-class 3 in

Hi Mark,

anirudh12b9 — Tue, 01 Sep 2015 13:42:27 GMT

Hi Mark,

Thanks for the reply below are the permit statements allowed it access-list 3.Please guide how to check the what rules written in access-class 3.And able to telnet the below ip 10.136.169.110,10.120.232.25,202.9.192.64and202.9.192.96.

access-list 3 permit 10.136.169.110
access-list 3 permit 10.120.232.25
access-list 3 permit 202.9.192.64 0.0.0.31
access-list 3 permit 202.9.192.96 0.0.0.31

Hiis that the access-list 3

Mark Malone — Tue, 01 Sep 2015 14:26:19 GMT

is that the access-list 3 off the router your trying to telnet too 10.120.232.12 ? You would need to provide that ACL as we need to see whats allowed inbound to the router

By the way its good telnet is not working you should only use ssh when possible as telnet can be sniffed on the wire for passwords , so unless there's a specific reason you want it on i would leave it off as its a security hole

Hi,As all the ACL's are

anirudh12b9 — Tue, 01 Sep 2015 18:52:33 GMT

Hi,

As all the ACL's are created in our CORE SWITCH (L3) and we are using them in L2 switch.

As you suggested ssh is a good practice thanks for that .But how can i check what rules are written in access-class 3.

If am using the show access-lists 3
Standard IP access list 3
60 permit 10.136.169.110 (839 matches)
70 permit 10.115.50.30 (1751 matches)
80 permit 10.201.51.152
50 permit 10.120.232.25 (226 matches)
30 permit 202.9.192.64, wildcard bits 0.0.0.31 (1606 matches)
40 permit 202.9.192.96, wildcard bits 0.0.0.31 (60 matches)

So please suggest me how to check what has been blocked in purticular ACL.

HelloHello I dont see any ace

paul driver — Tue, 01 Sep 2015 19:10:28 GMT

Hello

Hello I dont see any ace entry in this acl denyig port 23 ( telnet)

Is it possible you have (control plane policing) CPP enabled?

sh access-lists
sh control-plane feature

res

Paul

Hi,unable to execute the

anirudh12b9 — Tue, 01 Sep 2015 19:14:32 GMT

Hi,

unable to execute the below command.I am using the command in cisco 6500 swithc

FYI

show control-plane feature
^
% Invalid input detected at '^' marker.

HelloStratch that just

paul driver — Tue, 01 Sep 2015 19:29:21 GMT

Hello

Stratch that just noticed this query is regards a L3 switch - its not applicable

res

Paul

Hi, As all the ACL's are

anirudh12b9 — Tue, 01 Sep 2015 19:29:22 GMT

Hi,

As all the ACL's are created in our CORE SWITCH (L3) and we are using them in L2 switch.

Hi the acls maybe created in

Mark Malone — Wed, 02 Sep 2015 07:51:47 GMT

Hi the acls maybe created in the core switch but even a layer 2 switch would have an acl under its vty port to prevent unwanted access if its manageable remotely ,so you need to get onto the switch that your trying to access check the vty port, see what access-class is applied to it and then post the access-list from that specific switch thats tied to the port

As an example this is a layer 2 switch only trunked in my network below , has 1 mgmt ip for access but also has and acl applied at the vty port for control of who can access it,i have cut it down as its very long

If you can post your access-list off the specific switch we can look at it but as Paul said there is no telnet blocked in the acl provided above , your allowing each of those ips and there will be an implicit deny blocking everything else , your not using an extended acl to allow/deny tcp/udp etc

sw-AC1#sh run | b line vty
line vty 0 4
access-class 124 in
exec-timeout 30 0
transport input ssh

sw-AC1#sh access-lists 124
Extended IP access list 124
    10 permit tcp host 172.19.154.53 any eq 22 (1626 matches)
    20 permit tcp host 172.19.246.240 any eq 22 (58 matches)
    30 permit tcp host 172.19.249.77 any eq 22 (20 matches)
    40 permit tcp host 172.19.152.223 any eq 22
    230 deny ip any any log (22 matches)