
Switch telnet control through acl or other means

zhang-hao
Level 1

Is there a possibility to limit telnet from PCs to core switches with an ACL or other ways? I mean, for example, in a typical LAN with two core layer 3 switches and several layer 2 access switches connected to both core switches, my objective is to limit some of the PCs connected to one layer 2 switch from telnetting to the core switches. I know I can use AAA authentication on the core switches to challenge the action; my question is whether I can take some other means to limit the telnet based on port on the layer 2 switches, for instance a 2950 switch, or use an extended ACL on the core switches to accomplish that?

any suggestion will be highly appreciated!

Thanks!

2 Replies

gfullage
Cisco Employee

You can limit by IP address who can log in and who can't on both CatOS and IOS switches.

For IOS, just use an access-class on the VTY ports to limit what IP addresses can telnet in as follows:

> access-list 1 permit 10.1.1.1

> access-list 1 permit 10.1.1.5

> line vty 0 4

> access-class 1 in

For CatOS, you use an IP permit list as follows:

> set ip permit 10.1.1.1 telnet

> set ip permit 10.1.1.5 telnet

> set ip permit enable telnet

Both the above scenarios allow 10.1.1.1 and 10.1.1.5 to telnet to the switch. You can allow more IP addresses just by adding more lines to your config. MAKE SURE you add your own IP address in, otherwise you'll lock yourself out.
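To make the behaviour of the `access-class` approach concrete, here is a small added example (not part of the thread, and not Cisco code) that evaluates an IOS standard ACL the way the VTY line does: first match wins, and anything that matches nothing is denied. It goes slightly beyond the per-host lines above by also accepting the wildcard-mask form (`access-list 1 permit 10.1.2.0 0.0.0.255`), which is how a whole subnet is permitted, and it includes a helper that flags administrator addresses the ACL would reject, which is the lock-out caveat in the answer. The parser, the sample ACL and the admin addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    address: int   # address as a 32-bit integer
    wildcard: int  # IOS wildcard mask: 0 bits must match, 1 bits are ignored

def parse_standard_acl(config_lines):
    """Parse 'access-list N permit|deny A.B.C.D [W.X.Y.Z]' lines.

    Also understands 'host A.B.C.D' and 'any'. Hypothetical parser for the
    example only; it covers the standard (numbered) ACL forms, nothing more.
    """
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # ignore anything that is not an access-list statement
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in: {line}")
        if parts[3] == "any":
            entries.append(AclEntry(action, 0, 0xFFFFFFFF))
            continue
        if parts[3] == "host":
            addr, wild = parts[4], "0.0.0.0"
        else:
            addr = parts[3]
            wild = parts[4] if len(parts) > 4 else "0.0.0.0"  # no mask = exact host
        entries.append(AclEntry(action,
                                int(ipaddress.IPv4Address(addr)),
                                int(ipaddress.IPv4Address(wild))))
    return entries

def acl_decision(entries, source_ip):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    src = int(ipaddress.IPv4Address(source_ip))
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF          # bits the entry actually compares
        if (src & care) == (e.address & care):
            return e.action
    return "deny"  # implicit deny: no match means no telnet session

def check_lockout(entries, admin_ips):
    """Return the administrator addresses that the ACL would reject."""
    return [ip for ip in admin_ips if acl_decision(entries, ip) != "permit"]

# Constructed sample ACL: the two hosts from the answer, plus a subnet
# permit with one host inside that subnet explicitly denied first.
VTY_ACL = [
    "access-list 1 permit 10.1.1.1",
    "access-list 1 permit 10.1.1.5",
    "access-list 1 deny 10.1.2.50",
    "access-list 1 permit 10.1.2.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = parse_standard_acl(VTY_ACL)
    for ip in ("10.1.1.1", "10.1.1.2", "10.1.2.7", "10.1.2.50"):
        print(ip, acl_decision(acl, ip))
    # Constructed admin addresses; 10.1.1.9 is not in the ACL and would be locked out.
    print("locked out:", check_lockout(acl, ["10.1.1.1", "10.1.1.9"]))
```

Order matters: the `deny 10.1.2.50` line only works because it precedes the subnet permit. Run `check_lockout` against the management station addresses before applying `access-class 1 in`, since the implicit deny at the end of the list is what locks an administrator out when their own address is missing.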

Well, thanks. But can I do this by limiting a certain subnet or specifying a certain range of IP addresses, since the PCs get their IP addresses by DHCP?