logon security measure

petercinvest
Level 1

We want to disable client telnet to switch 1; how do we do it?

We also want to block IP 192.168.0.2--192.168.1.23 from logging on to switch 1, router 2 and voice gateway 1 management port. How do we do this in the case of the switch, router and VG? Thanks.

8 Replies

Mark Malone
VIP Alumni

If you want to disable telnet then you only allow SSH. Use version 2 only and don't make it backward compatible; you will know when you do show ip ssh, it should say v2 only.

ip ssh version 2
ip ssh time-out 60
ip domain name cisco
crypto key generate rsa modulus 1024
line vty 0 4
 transport input ssh

ACL restriction is the same for each device: you block it on the vty port using access-class.

You can only block by host or by the whole subnet, not by a range of the subnet; the example blocks the whole /24, or else you will need to set it host by host.

example

line vty 0 4
 access-class 100 in
exit

access-list 100 deny tcp 192.168.0.0 255.255.255.0 any eq 22

or

access-list 100 deny tcp host 192.168.0.2 any eq 22
Dear expert,

The code below didn't work:

line vty 0 4
 access-class 100 in
exit

access-list 100 deny tcp 192.168.0.0 255.255.255.0 any eq 22

I want to block 192.168.0.0 and 192.168.1.0 to 192.168.1.23

and allow 192.168.2.0, 192.168.1.24 to access. Now 192.168.2.0 also can't access, although before it could.

192.168.1.24 also can't access through SSH.

192.168.0.0 can't access, which is fine.

When I configure access-list 100 deny tcp 192.168.0.0 255.255.255.0 any eq 22

and then check the running config, it shows access-list 100 deny tcp 0.0.0.0 255.255.255.0 any eq 22

Why does it become like this?

Reverse the subnet mask to 0.0.0.255; extended ACLs use wildcards.

access-list 100 deny tcp 192.168.0.0 0.0.0.255 any eq 22

Not working again: 192.168.0.0 is our data VLAN, and now no IP can access the switch using SSH.

Let me put it simply: I only want 192.168.2.0 to access the switch using SSH, and deny the rest. Please advise how to write the config.

access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 22
access-list 100 deny ip any any

line vty 0 4
 access-class 100 in

Dear Expert,

192.168.2.131 is my workstation using a LAN cable. If I use a wifi connection instead, my IP is 192.168.3.25, and this IP can also connect to the switch using SSH (port 22), so the script you provided is not working so far, because 192.168.3.0 should be denied.

My script as follows:

access-list 100 permit tcp host 192.168.2.131 any eq 22
access-list 100 deny ip any any

line con 0
exec-timeout 0 0
password 7 0100030866552
login
line vty 0 4
access-class 100 in
login local
length 0
transport input ssh

That's the line you asked for: "I only want 192.168.2.0 to access switch using ssh".

What I gave you is: anything from 192.168.2.0/24 can access any IP on port 22, and the last line denies everything else.

I don't see how the 192.168.3.0 network is getting through, as it's not specified in the ACL and the last line denies all.

Try this:

access-list 100 permit tcp host 192.168.2.131 any eq 22
access-list 100 deny tcp 192.168.3.0 0.0.0.255 any eq 22
access-list 100 deny ip any any
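To see why each ACL in this thread behaved the way it did, here is an added Python model of how IOS evaluates a VTY access-class; it is not Cisco code and not from any poster, the function names are my own, and it assumes the access-class only looks at the source address. It also splits the range from the original question (192.168.0.2 to 192.168.1.23) into the aligned blocks a wildcard can express, which goes beyond the single /24 shown above.

```python
import ipaddress


def normalize_ace(addr, wildcard):
    """Return the (address, wildcard) pair IOS actually stores.
    A 1 bit in the wildcard means "don't care", so IOS clears that bit in
    the address: 'deny tcp 192.168.0.0 255.255.255.0 ...' is stored as
    '0.0.0.0 255.255.255.0', exactly what the running config showed."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF)), wildcard


def ace_matches(addr, wildcard, src):
    """True when src agrees with addr on every bit the wildcard marks as 0."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    s = int(ipaddress.IPv4Address(src))
    return (a & ~w) == (s & ~w)


def vty_decision(acl, src):
    """acl: list of (action, addr, wildcard) in configured order.
    First match wins; if nothing matches, the implicit 'deny any' at the
    end applies, which is why a deny-only ACL locks every host out."""
    for action, addr, wildcard in acl:
        if ace_matches(addr, wildcard, src):
            return action
    return "deny"


def range_to_aces(acl_num, first, last):
    """Emit one deny ACE per aligned block covering an inclusive range,
    since a single ACE can only express a host or a power-of-two block."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"access-list {acl_num} deny tcp {b.network_address} "
            f"{b.hostmask} any eq 22" for b in blocks]


if __name__ == "__main__":
    # Constructed sample: the deny-only ACL from the thread blocks even the
    # poster's workstation, because nothing permits it before the implicit deny.
    deny_only = [("deny", "192.168.0.0", "0.0.0.255")]
    print(vty_decision(deny_only, "192.168.2.131"))  # deny
    final = [("permit", "192.168.2.0", "0.0.0.255"), ("deny", "0.0.0.0", "255.255.255.255")]
    print(vty_decision(final, "192.168.2.131"), vty_decision(final, "192.168.3.25"))
    print("\n".join(range_to_aces(100, "192.168.0.2", "192.168.1.23")))
```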
