05-09-2005 02:03 AM - edited 03-02-2019 10:42 PM
I'm trying to restrict telnet access to a 6500 switch with multiple VLAN interfaces. However, I want to restrict it based on destination address, not source address. I've tried the obvious access list, e.g., access-list 101 permit ip any host x.x.x.x but then the switch just blocks all telnet attempts. Does anyone know why this doesn't work?
The reason I'm trying to do this is so that people can only telnet to the management VLAN address of the switch. The management VLAN sits on the inside of a Firewall Service Module, so I can then use the firewall to control access.
The only workaround I can think of is to apply filters on all VLAN interfaces to deny telnet traffic to any VLAN interface IP address except the management one. The switch has a Sup720, so I think the ACLs are handled by the ASICs. Can anyone confirm that?
Any help is much appreciated.
Chris
05-09-2005 03:31 AM
It should be:
access-list 101 permit tcp any host x.x.x.x eq 23
-Don
05-09-2005 04:02 AM
Hi Don,
I tried that as well. It still blocks telnet access to the switch. The interesting thing is that if I add a deny any any log as the next line, I can see the incoming telnet request being denied. The strange thing is that in the log it shows the destination address as 0.0.0.0. However, a debug IP packet shows the correct destination address.
Cheers,
Chris
05-09-2005 05:37 AM
Are you trying this on the Sup or the MSFC? If on the MSFC, did you try an access-class statement (with ACL) under the vty interface?
Sam
05-09-2005 06:05 AM
In general I agree that the optimum solution for restricting telnet access is to use access-class. However the original post specified that they want to restrict telnet by destination address and access-class only restricts by source address.
If the objective can not be attained by access-class then I believe the only real alternative is access-group inbound on all VLAN interfaces with a statement denying telnet to all interface addresses.
HTH
Rick
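The configuration below is an added illustration of the two approaches discussed in this thread (Sam's access-class on the vty lines, and Rick's access-group inbound on every VLAN interface denying telnet to the non-management SVI addresses). It is not taken from the thread or from any Cisco document; the VLAN numbers, addresses and ACL names are constructed for the example, and the surrounding topology (which SVI is the management one, where the FWSM sits) is assumed.

```cisco
! Added example, not from the original thread. All addresses are constructed.
! Assumed SVIs on the MSFC:
!   Vlan10  10.1.10.1/24  user VLAN
!   Vlan20  10.1.20.1/24  user VLAN
!   Vlan99  10.1.99.1/24  management VLAN, reached through the FWSM
!
! Destination-based filter: drop telnet aimed at any SVI address other than
! the management one, then permit everything else so transit traffic is
! unaffected. Every non-management interface address must be listed here,
! since the same ACL is applied on each user SVI.
ip access-list extended BLOCK-TELNET-TO-SVI
 deny   tcp any host 10.1.10.1 eq 23 log
 deny   tcp any host 10.1.20.1 eq 23 log
 permit ip any any
!
! Apply the filter inbound on each user VLAN interface.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group BLOCK-TELNET-TO-SVI in
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group BLOCK-TELNET-TO-SVI in
!
! The management SVI carries no filter; access to it is controlled by the FWSM.
interface Vlan99
 ip address 10.1.99.1 255.255.255.0
!
! Source-based restriction on the vty lines (access-class). This only matches
! on the source address, so it complements the interface filter rather than
! replacing it. Assumed: only the management subnet may open a session.
access-list 10 permit 10.1.99.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input telnet
```

Two practical caveats when applying this. First, an interface accepts only one inbound ACL, so if a user SVI already has an access-group, the deny lines have to be merged into that existing list rather than replacing it. Second, any other address the switch answers on (loopbacks, other SVIs added later) needs its own deny line, otherwise telnet to that address is still accepted; `show ip access-lists BLOCK-TELNET-TO-SVI` shows the per-line hit counters, so a quick telnet test against each SVI address confirms which lines are actually matching.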
05-09-2005 06:55 AM
Sam - The switch is running Native IOS so I had the access class applied to all vty lines.
Rick - Thanks for the confirmation. I don't suppose you know why an access class only works for source addressing do you?
05-09-2005 10:07 AM
Chris
I do not know an authoritative answer about why it checks only source address. I have done testing on this and had results similar to yours. I do have a theory about why it checks only source address and I will be glad to share that theory.
The beginning of my theory is based on the fact that one advantage of access class on vty (as compared to access group on interfaces) is that it is only applied to packets whose destination was some router interface and therefore you do not need to put a filter on every interface. The access class is only invoked when the router has determined that the destination address is the router itself. Based on this I believe that the software that does the checking of access class ignores the destination address (treats the address as 0.0.0.0) since it already knows that the destination was some address on the router.
HTH
Rick