Restricting telnet access on a 6500

c.alison
Level 1

I'm trying to restrict telnet access to a 6500 switch with multiple VLAN interfaces. However, I want to restrict it based on destination address, not source address. I've tried the obvious access list, e.g., access-list 101 permit ip any host x.x.x.x but then the switch just blocks all telnet attempts. Does anyone know why this doesn't work?

The reason I'm trying to do this is so that people can only telnet to the management VLAN address of the switch. The management VLAN sits on the inside of a Firewall Service Module, so I can then use the firewall to control access.

The only workaround I can think of is to apply filters on all VLAN interfaces to deny telnet traffic to any VLAN interface IP address except the management one. The switch has a Sup720, so I think the ACLs are handled by the ASICs. Can anyone confirm that?

Any help is much appreciated.

Chris

6 Replies 6

djohnston
Level 1

It should be:

access-list 101 permit tcp any host x.x.x.x eq 23

-Don

Hi Don,

I tried that as well. It still blocks telnet access to the switch. The interesting thing is that if I add a deny any any log as the next line, I can see the incoming telnet request being denied. The strange thing is that in the log it shows the destination address as 0.0.0.0. However, a debug IP packet shows the correct destination address.

Cheers,

Chris

Are you trying this on the Sup or the MSFC? If on the MSFC, did you try an access-class statement (with ACL) under the vty interface?

Sam

In general I agree that the optimum solution for restricting telnet access is to use access-class. However the original post specified that they want to restrict telnet by destination address and access-class only restricts by source address.

If the objective cannot be attained by access-class then I believe the only real alternative is access-group inbound on all VLAN interfaces with a statement denying telnet to all interface addresses.

HTH

Rick
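As an added example (not configuration posted by anyone in this thread), here is how the two approaches discussed above would look on a Native IOS 6500. The access-class filters vty sessions by source only; the extended ACL applied inbound on every SVI is the destination-based workaround Rick describes. Interface names and the RFC 5737 addresses are placeholders.

```cisco
! Placeholder addressing (constructed for this example):
!   Vlan10 192.0.2.1/24     management SVI, sits behind the FWSM
!   Vlan20 198.51.100.1/24  user SVI
!   Vlan30 203.0.113.1/24   user SVI
!
! 1) Source-based control: access-class on the vty lines.
!    Only the destination-agnostic source check is evaluated here.
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
!
! 2) Destination-based control: permit telnet only to the management
!    SVI address, deny it to every other SVI address, pass everything
!    else. Applied inbound on every VLAN interface so no SVI is missed.
ip access-list extended NO-TELNET-TO-SVI
 permit tcp any host 192.0.2.1 eq 23
 deny   tcp any host 198.51.100.1 eq 23 log
 deny   tcp any host 203.0.113.1 eq 23 log
 permit ip any any
!
interface Vlan10
 ip access-group NO-TELNET-TO-SVI in
interface Vlan20
 ip access-group NO-TELNET-TO-SVI in
interface Vlan30
 ip access-group NO-TELNET-TO-SVI in
```

Per-ACE hit counts are visible with `show ip access-lists NO-TELNET-TO-SVI`, which is the quickest way to confirm which line a blocked telnet attempt matched. Two caveats for this design: every new SVI needs its own deny line and its own `ip access-group` statement, and on the 6500 an ACE carrying the `log` keyword is punted to the MSFC for software processing rather than being handled in the PFC hardware, so the `log` keyword belongs on the deny lines only while troubleshooting.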

Sam - The switch is running Native IOS so I had the access class applied to all vty lines.

Rick - Thanks for the confirmation. I don't suppose you know why an access class only works for source addressing, do you?

Chris

I do not know an authoritative answer about why it checks only source address. I have done testing on this and had results similar to yours. I do have a theory about why it checks only source address and I will be glad to share that theory.

The beginning of my theory is based on the fact that one advantage of access class on vty (as compared to access group on interfaces) is that it is only applied to packets whose destination was some router interface and therefore you do not need to put a filter on every interface. The access class is only invoked when the router has determined that the destination address is the router itself. Based on this I believe that the software that does the checking of access class ignores the destination address (treats the address as 0.0.0.0) since it already knows that the destination was some address on the router.

HTH

Rick
