cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
843
Views
3
Helpful
10
Replies

ACL doubt

joseramada
Level 1
Level 1

Hi. I have a little doubt about ACLs:

If I apply an ACL (denying all in/out telnet connections) to the interface VLAN 5 with IP address 192.168.1.254 is it still possible to telnet to IP 192.168.1.254? To the other IP addresses on this network I know it's not possible.

Thanks.

1 Accepted Solution

Accepted Solutions

You can control the protocols used for management under the VTY's. To only allow SSH, you would do the following.

line vty 0 15

transport input ssh

Let's say for some reason you both telnet and SSH, you would do the following.

line vty 0 15

transport input telnet ssh

Here's a link on configuring SSH (router or switch will work).

http://www.packetpros.com/wiki/index.php/Cisco

View solution in original post

10 Replies 10

Collin Clark
VIP Alumni
VIP Alumni

No, assuming that your ACL is blocking the entire /24 subnet.

Hope that helps.

Farrukh Haroon
VIP Alumni
VIP Alumni

Well telnet won't be possible to that IP, but the device could be reachable via other IPs. IF I understand your question correctly.

Regards

Farrukh

yes, that's the point.

Our network has more than 200 VLANs on a Catalyst 6500. I think it is not a good policy to apply an ACL denying telnet and other protocols to each VLAN interface (IP address), because of cpu performance. Is that correct? I want a mix of security and performance.

Should I change management access type to ssh and not telnet?

Where, on 6500, can I define what adresses/networks can manage it and also defining through which protocols?

Security tips are welcome. :)

thanks for the help.

Instead of securing each interface, secure the management plane. Here's an example of using an ACL. Let's say you only want two IP's to be able to telnet to the 6500, 192.168.1.15 and .20. First we create the ACL.

access-list 15 remark ALLOW TELNET

access-list 15 permit 192.168.1.15

access-list 15 permit 192.168.1.20

Next we apply it to the VTY's.

line vty 0 15

access-class 15 in

That's it! Now only those two IP's are allowed to telnet into the 6500's. Here is a good book on securing routers and switches.

http://www.amazon.com/Hardening-Cisco-Routers-OReilly-Networking/dp/0596001665/ref=sr_1_6?ie=UTF8&s=books&qid=1219850517&sr=8-6

Hope that helps.

Yes I would agree, instead of filtering telnet on each vlan, just secure the control plane via a VTY access-list.

No don't go for telnet, its totally clear-text and lame :) SSH is the way to go.

Regards

Farrukh

thanks a lot guys!

hi again.

collin, you said

"First we create the ACL.

access-list 15 remark ALLOW TELNET

access-list 15 permit 192.168.1.15

access-list 15 permit 192.168.1.20

Next we apply it to the VTY's.

line vty 0 15

access-class 15 in

That's it! Now only those two IP's are allowed to telnet into the 6500's. "

if I implement SSH can it be used a scheme like this one or SSH with its encryption just doesn't need this type of control? is there a link explaining ssh config on 6500?

tx.

Here is a link:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_SSH_(Secure_Shell)_on_Catalyst_switches

Just make sure your switch supports crypto.

No the ACL and SSH both are required for a secure configuration.

Regards

Farrukh

You can control the protocols used for management under the VTY's. To only allow SSH, you would do the following.

line vty 0 15

transport input ssh

Let's say for some reason you both telnet and SSH, you would do the following.

line vty 0 15

transport input telnet ssh

Here's a link on configuring SSH (router or switch will work).

http://www.packetpros.com/wiki/index.php/Cisco

thanks for the help.

now i know what has to be done.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: