ACL doubt

joseramada (Level 1)

Hi. I have a little doubt about ACLs:

If I apply an ACL (denying all in/out telnet connections) to the interface VLAN 5 with IP address 192.168.1.254 is it still possible to telnet to IP 192.168.1.254? To the other IP addresses on this network I know it's not possible.

Thanks.


Collin Clark (VIP Alumni)

No, assuming that your ACL is blocking the entire /24 subnet.

Hope that helps.

Farrukh Haroon (VIP Alumni)

Well telnet won't be possible to that IP, but the device could be reachable via other IPs. IF I understand your question correctly.

Regards

Farrukh

yes, that's the point.

Our network has more than 200 VLANs on a Catalyst 6500. I think it is not a good policy to apply an ACL denying telnet and other protocols to each VLAN interface (IP address), because of cpu performance. Is that correct? I want a mix of security and performance.

Should I change management access type to ssh and not telnet?

Where, on the 6500, can I define what addresses/networks can manage it and also define through which protocols?

Security tips are welcome. :)

thanks for the help.

Instead of securing each interface, secure the management plane. Here's an example of using an ACL. Let's say you only want two IP's to be able to telnet to the 6500, 192.168.1.15 and .20. First we create the ACL.

access-list 15 remark ALLOW TELNET
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20

Next we apply it to the VTY's.

line vty 0 15
 access-class 15 in

That's it! Now only those two IP's are allowed to telnet into the 6500's. Here is a good book on securing routers and switches.

http://www.amazon.com/Hardening-Cisco-Routers-OReilly-Networking/dp/0596001665/ref=sr_1_6?ie=UTF8&s=books&qid=1219850517&sr=8-6

Hope that helps.

Yes I would agree, instead of filtering telnet on each vlan, just secure the control plane via a VTY access-list.

No don't go for telnet, its totally clear-text and lame :) SSH is the way to go.

Regards

Farrukh

thanks a lot guys!

hi again.

collin, you said

"First we create the ACL.

access-list 15 remark ALLOW TELNET
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20

Next we apply it to the VTY's.

line vty 0 15
 access-class 15 in

That's it! Now only those two IP's are allowed to telnet into the 6500's."

If I implement SSH, can a scheme like this one be used, or does SSH with its encryption just not need this type of control? Is there a link explaining SSH config on the 6500?

tx.

Here is a link:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_SSH_(Secure_Shell)_on_Catalyst_switches

Just make sure your switch supports crypto.

No the ACL and SSH both are required for a secure configuration.

Regards

Farrukh

You can control the protocols used for management under the VTY's. To only allow SSH, you would do the following.

line vty 0 15
 transport input ssh

Let's say for some reason you want both telnet and SSH; you would do the following.

line vty 0 15
 transport input telnet ssh

Here's a link on configuring SSH (router or switch will work).

http://www.packetpros.com/wiki/index.php/Cisco
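The thread settles on two controls that must go together: an inbound access-class on the VTY lines that names the management hosts, and a transport input restricted to SSH. The following is an added audit script, not part of the original thread or any Cisco tool, that reads an IOS-style running-config and reports VTY blocks missing either control. The two sample configs embedded in it are constructed for the example (the hostname, the second VTY range and the remark text are assumptions); the ACL numbers and addresses match the ones used in the thread.

```python
"""Audit the management plane (VTY lines) of a Cisco IOS running-config.

Added example, not from the thread. It checks the two controls discussed:
  1. every 'line vty' block has an inbound access-class whose access-list
     exists and permits only specific hosts (no 'any', no wildcard ranges);
  2. 'transport input' is restricted to ssh (telnet is clear-text).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VtyBlock:
    header: str
    access_class: Optional[str] = None
    transport_input: list = field(default_factory=list)


def parse_config(text: str) -> tuple:
    """Return (standard ACL entries keyed by ACL name, list of VTY blocks)."""
    acls: dict = {}
    vtys: list = []
    current: Optional[VtyBlock] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command
            m = re.match(r"access-list (\S+) (permit|deny) (.+)$", line)
            if m:
                acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
            if line.startswith("line vty"):
                current = VtyBlock(header=line)
                vtys.append(current)
            else:
                current = None                  # interface, line con, etc.
            continue
        if current is None:
            continue
        cmd = line.strip()                      # sub-command of a vty block
        m = re.match(r"access-class (\S+) in$", cmd)
        if m:
            current.access_class = m.group(1)
        m = re.match(r"transport input (.+)$", cmd)
        if m:
            current.transport_input = m.group(1).split()
    return acls, vtys


def _is_host_entry(entry: str) -> bool:
    """True if a standard-ACL entry permits at most a single host."""
    parts = entry.split()
    if parts[0] != "permit":
        return True                             # deny entries do not widen access
    target = parts[1:]
    if not target or target[0] == "any":
        return False
    if target[0] == "host":
        return True
    # 'permit A.B.C.D W.W.W.W' with a non-zero wildcard mask is a range
    if len(target) >= 2 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", target[1]):
        return target[1] == "0.0.0.0"
    return True


def audit(text: str) -> list:
    """Return findings for each VTY block; an empty list means both controls are in place."""
    acls, vtys = parse_config(text)
    findings: list = []
    if not vtys:
        findings.append("no 'line vty' block found")
    for v in vtys:
        if v.access_class is None:
            findings.append(f"{v.header}: no inbound access-class, any source may reach the VTYs")
        elif v.access_class not in acls:
            # a reference to an ACL with no entries is commonly treated as permit-all
            findings.append(f"{v.header}: access-class {v.access_class} references an ACL that does not exist")
        else:
            for e in acls[v.access_class]:
                if not _is_host_entry(e):
                    findings.append(f"{v.header}: access-list {v.access_class} entry '{e}' permits more than a single host")
        if not v.transport_input:
            findings.append(f"{v.header}: no 'transport input' set (default varies by IOS version)")
        elif "telnet" in v.transport_input or "all" in v.transport_input:
            findings.append(f"{v.header}: transport input allows clear-text telnet ({' '.join(v.transport_input)})")
    return findings


# Constructed sample: VTYs before hardening (telnet allowed, no access-class).
WEAK_CONFIG = """\
hostname cat6500
!
interface Vlan5
 ip address 192.168.1.254 255.255.255.0
!
line vty 0 15
 transport input telnet ssh
!
"""

# Constructed sample: the ACL and the SSH-only transport from the thread applied together.
HARDENED_CONFIG = """\
hostname cat6500
!
access-list 15 remark ALLOW MGMT
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20
!
line vty 0 4
 access-class 15 in
 transport input ssh
line vty 5 15
 access-class 15 in
 transport input ssh
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

Run it against a saved `show running-config`; every VTY range on the box is checked separately, which matters on a chassis where someone has added a `line vty 5 15` without the access-class that `line vty 0 4` carries.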

thanks for the help.

Now I know what has to be done.