Restrict Telnet Access to FastE port or VLAN

Jake Pratt
Level 1

I am using a Catalyst 3560 POE 8 switch to terminate my metro internet connection.  I have my external stuff set up on VLAN 999 on F0/1, and my internal stuff is on VLAN 666 on F0/2 and F0/3.  My question is, I recently realized that my VLAN 999 (which is exposed to the internet) also has telnet enabled.  I need to shut that down.  But I also need to retain telnet access from the inside.

I'm not sure if I can get ssh working on this switch.  It doesn't have a crypto load, and I don't know if it has enough RAM to get one.  I suppose that's one thing I could spend a little more time looking at.  But my real question, at least for now, is "how can I enable telnet on some switchports or VLANs (F0/2, F0/3, VLAN 666), and disable it on others (F0/1, VLAN 999)?"  Is that possible?

I will be happy to post my config, or show version information if it will be helpful.  I have a lot of basic Cisco experience, but I'm nowhere near an expert.

Thanks in advance!

Jake

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Jake,

under line vty 0 5

you can invoke a standard ACL using

access-class xx in

access-list xx permit 10.66.66.0 0.0.0.255

the ACL can specify the IP subnet associated to the inside Vlan

note:

the switch may have more vty lines than 0 - 5; be aware of this

you need to configure on all of them for your safety

Hope to help

Giuseppe

Thanks Giuseppe

I should have thought of using an ACL!  For some reason, I can't seem to get my access-list working correctly, though.  Maybe you have some thoughts.  It's a C3560, running 12.2(35r)SE2 code, so it's pretty old.  Basically, I'm trying to set my ACL, so that everyone on the 10.1.x.x network (for example) will be able to telnet into the device.

I've added:

line vty 0 15

access-class 10 in

I've tried:

access-list 10 permit 10.1.0.0 0.0.255.255

access-list 10 permit 10.1.0.0 255.255.0.0 --> it changes it to 0.0.0.0 255.255.0.0

access-list 10 permit 10.1.0.0

and my specific IP address:

access-list 10 permit 10.1.71.4 (example address)

access-list 10 permit 10.1.71.4 255.255.255.255

access-list 10 permit 10.1.71.4 0.0.0.0

Every one of these ACLs blocks all telnet traffic inside and out.  Am I missing something with my syntax?

Thanks

Jake

I know this thread has been abandoned for a long time, but after opening up another ticket on Experts-Exchange, I figured out the problem.  I had the ACL correct, but I wasn't thinking about my addressing properly.  If I really wanted to only allow access to the 10.1.0.0 network, then this would have worked:

access-list 10 permit 10.1.0.0 0.0.255.255

line vty 0 15

access-class 10 in

The problem is that the switch is sitting on the outside of my ASAs, so it's all on my public addressing.  All I did was change the ACL to show the outside addresses of my ASAs, and it works like a charm:

access-list 10 permit host x.x.x.a (outside address of primary ASA)

access-list 10 permit host x.x.x.b (outside address of failover ASA)

line vty 0 15

access-class 10 in

Now telnet works from the inside, but not the outside.  Problem solved!
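As an added example that is not part of this thread (not Jake's or Giuseppe's configuration, and not Cisco code), the Python script below applies IOS standard-ACL wildcard semantics to a constructed configuration and checks that every vty range carries an access-class. The ACL number, the 203.0.113.x addresses standing in for the ASA outside addresses, and the split of vty lines into 0-4 and 5-15 are assumptions. It shows why `permit 10.1.0.0` on its own matches a single host, why `10.1.0.0 255.255.0.0` is rewritten to `0.0.0.0 255.255.0.0`, why the permitted sources must be the addresses the switch actually sees, and why Giuseppe's note about vty lines beyond 0-5 matters.

```python
"""Evaluate a Cisco IOS standard ACL the way the vty access-class applies it.

Wildcard-mask semantics: a wildcard bit of 1 means "don't care", a bit of 0
must match.  This is the inverse of a subnet mask, which is what made the
thread's attempts fail.  Every IOS ACL ends with an implicit deny.
"""
import ipaddress
import re
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF

# Constructed sample config (assumption: ACL 10, documentation-range
# addresses for the ASA outside interfaces, vty lines split 0-4 / 5-15).
SAMPLE_CONFIG = """\
access-list 10 permit host 203.0.113.10
access-list 10 permit host 203.0.113.11
access-list 10 permit 10.1.0.0 0.0.255.255
!
line vty 0 4
 access-class 10 in
line vty 5 15
 transport input telnet
"""

# Grammar covered: access-list <n> permit|deny any | host A | A [wildcard]
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:(any)|host\s+(\S+)|(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?)\s*$"
)

Entry = Tuple[str, int, int]  # (action, network as int, wildcard as int)


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def normalise(addr: str, wildcard: str = "0.0.0.0") -> Tuple[str, str]:
    """Return the (address, wildcard) pair as IOS stores it.

    Don't-care bits are zeroed in the address, so a subnet mask given by
    mistake (10.1.0.0 255.255.0.0) becomes 0.0.0.0 255.255.0.0, exactly the
    rewrite observed in the thread.
    """
    a, w = to_int(addr), to_int(wildcard)
    return to_dotted(a & ~w & ALL_ONES), to_dotted(w)


def parse_standard_acl(config: str, number: int) -> List[Entry]:
    """Collect the entries of one numbered standard ACL, in order."""
    entries: List[Entry] = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or int(m.group(1)) != number:
            continue
        action, any_kw, host, addr, wild = m.groups()[1:]
        if any_kw:
            net, mask = 0, ALL_ONES
        elif host:
            net, mask = to_int(host), 0          # "host A" == "A 0.0.0.0"
        else:
            n, w = normalise(addr, wild or "0.0.0.0")  # no wildcard: single host
            net, mask = to_int(n), to_int(w)
        entries.append((action, net, mask))
    return entries


def evaluate(entries: List[Entry], src: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    s = to_int(src)
    for action, net, mask in entries:
        if (s & ~mask & ALL_ONES) == net:
            return action
    return "deny"


def vty_ranges_without_access_class(config: str) -> List[str]:
    """Report 'line vty X Y' ranges that carry no 'access-class N in'."""
    missing: List[str] = []
    current, has_class = None, False
    for raw in config.splitlines() + ["line end"]:   # sentinel flushes last block
        line = raw.rstrip()
        if line.startswith("line "):
            if current is not None and not has_class:
                missing.append(current)
            current = line[len("line "):] if line.startswith("line vty") else None
            has_class = False
        elif current is not None and re.match(r"^\s*access-class\s+\d+\s+in\b", line):
            has_class = True
    return missing


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_CONFIG, 10)
    for src in ("203.0.113.10", "10.1.71.4", "198.51.100.7"):
        print(f"{src:15} -> {evaluate(acl, src)}")
    print("10.1.0.0 255.255.0.0 is stored as", normalise("10.1.0.0", "255.255.0.0"))
    print("vty ranges without access-class:", vty_ranges_without_access_class(SAMPLE_CONFIG))
```

Run as-is to see the three source addresses evaluated, the mask rewrite, and `vty 5 15` flagged as unprotected. The two checks that matter operationally are the last ones: an access-class only restricts the vty range it is applied to, and the ACL must name the source addresses as they arrive at the switch, which for a switch outside the firewalls means the ASA outside addresses rather than the internal 10.1.0.0/16 range.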

Remember to mark Giuseppe's post as "Correct Answer" so that he gets his due credit for helping you out here.
