08-29-2015 03:28 PM - edited 03-08-2019 01:34 AM
Hi All,
I am unable to telnet to my access switch, which is in the network, with IP 10.120.232.12. Actually I am able to log in through SSH, but I am unable to log in through telnet.
show run interface vlan 10
Building configuration...
Current configuration : 242 bytes
!
interface Vlan10
description *******MANAGEMENT VLAN*******
ip address 10.120.232.2 255.255.255.224
no ip redirects
no ip unreachables
Above is my management VLAN, which was created in my core switch. I am getting this kind of error while logging in. After configuring telnet as given below, I am still getting the error below.
line vty 0 4
session-timeout 5
access-class 3 in
exec-timeout 5 0
password 7 104D000A0618
transport input telnet ssh
transport output all
Error message:
telnet 10.120.232.12
Trying 10.120.232.12 ...
% Connection refused by remote host
Please help me with this issue. Thanks in advance.
08-31-2015 02:01 AM
Hi, you have an ACL on the VTY port. Are you coming from a permitted source of this ACL? Otherwise you will be blocked; you need to make sure your IP range/address is allowed and included in this ACL. The ACL may just be set to eq 22; check that eq 23 is also allowed for telnet.
line vty 0 4
session-timeout 5
access-class 3 in
09-01-2015 06:42 AM
Hi Mark,
Thanks for the reply. Below are the permit statements allowed in access-list 3. Please guide me on how to check what rules are written in access-class 3. And I am able to telnet the IPs below: 10.136.169.110, 10.120.232.25, 202.9.192.64 and 202.9.192.96.
access-list 3 permit 10.136.169.110
access-list 3 permit 10.120.232.25
access-list 3 permit 202.9.192.64 0.0.0.31
access-list 3 permit 202.9.192.96 0.0.0.31
09-01-2015 07:26 AM
Hi
Is that the access-list 3 off the router you're trying to telnet to, 10.120.232.12? You would need to provide that ACL, as we need to see what's allowed inbound to the router.
By the way, it's good that telnet is not working. You should only use SSH when possible, as telnet can be sniffed on the wire for passwords, so unless there's a specific reason you want it on I would leave it off, as it's a security hole.
09-01-2015 11:52 AM
Hi,
All the ACLs are created in our CORE SWITCH (L3) and we are using them in the L2 switch.
As you suggested, SSH is a good practice; thanks for that. But how can I check what rules are written in access-class 3?
If I am using show access-lists 3:
Standard IP access list 3
60 permit 10.136.169.110 (839 matches)
70 permit 10.115.50.30 (1751 matches)
80 permit 10.201.51.152
50 permit 10.120.232.25 (226 matches)
30 permit 202.9.192.64, wildcard bits 0.0.0.31 (1606 matches)
40 permit 202.9.192.96, wildcard bits 0.0.0.31 (60 matches)
So please suggest to me how to check what has been blocked in a particular ACL.
09-01-2015 12:10 PM
Hello,
I don't see any ACE entry in this ACL denying port 23 (telnet).
Is it possible you have (control plane policing) CPP enabled?
sh access-lists
sh control-plane feature
res
Paul
09-01-2015 12:14 PM
Hi,
Unable to execute the below command. I am using the command on a Cisco 6500 switch.
FYI
show control-plane feature
^
% Invalid input detected at '^' marker.
09-01-2015 12:29 PM
Hello
Scratch that, just noticed this query regards an L3 switch; it's not applicable.
res
Paul
09-01-2015 12:29 PM
Hi,
All the ACLs are created in our CORE SWITCH (L3) and we are using them in the L2 switch.
09-02-2015 12:51 AM
Hi, the ACLs may be created in the core switch, but even a layer 2 switch would have an ACL under its VTY port to prevent unwanted access if it's manageable remotely, so you need to get onto the switch that you're trying to access, check the VTY port, see what access-class is applied to it and then post the access-list from that specific switch that's tied to the port.
As an example, this is a layer-2-only switch trunked in my network below. It has 1 mgmt IP for access but also has an ACL applied at the VTY port for control of who can access it. I have cut it down as it's very long.
If you can post your access-list off the specific switch we can look at it, but as Paul said there is no telnet blocked in the ACL provided above; you're allowing each of those IPs and there will be an implicit deny blocking everything else. You're not using an extended ACL to allow/deny tcp/udp etc.
sw-AC1#sh run | b line vty
line vty 0 4
access-class 124 in
exec-timeout 30 0
transport input ssh
sw-AC1#sh access-lists 124
Extended IP access list 124
10 permit tcp host 172.19.154.53 any eq 22 (1626 matches)
20 permit tcp host 172.19.246.240 any eq 22 (58 matches)
30 permit tcp host 172.19.249.77 any eq 22 (20 matches)
40 permit tcp host 172.19.152.223 any eq 22
230 deny ip any any log (22 matches)
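The question that runs through this thread is "which sources does this access-class actually let in, and where does the implicit deny bite?" As an added example (not part of the thread and not a Cisco tool), the script below parses `show access-lists` output in the two shapes posted above (the standard ACL 3 and the extended ACL 124, embedded here as constructed sample text copied from those posts) and evaluates a candidate source address against each ACE in order, falling through to the implicit deny. It assumes the IOS display format shown in the thread (sequence number, action, source with optional "wildcard bits", optional "(N matches)"), and it treats a bare address in a standard ACL as a host entry with a 0.0.0.0 wildcard.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed samples: the ACL output posted in the thread, one ACE per line.
ACL3_OUTPUT = """Standard IP access list 3
60 permit 10.136.169.110 (839 matches)
70 permit 10.115.50.30 (1751 matches)
80 permit 10.201.51.152
50 permit 10.120.232.25 (226 matches)
30 permit 202.9.192.64, wildcard bits 0.0.0.31 (1606 matches)
40 permit 202.9.192.96, wildcard bits 0.0.0.31 (60 matches)
"""

ACL124_OUTPUT = """Extended IP access list 124
10 permit tcp host 172.19.154.53 any eq 22 (1626 matches)
20 permit tcp host 172.19.246.240 any eq 22 (58 matches)
30 permit tcp host 172.19.249.77 any eq 22 (20 matches)
40 permit tcp host 172.19.152.223 any eq 22
230 deny ip any any log (22 matches)
"""

ANY = (0, 0xFFFFFFFF)                 # address 0.0.0.0 with an all-ones wildcard
PORT_NAMES = {"telnet": 23, "www": 80}  # small map for IOS port keywords (assumption)


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" for a standard ACL; tcp/udp/ip for extended
    src: Tuple[int, int]        # (address as int, wildcard as int)
    dst: Tuple[int, int]
    dport: Optional[int]        # destination port from "eq", None if any port


def _addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' | bare 'A'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    base = int(ipaddress.IPv4Address(t))
    # A bare address (standard ACL host entry) carries an implied 0.0.0.0 wildcard.
    wc = int(ipaddress.IPv4Address(tokens.pop(0))) if tokens and tokens[0][0].isdigit() else 0
    return base, wc


def parse_show_access_list(text):
    """Turn 'show access-lists' output into a list of Ace in display order."""
    aces, kind = [], None
    for raw in text.splitlines():
        line = re.sub(r"\s*\(\d+ matches\)$", "", raw.strip())
        if not line:
            continue
        m = re.match(r"(Standard|Extended) IP access list", line)
        if m:
            kind = m.group(1)
            continue
        tokens = line.replace(",", "").replace("wildcard bits ", "").split()
        seq, action = int(tokens.pop(0)), tokens.pop(0)
        if kind == "Standard":
            # Standard ACEs match on source address only.
            aces.append(Ace(seq, action, "ip", _addr(tokens), ANY, None))
        else:
            proto = tokens.pop(0)
            src, dst = _addr(tokens), _addr(tokens)
            dport = None
            if tokens and tokens[0] == "eq":
                p = tokens[1]
                dport = int(p) if p.isdigit() else PORT_NAMES[p]
            aces.append(Ace(seq, action, proto, src, dst, dport))
    return aces


def _in(addr_int, spec):
    """Wildcard match: bits where the wildcard is 0 must equal the base address."""
    base, wc = spec
    return (addr_int ^ base) & (0xFFFFFFFF ^ wc) == 0


def evaluate(aces, src_ip, dst_ip="0.0.0.0", proto="tcp", dport=23):
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_in(s, ace.src) and _in(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace
    return "deny", None  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl3 = parse_show_access_list(ACL3_OUTPUT)
    # The core switch SVI from the first post is not a permitted source of ACL 3.
    for src in ("10.136.169.110", "202.9.192.80", "10.120.232.2"):
        action, ace = evaluate(acl3, src)
        print(f"ACL 3  src {src:16} -> {action} ({'seq %d' % ace.seq if ace else 'implicit deny'})")
    acl124 = parse_show_access_list(ACL124_OUTPUT)
    for port in (22, 23):
        action, ace = evaluate(acl124, "172.19.154.53", "10.0.0.1", "tcp", port)
        print(f"ACL 124 src 172.19.154.53 dport {port} -> {action} (seq {ace.seq})")
```

Running it shows why the extended form from the last reply is easier to troubleshoot: the explicit `deny ip any any log` at seq 230 produces a log entry and a match counter for blocked attempts, whereas the standard ACL 3 silently drops anything outside its permit lines, including the core switch's own SVI address 10.120.232.2 from the first post.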