Access to Switches/Router on CatOS or Cisco IOS

Unanswered Question
Feb 2nd, 2007

We have switches on CatOS 6.4.10 and IOS 12.2.18.

On the 12.2.18 we have only SSH access, and on the CatOS 6.4.10, telnet access. We now want to remove the telnet access from all switches and routers. Is there any other way we can connect to these devices apart from telnet? And also, how else do we connect to remote devices?

Also, is it possible to remove the telnet protocol altogether from all switches and routers for security reasons?

Thanks

eofelt Fri, 02/02/2007 - 06:24

At a low level:

Router:

conf t

line vty 0 4 (0 15 for switches)

no password

If there is no password set for telnet sessions, the router will not accept the connection.

Maybe ACLs:

access-list 111 deny tcp any host <router-address> eq 23

access-list 111 permit ip any any

and, in the WAN interface:

ip access-group 111 in

If you want to completely block telnet then use "transport input none" and/or use a different transport like "transport input ssh". That will completely disable telnet access to the router.

Removing the password from the VTY lines is almost as effective. You can still telnet to the router but it immediately tells you that a password is required but none is set, and it drops the connection.

HTH, please rate

londint Fri, 02/02/2007 - 07:27

Thanks

This is on the Routers.

But I want to be able to do this on the switches, e.g. Cat 4006 and Cat 4003 with CatOS version 6.4.10.

Will what you have written stop, for example, my workstation from telnetting to a Unix server?

glen.grant Fri, 02/02/2007 - 07:24

If you have the correct code, most newer switches do support SSH, even CatOS boxes.

adnan.zafar Fri, 02/02/2007 - 12:03

The base command for the permit list is: set ip permit ip_address [mask] [all | snmp | telnet | ssh]. Determine what device or devices are permitted to access this device and permit them to do so. All others will be implicitly denied. There are three separate tables being configured with this command. The Telnet table is kept separate from the SNMP table. This allows you to configure a permit list that only permits authorized management stations to use SNMP and a different permit list for Telnet allowing different devices.

In order to turn this process on, use the command set ip permit enable [ssh | snmp | telnet]. You must specify which table is being activated. Just because the SNMP table is activated does not mean the Telnet table is turned on.
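The two answers above describe the same check from two angles: on IOS, whether each vty range still lists telnet under transport input; on CatOS, whether a permit list governs telnet at all. The script below is an added example (not code from any poster in this thread or from Cisco) that audits saved configuration text for both. The sample configurations are constructed, the weak form beside the corrected one, and the parser only understands the "line vty" / "transport input" and "set ip permit" forms discussed here; it also assumes that a vty block with no transport input statement permits telnet, which matches the 12.x default of "transport input all" but should be confirmed for the release in use.

```python
"""Audit Cisco IOS and CatOS config text for remaining telnet exposure.
Added example for this thread; sample configs are constructed."""
import re

# Constructed IOS excerpt: one vty range still lists telnet, the other has
# no 'transport input' statement at all (weak setting).
IOS_WEAK = """\
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 login
"""

# Constructed IOS excerpt after applying "transport input ssh" (corrected).
IOS_HARDENED = """\
line vty 0 15
 login local
 transport input ssh
"""

# Constructed CatOS excerpt: SSH permit list enabled, telnet list not enabled.
CATOS_WEAK = """\
set ip permit enable ssh
set ip permit 10.1.1.10 255.255.255.255 ssh
"""

# Constructed CatOS excerpt with the telnet permit list enabled and restricted.
CATOS_HARDENED = """\
set ip permit enable ssh
set ip permit 10.1.1.10 255.255.255.255 ssh
set ip permit enable telnet
set ip permit 10.1.1.10 255.255.255.255 telnet
"""


def parse_vty_blocks(config):
    """One dict per 'line vty' block: first/last line number and the
    'transport input' keywords, or None when the block has no such statement."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        head = re.match(r"^line vty (\d+)(?:\s+(\d+))?$", line)
        if head:
            current = {"first": int(head.group(1)),
                       "last": int(head.group(2) or head.group(1)),
                       "transports": None}
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            t = re.match(r"^\s+transport input (.+)$", line)
            if t:
                current["transports"] = t.group(1).split()
        else:
            current = None  # any other top-level line ends the vty block
    return blocks


def vty_allows_telnet(block):
    """Conservative check: a missing 'transport input' counts as permitting
    telnet (assumption: 12.x default is 'transport input all')."""
    transports = block["transports"]
    if transports is None:
        return True
    if "none" in transports:
        return False
    return "all" in transports or "telnet" in transports


def audit_ios(config):
    """Return one finding per vty block that still accepts telnet."""
    findings = []
    for block in parse_vty_blocks(config):
        if vty_allows_telnet(block):
            shown = " ".join(block["transports"]) if block["transports"] else "<default>"
            findings.append(f"line vty {block['first']} {block['last']}: "
                            f"telnet permitted (transport input {shown})")
    return findings


def audit_catos(config):
    """Summarise CatOS permit lists. 'telnet_open' is True when no permit list
    governs telnet, i.e. any source address may open a telnet session."""
    enabled = set()
    sources = {"telnet": [], "ssh": [], "snmp": []}
    for raw in config.splitlines():
        line = raw.strip()
        enable = re.match(r"^set ip permit enable(?:\s+(telnet|ssh|snmp|all))?$", line)
        if enable:
            proto = enable.group(1) or "all"  # bare 'enable' turns on all three lists
            enabled.update(sources if proto == "all" else [proto])
            continue
        entry = re.match(r"^set ip permit (\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?\s+(telnet|ssh|snmp|all)$", line)
        if entry:
            addr, mask, proto = entry.group(1), entry.group(2) or "255.255.255.255", entry.group(3)
            for p in (sources if proto == "all" else [proto]):
                sources[p].append(f"{addr}/{mask}")
    return {"telnet_open": "telnet" not in enabled,
            "telnet_sources": sources["telnet"],
            "ssh_sources": sources["ssh"]}


if __name__ == "__main__":
    for label, cfg in (("IOS weak", IOS_WEAK), ("IOS hardened", IOS_HARDENED)):
        print(label, audit_ios(cfg) or "no telnet exposure")
    for label, cfg in (("CatOS weak", CATOS_WEAK), ("CatOS hardened", CATOS_HARDENED)):
        print(label, audit_catos(cfg))
```

Run it against the output of "show running-config" (IOS) or "show config" (CatOS) saved to a file; an empty IOS finding list and "telnet_open": False on CatOS means the change the thread asks about has actually landed on that device.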
