02-02-2007 05:57 AM - edited 03-05-2019 02:08 PM
We have switches on CatOS 6.4.10 and IOS 12.2.18.
On the 12.2.18 we have only SSH access, and on the CatOS 6.4.10, telnet access. We now want to remove the telnet access from all switches and routers. Is there any other way we can connect to these devices apart from telnet? And also, how else do we connect to remote devices?
Also, is it possible to remove the telnet protocol altogether from all switches and routers for security reasons?
Thanks
02-02-2007 06:24 AM
At a low level:
Router:
conf t
line vty 0 4 (0 15 for switches)
no password
If there is no password set for telnet sessions, the router will not accept the connection.
Maybe ACLs:
access-list 111 deny tcp any host
access-list 111 permit ip any any
and, in the WAN interface:
ip access-group 111 in
If you want to completely block telnet then use "transport input none" and/or use a different transport like "transport input ssh". That will completely disable telnet access to the router.
Removing the password from the VTY lines is almost as effective. You can still telnet to the router but it immediately tells you that a password is required but none is set, and it drops the connection.
HTH, please rate
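An added audit helper, not part of this thread: it parses the "line vty" stanzas of an IOS running-config and reports which ones still accept telnet, i.e. "transport input all" or an explicit "telnet", or have no "transport input" line at all (the default differs between releases, so that case is flagged for review rather than assumed safe). The sample config is constructed for the example.

```python
import re

# Constructed sample running-config (not from the thread): one vty block that
# still allows telnet alongside SSH, one that is SSH-only.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
line con 0
 password 7 0822455D0A16
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
!
line vty 5 15
 login local
 transport input ssh
!
end
"""

def parse_vty_lines(config):
    """Return one dict per 'line vty' stanza with its transport input tokens."""
    stanzas, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("line "):
            current = None
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current = {"range": (first, last), "transport": None}
                stanzas.append(current)
        elif current is not None and line.startswith(" transport input "):
            current["transport"] = line.split("transport input ", 1)[1].split()
        elif not line.startswith(" "):
            current = None  # '!' or another top-level command ends the stanza
    return stanzas

def vty_finding(stanza):
    """Describe why a vty stanza is not SSH-only, or None if it is."""
    t = stanza["transport"]
    if t is None:
        return "no explicit 'transport input' (default varies by release; set it)"
    if "all" in t or "telnet" in t:
        return "telnet permitted"
    return None  # e.g. 'transport input ssh' or 'transport input none'

def audit(config):
    """List (vty range, finding) for every stanza that still needs attention."""
    return [(s["range"], vty_finding(s)) for s in parse_vty_lines(config)
            if vty_finding(s) is not None]

if __name__ == "__main__":
    for rng, why in audit(SAMPLE_CONFIG):
        print(f"line vty {rng[0]} {rng[1]}: {why}")
```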
02-02-2007 07:27 AM
Thanks
This is on the Routers.
But I want to be able to do this on the switches, e.g. Cat 4006 and Cat 4003 with CatOS version 6.4.10.
Will what you have written stop, for example, my workstation from telnetting to a Unix server?
02-02-2007 07:24 AM
If you have the correct code, most newer switches do support SSH, even CatOS boxes.
02-02-2007 12:03 PM
The base command for the permit list is: set ip permit ip_address [mask] [all | snmp | telnet | ssh]. Determine what device or devices are permitted to access this device and permit them to do so. All others will be implicitly denied. There are three separate tables being configured with this command. The Telnet table is kept separate from the SNMP table. This allows you to configure a permit list that only permits authorized management stations to use SNMP and a different permit list for Telnet allowing different devices.
In order to turn this process on, use the command set ip permit enable [ssh | snmp | telnet]. You must specify which table is being activated. Just because the SNMP table is activated does not mean the Telnet table is turned on.