Telnet Access

Unanswered Question
Feb 2nd, 2007

We want to turn off Telnet access to anywhere throughout the network, and we would like to achieve this via the switches, which is where all the devices connect.

Is there a command that can be used on the switches to not allow Telnet through them at all, so that no device can telnet to anywhere?

Thanks

londint Fri, 02/02/2007 - 07:22

Thanks.

We have so many VLANs. So how would I write this ACL?

access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any

Can I write this as a global command?

Will this stop any device, such as my workstation, from being able to telnet to a UNIX server, for example?

Thanks

Collin Clark Fri, 02/02/2007 - 07:27

Your ACL is good. You will have to apply the ACL to each VLAN interface, and it will block everyone from telnetting to anything outside of the local network. Anything on the local network, they can still telnet to.
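The approach in the reply above, written out as an added example (not code from the thread): an extended ACL that blocks TCP/23, applied inbound on each SVI. VLAN IDs 10 and 20 and the ACL number are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. VLAN 10/20 and ACL 101 are assumed.
! Numbered extended ACL: match the destination port, then permit everything else.
! The permit line is required; an ACL ends in an implicit "deny ip any any".
access-list 101 deny   tcp any any eq telnet log
access-list 101 permit ip any any
!
! Apply it inbound on every SVI (routed VLAN interface) the hosts use as gateway.
interface Vlan10
 ip access-group 101 in
!
interface Vlan20
 ip access-group 101 in
!
! Check (exec mode): the deny line's hit counter increments, and with "log"
! each matching attempt is reported, which is useful for finding leftover Telnet.
! show access-lists 101
! show ip interface Vlan10 | include access list
```

Because this ACL sits on the routed interface, it only sees traffic that leaves the VLAN. A host in VLAN 10 telnetting to another host in VLAN 10 is switched, never routed, and is not affected, which is the limitation the reply above describes.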

aperez2004 Fri, 02/02/2007 - 08:21

If you want to block Telnet to your switch, do the following:

#line vty 0 4

#transport input none

It will block any Telnet, and the only way to see the config of the switch would be via the console port.

Also check if your switch has this line:

#line vty 5 15

If it does have it, do the same:

#transport input none
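An added example, not part of the post above, of the same idea without losing remote management: `transport input none` removes SSH along with Telnet, while `transport input ssh` keeps encrypted access and drops only Telnet. The hostname, domain name and username are assumptions.

```cisco
! Added example, not from the original thread. Hostname, domain and user are assumed.
! SSH needs a hostname, a domain name and an RSA key before it can be enabled.
hostname sw1
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local account used by "login local" on the VTY lines (assumed credentials).
username netadmin privilege 15 secret ChangeMe-Assumed
!
! Cover every VTY line in one block (0-4 and 5-15) so none is left accepting Telnet.
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0
!
! Check (exec mode): the version line shows SSH is enabled, and a Telnet client
! to the switch address should now be refused.
! show ip ssh
! show line vty 0 15
```

The `line vty 0 15` range matters: the original post configures 0-4 and 5-15 separately, and a line left on the default `transport input all` still answers Telnet.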

londint Fri, 02/02/2007 - 10:28

Thanks

This is for Telnet to the switch. What I really want to know is Telnet through the switch.

Can a command be written in the OS that will stop Telnet through the switch?

Thanks

sundar.palaniappan Fri, 02/02/2007 - 11:02

VACLs will do exactly what you are trying to accomplish. The ACL is applied to traffic globally to VLANs, and all traffic that matches the VACL is processed according to the VACL policies. In your case, you can deny Telnet and allow all other traffic in VACLs.

Check out the link below for more info:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a7e.html#wp1054144

HTH

Sundar

adnan.zafar Fri, 02/02/2007 - 11:58

The base command for the permit list is: set ip permit ip_address [mask] [all | snmp | telnet | ssh]. Determine what device or devices are permitted to access this device and permit them to do so. All others will be implicitly denied. There are three separate tables being configured with this command. The Telnet table is kept separate from the SNMP table. This allows you to configure a permit list that only permits authorized management stations to use SNMP and a different permit list for Telnet allowing different devices.

In order to turn this process on, use the command set ip permit enable [ssh | snmp | telnet]. You must specify which table is being activated. Just because the SNMP table is activated does not mean the Telnet table is turned on.

londint Wed, 02/07/2007 - 02:26

Yes, I know. Thanks. But this is still Telnet TO the switch. I don't want any of the workstations to be able to telnet to any other workstation connected to the switch.

Thanks

ahmedchohan Wed, 02/07/2007 - 02:59

Switch(config)# ip access-list extended local-17

Switch(config-ext-nacl)# permit tcp any any eq telnet

Switch(config-ext-nacl)# exit

Switch(config)# vlan access-map block-17 10

Switch(config-access-map)# match ip address local-17

Switch(config-access-map)# action drop

Switch(config-access-map)# vlan access-map block-17 20

Switch(config-access-map)# action forward

Switch(config-access-map)# exit

Switch(config)# vlan filter block-17 vlan-list "YOUR VLAN ID"

Change the destination IP from the switch address to any.

ahmedchohan Tue, 02/06/2007 - 10:11

I guess this is what you're talking about. This is a global command, applied generally to a VLAN, otherwise known as a VLAN access list.

Switch(config)# ip access-list extended local-17

Switch(config-ext-nacl)# permit tcp any host that.switch.ip.address eq telnet

Switch(config-acl)# exit

Switch(config)# vlan access-map block-17 10

Switch(config-access-map)# match ip address local-17

Switch(config-access-map)# action drop

Switch(config-access-map)# vlan access-map block-17 20

Switch(config-access-map)# action forward

Switch(config-access-map)# exit

Switch(config)# vlan filter block-17 vlan-list "YOUR VLAN ID"

Hope it helps.
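The VACL procedure from the two posts above, as one added example that is not the poster's code: a named ACL matching TCP/23, a two-sequence access map, the filter applied to a whole VLAN range, and the show commands to confirm it took effect. The VLAN range 10-20 and the ACL/map names are assumptions.

```cisco
! Added example, not from the original thread. VLAN range and names are assumed.
! The ACL only *classifies* traffic: "permit" here means "this is what the map
! matches"; the drop happens in the access-map action below.
ip access-list extended TELNET-ANY
 permit tcp any any eq telnet
!
! Sequence 10 drops anything the ACL matches; sequence 20 has no match clause,
! so it matches everything else and forwards it. Without sequence 20 all other
! traffic in the VLAN would be dropped.
vlan access-map NO-TELNET 10
 match ip address TELNET-ANY
 action drop
vlan access-map NO-TELNET 20
 action forward
!
! Apply once to every user VLAN; a range avoids repeating this per VLAN.
vlan filter NO-TELNET vlan-list 10-20
!
! Check (exec mode): the map shows both sequences, the filter shows the VLANs,
! and a Telnet attempt between two hosts in the same VLAN now times out.
! show vlan access-map NO-TELNET
! show vlan filter
```

Unlike an ACL on the SVI, a VACL is applied to bridged traffic inside the VLAN as well, so host-to-host Telnet within the same VLAN is dropped, which is what the original question asked for. It also drops Telnet to any switch address that lives in those VLANs, so make sure SSH is the management transport before applying it.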
