02-02-2007 06:22 AM - edited 03-05-2019 02:08 PM
We want to turn off Telnet access to anywhere throughout the network. And we will like to achieve this via the Switches which is where all the devices connect to.
Is there a command that can be used on the Switches to not allow telnet through it at all, so that no one device can do a telnet to anywhere?
Thanks
02-02-2007 07:06 AM
An ACL on the L3 VLAN interface would stop it.
HTH and please rate
02-02-2007 07:22 AM
Thanks.
We have many so many VLANs. So how will I write this ACL.
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
Can I write this as a global command.
Will this stop any device such as my workstation being able to do a telnet to a UNIX server for example?
Thanks
02-02-2007 07:27 AM
Your ACL is good. You will have to apply the ACL to each VLAN interface and it will block everyone from telnetting to anything outside of the local network. Anything on the local network, they can still telnet too.
02-02-2007 08:21 AM
if you want to block telnet to your switch, do the following:
#line vty 0 4
#transport input none
it will block any telnet, and the only way to see the config of the switch would be via console port.
Also check if your switch has this line:
#line vty 5 15
if it does have it, do the same:
#transport input none
02-02-2007 10:28 AM
Thanks
This is for telnet to the switch. What I really want to know is telnet though the Switch.
Can a command be written in OS that will stop telnet through the switch?
Thanks
02-02-2007 11:02 AM
VACLs will do exactly what you are trying to accomplish. The ACL is applied to traffic globally to VLANs and all traffic that matches the VACL is processed according to the VACL policies. In your case, you can deny telnet and allow all other traffic in VACLs.
Check out the link below for more info:
HTH
Sundar
02-02-2007 11:58 AM
The base command for the permit list is: Set ip permit ip_address [mask] [all | snmp | telnet | ssh]. Determine what device or devices are permitted to access this device and permit them to do so. All others will be implicitly denied. There are three separate tables being configured with this command. The Telnet table is kept separate from the SNMP table. This allows you to configure a permit list that only permits authorized management stations to use SNMP and a different permit list for Telnet allowing different devices.
In order to turn this process on, use the command set ip permit enable [ssh | snmp | telnet]. You must specify which table is being activated. Just because the SNMP table is activated does not mean the Telnet table is turned on.
02-07-2007 02:26 AM
Yes, I know. Thanks. But this is still telnet TO the switch. I don't want any of the workstations to be able to telnet to any other workstation connected to the switch.
Thanks
02-07-2007 02:59 AM
Switch(config)# ip access-list extended local-17
Switch(config-ext-nacl)# permit tcp any any eq telnet
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list "YOUR VLAN ID"
change the destination ip to any ---> ANY
02-06-2007 10:11 AM
I guess this is what you're talking about. This is a global command, applied generally to a VLAN, otherwise known as a VLAN access list.
Switch(config)# ip access-list extended local-17
Switch(config-ext-nacl)# permit tcp any host that.switch.ip.address eq telnet
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list "YOUR VLAN ID"
Hope it helps.
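The thread's two answers both hinge on the same follow-up question: with many VLANs, is the telnet block actually applied everywhere? Below is an added example (written for this page, not from the thread or from Cisco) that audits a saved running-config for that. It distinguishes the two mechanisms discussed above: a router ACL applied inbound on an SVI (which only covers telnet routed off the VLAN, as one reply points out) and a VACL applied with `vlan filter` (which also covers telnet inside the VLAN). The config it parses is a constructed sample; the parser understands only the command forms shown in this thread, ignores source/destination addresses when deciding whether an entry covers TCP/23, and treats the first `eq` qualifier as the destination port, all of which are simplifications of real ACL semantics.

```python
import re

# Constructed sample config (not from the thread). VLAN 10 uses a router ACL,
# VLAN 20 is covered by the VACL, VLAN 30 has an ACL that permits telnet,
# and VLAN 40 has nothing applied at all.
SAMPLE_CONFIG = """\
vlan 10
vlan 20
vlan 30
vlan 40
!
ip access-list extended NO-TELNET
 deny tcp any any eq telnet
 permit ip any any
!
ip access-list extended TELNET-MATCH
 permit tcp any any eq 23
!
ip access-list extended ALLOW-ALL
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group NO-TELNET in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group ALLOW-ALL in
!
vlan access-map BLOCK-TELNET 10
 match ip address TELNET-MATCH
 action drop
vlan access-map BLOCK-TELNET 20
 action forward
!
vlan filter BLOCK-TELNET vlan-list 20
"""


def parse_config(text):
    """Split an IOS-style config into (header, [indented body lines]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def entry_covers_telnet(entry):
    """True if an ACL entry matches TCP/23. Simplification: addresses are
    ignored and the first 'eq' qualifier is taken as the destination port."""
    tokens = entry.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        return False
    if tokens[1] not in ("ip", "tcp"):
        return False
    port = re.search(r"\beq (\S+)", entry)
    if port is None:
        return True  # no port qualifier: every TCP port, including 23
    return port.group(1) in ("23", "telnet")


def acl_verdict(entries):
    """Walk entries in order; the first one covering TCP/23 decides.
    No covering entry means the implicit deny at the end applies."""
    for entry in entries:
        if entry_covers_telnet(entry):
            return entry.split()[0]
    return "deny"


def vacl_drops_telnet(sequences, acls):
    """First access-map sequence whose match clause covers TCP/23 decides;
    a sequence without a match clause matches everything; if nothing
    matches, the VACL's implicit deny drops the packet."""
    for _, body in sorted(sequences):
        action, matched = "forward", True  # 'forward' is the assumed default
        for line in body:
            b = line.split()
            if b[0] == "action":
                action = b[1]
            elif b[:3] == ["match", "ip", "address"]:
                matched = any(acl_verdict(acls.get(n, [])) == "permit" for n in b[3:])
        if matched:
            return action == "drop"
    return True


def expand_vlan_list(spec):
    """Expand an IOS vlan-list such as '10,20-22' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            ids.update(range(int(lo), int(hi) + 1))
        elif part:
            ids.add(int(part))
    return ids


def audit_telnet_coverage(text):
    """Map each VLAN ID to 'vacl', 'racl' or None (telnet not blocked)."""
    acls, svi_acl, maps, filters, vlans = {}, {}, {}, {}, set()
    for header, body in parse_config(text):
        h = header.split()
        if h[0] == "vlan" and len(h) == 2 and h[1].isdigit():
            vlans.add(int(h[1]))
        elif h[:2] == ["ip", "access-list"] and len(h) >= 4:
            acls[h[3]] = body
        elif h[0] == "access-list" and len(h) >= 3:  # numbered ACL lines
            acls.setdefault(h[1], []).append(" ".join(h[2:]))
        elif h[0] == "interface" and h[1].lower().startswith("vlan"):
            vid = int(h[1][4:])
            vlans.add(vid)
            for line in body:
                b = line.split()
                if b[:2] == ["ip", "access-group"] and b[-1] == "in":
                    svi_acl[vid] = b[2]
        elif h[:2] == ["vlan", "access-map"] and len(h) >= 4:
            maps.setdefault(h[2], []).append((int(h[3]), body))
        elif h[:2] == ["vlan", "filter"] and "vlan-list" in h:
            filters[h[2]] = expand_vlan_list(h[h.index("vlan-list") + 1])
    coverage = {}
    for vid in sorted(vlans):
        how = None
        for name, ids in filters.items():
            if vid in ids and name in maps and vacl_drops_telnet(maps[name], acls):
                how = "vacl"
        # An SVI referencing an undefined ACL permits everything on IOS,
        # so the ACL must exist before its verdict counts.
        if how is None and svi_acl.get(vid) in acls and acl_verdict(acls[svi_acl[vid]]) == "deny":
            how = "racl"
        coverage[vid] = how
    return coverage


if __name__ == "__main__":
    for vid, how in audit_telnet_coverage(SAMPLE_CONFIG).items():
        print(f"VLAN {vid}: {how or 'TELNET NOT BLOCKED'}")
</test>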