Telnet Access

londint
Level 1

We want to turn off Telnet access to anywhere throughout the network, and we would like to achieve this via the switches, which is where all the devices connect.

Is there a command that can be used on the switches to not allow telnet through them at all, so that no device can telnet to anywhere?

Thanks

10 Replies

Collin Clark
VIP Alumni

An ACL on the L3 VLAN interface would stop it.

HTH and please rate

Thanks.

We have so many VLANs. So how will I write this ACL?

access-list deny any any eq 23

Can I write this as a global command?

Will this stop any device such as my workstation being able to do a telnet to a UNIX server for example?

Thanks

Your ACL is good. You will have to apply the ACL to each VLAN interface, and it will block everyone from telnetting to anything outside of the local network. Anything on the local network, they can still telnet to.

If you want to block telnet to your switch, do the following:

#line vty 0 4

#transport input none

It will block any telnet, and the only way to see the config of the switch would be via the console port.

Also check if your switch has this line:

#line vty 5 15

If it does have it, do the same:

#transport input none

Thanks

This is for telnet to the switch. What I really want to know is telnet through the switch.

Can a command be written in the OS that will stop telnet through the switch?

Thanks

VACLs will do exactly what you are trying to accomplish. The ACL is applied globally to traffic on the VLANs, and all traffic that matches the VACL is processed according to the VACL policies. In your case, you can deny telnet and allow all other traffic in VACLs.

Check out the link below for more info:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a7e.html#wp1054144

HTH

Sundar

adnan.zafar
Level 1

The base command for the permit list is: set ip permit ip_address [mask] [all | snmp | telnet | ssh]. Determine what device or devices are permitted to access this device and permit them to do so. All others will be implicitly denied. There are three separate tables being configured with this command. The Telnet table is kept separate from the SNMP table. This allows you to configure a permit list that only permits authorized management stations to use SNMP and a different permit list for Telnet allowing different devices.

In order to turn this process on, use the command set ip permit enable [ssh | snmp | telnet]. You must specify which table is being activated. Just because the SNMP table is activated does not mean the Telnet table is turned on.

Yes, I know. Thanks. But this is still telnet TO the switch. I don't want any of the workstations to be able to telnet to any other workstation connected to the switch.

Thanks

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit tcp any any eq telnet
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list "YOUR VLAN ID"

Change the destination IP to any ---> ANY.

ahmedchohan
Level 1

I guess this is what you're talking about. This is a global command, applied generally to a VLAN, otherwise known as a VLAN access-list.

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit tcp any host that.switch.ip.address eq telnet
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list "YOUR VLAN ID"

Hope it helps.
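The two VACL posts above hinge on three behaviours that are easy to get wrong: an ACL inside an access map "matches" only on a permit ACE, the map is walked in sequence order, and a map with no matching entry drops the packet (so the `20 action forward` entry is essential). The following added example, not from the thread or from Cisco, is a small simulator that parses a constructed IOS-style VACL fragment mirroring the corrected configuration and evaluates bridged frames against it; only `any any` ACEs and the `eq` port form are modelled.

```python
# Constructed IOS-style VACL fragment mirroring the thread's corrected config (not a real device export)
CONFIG = """
ip access-list extended local-17
 permit tcp any any eq telnet
vlan access-map block-17 10
 match ip address local-17
 action drop
vlan access-map block-17 20
 action forward
vlan filter block-17 vlan-list 17
"""


def parse(config):
    """Collect ACLs, access maps and VLAN filters; only 'any any' ACEs are modelled."""
    acls, maps, filters, ctx = {}, {}, {}, None
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[:3] == ["ip", "access-list", "extended"]:
            ctx, acls[t[3]] = ("acl", t[3]), []
        elif t[:2] == ["vlan", "access-map"]:
            ctx = ("map", t[2], int(t[3]))
            maps.setdefault(t[2], {})[ctx[2]] = {"match": None, "action": "forward"}
        elif t[:2] == ["vlan", "filter"]:
            filters.update((int(v), t[2]) for v in t[4].split(","))
        elif ctx and ctx[0] == "acl" and t[0] in ("permit", "deny"):
            # 'eq telnet' / 'eq 23': resolve the names IOS accepts after eq
            port = int({"telnet": 23, "ssh": 22}.get(t[5], t[5])) if len(t) > 5 and t[4] == "eq" else None
            acls[ctx[1]].append((t[0], t[1], port))
        elif ctx and ctx[0] == "map" and t[0] in ("match", "action"):
            maps[ctx[1]][ctx[2]][t[0]] = t[-1]
    return acls, maps, filters


def acl_matches(aces, proto, dport):
    """Inside a VACL an ACL 'matches' only on a permit ACE; deny or no ACE means no match."""
    for action, p, port in aces:
        if p in ("ip", proto) and (port is None or port == dport):
            return action == "permit"
    return False


def vacl_verdict(config, vlan, proto, dport):
    """Apply the access map filtered onto `vlan` to a bridged frame, lowest sequence first."""
    acls, maps, filters = parse(config)
    name = filters.get(vlan)
    if name is None:
        return "forward"  # no VACL on this VLAN: intra-VLAN telnet passes untouched
    for seq in sorted(maps[name]):
        entry = maps[name][seq]
        if entry["match"] is None or acl_matches(acls[entry["match"]], proto, dport):
            return entry["action"]
    return "drop"  # nothing matched: an access map implicitly drops
```

Unlike the SVI ACL discussed earlier in the thread, this verdict applies to frames bridged within the VLAN as well as routed ones, which is why the VACL answers the original question.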
