ACL doubt

Answered Question
Aug 25th, 2008

Hi. I have a little doubt about ACLs:

If I apply an ACL (denying all in/out telnet connections) to the interface VLAN 5 with IP address 192.168.1.254 is it still possible to telnet to IP 192.168.1.254? To the other IP addresses on this network I know it's not possible.

Thanks.

Collin Clark Mon, 08/25/2008 - 09:16

No, assuming that your ACL is blocking the entire /24 subnet.

Hope that helps.

Farrukh Haroon Mon, 08/25/2008 - 10:54

Well, telnet won't be possible to that IP, but the device could be reachable via other IPs, if I understand your question correctly.

Regards

Farrukh

joseramada Wed, 08/27/2008 - 07:10

Yes, that's the point.

Our network has more than 200 VLANs on a Catalyst 6500. I think it is not a good policy to apply an ACL denying telnet and other protocols to each VLAN interface (IP address), because of CPU performance. Is that correct? I want a mix of security and performance.

Should I change management access type to ssh and not telnet?

Where, on the 6500, can I define what addresses/networks can manage it and also define through which protocols?

Security tips are welcome. :)

Thanks for the help.

Collin Clark Wed, 08/27/2008 - 07:22

Instead of securing each interface, secure the management plane. Here's an example of using an ACL. Let's say you only want two IPs to be able to telnet to the 6500, 192.168.1.15 and .20. First we create the ACL.

access-list 15 remark ALLOW TELNET
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20

Next we apply it to the VTYs.

line vty 0 15
 access-class 15 in

That's it! Now only those two IPs are allowed to telnet into the 6500. Here is a good book on securing routers and switches.

http://www.amazon.com/Hardening-Cisco-Routers-OReilly-Networking/dp/0596001665/ref=sr_1_6?ie=UTF8&s=books&qid=1219850517&sr=8-6

Hope that helps.

Farrukh Haroon Wed, 08/27/2008 - 08:13

Yes, I would agree: instead of filtering telnet on each VLAN, just secure the control plane via a VTY access-list.

No, don't go for telnet; it's totally clear-text and lame :) SSH is the way to go.

Regards

Farrukh

joseramada Wed, 08/27/2008 - 08:42

Hi again.

Collin, you said

"First we create the ACL.

access-list 15 remark ALLOW TELNET
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20

Next we apply it to the VTY's.

line vty 0 15
 access-class 15 in

That's it! Now only those two IP's are allowed to telnet into the 6500's."

If I implement SSH, can a scheme like this one still be used, or does SSH with its encryption simply not need this type of control? Is there a link explaining SSH config on the 6500?

tx.

Correct Answer
Collin Clark Wed, 08/27/2008 - 08:56

You can control the protocols used for management under the VTYs. To only allow SSH, you would do the following.

line vty 0 15
 transport input ssh

Let's say for some reason you want both telnet and SSH; you would do the following.

line vty 0 15
 transport input telnet ssh

Here's a link on configuring SSH (router or switch will work).

http://www.packetpros.com/wiki/index.php/Cisco
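As an added example (not from this thread or from Cisco), here is a small Python audit that checks a running-config fragment for the two controls Collin describes above: an access-class on the VTY lines that points at a defined ACL (his 08/27 07:22 post), and a transport input restricted to ssh (this post). The two config fragments inside it are constructed for the example, not taken from a real device.

```python
# Added audit of the VTY controls from this thread: access-class bound to a defined ACL, ssh-only transport.
import re
# Constructed running-config fragments (not from a real device); IOS indents sub-mode lines by one space.
WEAK_CONFIG = """\
line vty 0 15
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
access-list 15 remark ALLOW MANAGEMENT
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20
line vty 0 15
 access-class 15 in
 transport input ssh
"""

def audit_vty(config):
    """Return one dict per 'line vty' block with its settings and findings."""
    # ACL number -> sources it permits ('remark' lines do not match).
    acls = {}
    for m in re.finditer(r"^access-list (\d+) permit (\S+)", config, re.M):
        acls.setdefault(int(m.group(1)), []).append(m.group(2))
    results, cur = [], None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("line vty"):
            cur = {"name": line.strip(), "transports": [], "access_class": None,
                   "allowed_hosts": [], "findings": []}
            results.append(cur)
        elif cur and words and (line[0].isspace() or words[0] in ("transport", "access-class")):
            if words[:2] == ["transport", "input"]:
                cur["transports"] = words[2:]
            elif words[0] == "access-class" and words[-1] == "in":
                cur["access_class"] = int(words[1])
        else:
            cur = None  # a top-level line ends the vty sub-mode
    for v in results:
        acl = v["access_class"]
        if acl is None:
            v["findings"].append("no access-class: any source can reach the VTYs")
        elif acl not in acls:
            v["findings"].append(f"access-class {acl} references an undefined ACL")
        else:
            v["allowed_hosts"] = acls[acl]
        if v["transports"] != ["ssh"]:
            v["findings"].append("transport input is not restricted to ssh")
    return results
```

Running audit_vty over the output of show running-config flags a VTY block with no access-class or with telnet still enabled, which is exactly the state the thread recommends moving away from.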
