Unable to Telnet (Destination unreachable; gateway or host down)

May 14th, 2009
hi all

I need to restrict telnet access to switches, meaning I should be able to telnet to the LAN switches from the core switch management VLAN.

I have applied an ACL, but after applying the ACL I am able to ping the access switch but I am unable to telnet. The config is pasted below; can someone help please?


On the core switch:

interface Vlan171
 description Mgmt vlan
 ip address 172.17.1.2 255.255.255.0


--------------


On the access switch I have applied this config:

access-list 110 permit ip 172.17.1.0 0.0.0.255 any
access-list 110 deny ip any any log

And on the VLAN interface I have applied this:

interface Vlan171
 ip access-group 110 in



After this I am able to ping the access switch from the core but unable to telnet.

Errors pasted below:

Core1#ping 172.17.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Core-DC-1#tel
Core-DC-1#telnet 172.17.1.10
Trying 172.17.1.10 ...
% Destination unreachable; gateway or host down


Please help me on the same


srinivas sagar

Laurent Aubert (Cisco Employee) Thu, 05/14/2009 - 05:41

Hi,


An ACL on an interface impacts all the traffic received or sent over this interface.

If you want to restrict Telnet connections, you need to apply your ACL on the VTY lines, which terminate Telnet sessions received from any interface. This avoids having to deploy the ACL on all your physical interfaces.

So the configuration should be like this (after ACL 110 is removed):

access-list 10 permit 172.17.1.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
!

Only a standard ACL is supported, which makes sense as we filter only the source IP.


HTH


Laurent.

adhityakarthik Thu, 05/14/2009 - 05:49

hi

Thanks for the update,

but the client requirement is to apply it on the management VLAN and also allow other services such as SNMP and TACACS.

Please advise on the same.


srinivasa

Laurent Aubert (Cisco Employee) Thu, 05/14/2009 - 08:14

You can use the same ACL used for the Telnet restriction to filter the SNMP source IP as well:

access-list 10 permit 172.17.1.0 0.0.0.255
!
snmp-server community <community-string> {ro|rw} 10
!
line vty 0 4
 access-class 10 in
!

Only hosts belonging to your management VLAN can have Telnet and SNMP access to your device.

For TACACS, I agree you need an ACL on the interface:

ip access-list extended MGMT
 permit udp 172.17.1.0 0.0.0.255 any eq tacacs
 permit tcp 172.17.1.0 0.0.0.255 any eq tacacs
 deny udp any any eq tacacs
 deny tcp any any eq tacacs
 permit ip any any
!
interface Vlan171
 ip access-group MGMT in
!

Using a named ACL allows you to update it very easily.



HTH


Laurent.
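The two replies above involve three ACLs: the interface ACL 110 from the question, the standard ACL 10 that access-class applies to the VTY lines (where only the source address is examined), and the extended ACL MGMT for TACACS. The Python below is an added example, not part of this thread and not Cisco code: it models IOS packet-filter semantics (wildcard masks where a 1 bit means "do not care", first matching entry wins, implicit deny at the end) and evaluates the three ACLs exactly as posted against sample packets. The addresses 172.17.1.2 and 172.17.1.10 come from the thread; 10.0.0.5 and 10.1.1.49 are constructed placeholders for a host outside the management VLAN and a TACACS+ server. It models only which packets each entry matches, not which interface or direction a given session crosses.

```python
# Added example, not from the thread: a model of how IOS evaluates the ACLs
# quoted above (wildcard masks, first match wins, implicit deny), not IOS code.
from ipaddress import IPv4Address
from typing import Dict, List, NamedTuple, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"tacacs": 49, "telnet": 23, "snmp": 161}   # subset of IOS port names
ANY = ("0.0.0.0", "255.255.255.255")                     # 'any': every bit is don't-care

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

class Entry(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Tuple[str, str]          # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]          # from "eq <port>"; None matches any port
    log: bool
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and wildcard_match(p.src, *self.src)
                and wildcard_match(p.dst, *self.dst) and self.dport in (None, p.dport))

def _addr(toks: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec at toks[i]: 'any', 'A W', or a bare address A."""
    if toks[i] == "any":
        return ANY, i + 1
    if i + 1 < len(toks) and toks[i + 1][0].isdigit():   # explicit wildcard follows
        return (toks[i], toks[i + 1]), i + 2
    return (toks[i], "0.0.0.0"), i + 1                    # bare host (standard ACL)

def parse_entry(line: str) -> Entry:
    """Parse one numbered ('access-list N ...') or named ('permit ...') entry."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action = toks[0]
    if toks[1] in PROTOCOLS:                  # extended: proto, source, destination
        proto, (src, i) = toks[1], _addr(toks, 2)
        dst, i = _addr(toks, i)
    else:                                     # standard: source only, any destination
        proto, (src, i), dst = "ip", _addr(toks, 1), ANY
    dport, log = None, False
    while i < len(toks):
        if toks[i] == "eq":
            dport, i = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1]), i + 2
        elif toks[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {toks[i]!r} in {line!r}")
    return Entry(action, proto, src, dst, dport, log)

class Acl:
    def __init__(self, lines: List[str]) -> None:
        self.entries = [parse_entry(line) for line in lines]

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First match wins; no match falls through to the implicit 'deny ip any any'."""
        for n, entry in enumerate(self.entries, 1):
            if entry.matches(p):
                return entry.action, n
        return "deny", None

# The three ACLs quoted in the thread, verbatim.
ACL_110 = Acl(["access-list 110 permit ip 172.17.1.0 0.0.0.255 any",
               "access-list 110 deny ip any any log"])
ACL_10 = Acl(["access-list 10 permit 172.17.1.0 0.0.0.255"])
ACL_MGMT = Acl(["permit udp 172.17.1.0 0.0.0.255 any eq tacacs",
                "permit tcp 172.17.1.0 0.0.0.255 any eq tacacs",
                "deny udp any any eq tacacs",
                "deny tcp any any eq tacacs",
                "permit ip any any"])

CORE, SWITCH = "172.17.1.2", "172.17.1.10"   # core SVI and access switch, from the thread
OUTSIDER = "10.0.0.5"                        # constructed: host outside the management VLAN
SERVER = "10.1.1.49"                         # constructed: a TACACS+ server; the ACL says 'any'

def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Representative packets against each ACL; values are (action, matching entry or None)."""
    return {
        "110 icmp from core":    ACL_110.evaluate(Packet(CORE, SWITCH, "icmp")),
        "110 telnet from core":  ACL_110.evaluate(Packet(CORE, SWITCH, "tcp", 23)),
        "110 telnet outsider":   ACL_110.evaluate(Packet(OUTSIDER, SWITCH, "tcp", 23)),
        "10 telnet from core":   ACL_10.evaluate(Packet(CORE, SWITCH, "tcp", 23)),
        "10 telnet outsider":    ACL_10.evaluate(Packet(OUTSIDER, SWITCH, "tcp", 23)),
        "MGMT tacacs from mgmt": ACL_MGMT.evaluate(Packet(CORE, SERVER, "tcp", 49)),
        "MGMT tacacs outsider":  ACL_MGMT.evaluate(Packet(OUTSIDER, SERVER, "tcp", 49)),
        "MGMT http outsider":    ACL_MGMT.evaluate(Packet(OUTSIDER, SERVER, "tcp", 80)),
    }
```

Printing demo() shows the three behaviours side by side: ACL 110 as posted matches the core's ping and its telnet on the same entry, the standard ACL 10 matches the core on its only entry and drops the outsider on the implicit deny (entry None), and MGMT denies the outsider's TACACS at entry 4 while still passing its other traffic at entry 5. The log flag on the second entry of ACL 110 is parsed too, which is why the denied telnet would show up in the switch log.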


