Unable to Telnet (Destination unreachable; gateway or host down)

adhityakarthik
Level 1

Hi all,

I need to restrict telnet access to the switches, meaning I should be able to telnet to the LAN switches from the core switch management VLAN.

I have applied an ACL, but after applying the ACL I am able to ping the access switch but unable to telnet. The config is pasted below; can someone help please?

On the core switch:

int vlan 171
 description Mgmt vlan
 ip address 172.17.1.2 255.255.255.0

--------------

On the access switch I have applied this config:

access-list 110 permit ip 172.17.1.0 0.0.0.255 any
access-list 110 deny ip any any log

And on the VLAN interface I have applied this:

int vlan 171
 ip access-group 110 in

After this I am able to ping the access switch from the core but unable to telnet.

Errors pasted below:

Core-DC-1#ping 172.17.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.17.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Core-DC-1#tel

Core-DC-1#telnet 172.17.1.10

Trying 172.17.1.10 ...

% Destination unreachable; gateway or host down

Please help me on the same

srinivas sagar

3 Replies

Laurent Aubert
Cisco Employee

Hi,

An ACL on an interface impacts all the traffic received or sent over this interface.

If you want to restrict telnet connections, you need to apply your ACL on the VTY lines, which terminate Telnet sessions received from any interface. This saves you from deploying this ACL on all your physical interfaces.

So the configuration should be like this (after ACL 110 is removed):

access-list 10 permit 172.17.1.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
!

Only a standard ACL is supported, which makes sense as we filter only the source IP.

HTH

Laurent.

Hi,

Thanks for the update,

but the client requirement is to apply it on the management VLAN and also allow other services such as SNMP and TACACS.

Please advise on the same.

srinivasa

You can use the same ACL used for the Telnet restriction to filter the SNMP source IP as well:

access-list 10 permit 172.17.1.0 0.0.0.255
!
! <string> is your community name; choose ro or rw, then reference ACL 10
snmp-server community <string> ro|rw 10
!
line vty 0 4
 access-class 10 in
!

Only hosts belonging to your management VLAN can have Telnet and SNMP access to your device.

For TACACS, I agree you need an ACL on the interface:

ip access-list extended MGMT
 permit udp 172.17.1.0 0.0.0.255 any eq tacacs
 permit tcp 172.17.1.0 0.0.0.255 any eq tacacs
 deny udp any any eq tacacs
 deny tcp any any eq tacacs
 permit ip any any
!
int vlan 171
 ip access-group MGMT in
!

Using a named ACL allows you to update it very easily.

HTH

Laurent.
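To check how the two layers described in this thread behave together (the extended MGMT ACL on the SVI, and standard ACL 10 on the VTY lines), here is a small evaluator for IOS-style wildcard-mask ACLs with first-match and implicit-deny semantics. It is an added example, not code from the thread or from Cisco; the sample flows and the 10.9.9.9 host are constructed.

```python
# Added example (not from the thread): evaluate Cisco-style wildcard-mask ACLs
# against constructed sample flows, using the MGMT ACL and ACL 10 from this thread.
import ipaddress

MGMT_NET = ("172.17.1.0", "0.0.0.255")  # management VLAN 171 from the thread
TACACS = 49                              # IOS "eq tacacs" keyword = port 49

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# Entry layout: (action, proto, src, src_wc, dst, dst_wc, dport)
# proto "ip" matches any protocol; None for src/dst/dport means "any".
MGMT_ACL = [
    ("permit", "udp", *MGMT_NET, None, None, TACACS),
    ("permit", "tcp", *MGMT_NET, None, None, TACACS),
    ("deny",   "udp", None, None, None, None, TACACS),
    ("deny",   "tcp", None, None, None, None, TACACS),
    ("permit", "ip",  None, None, None, None, None),
]
# Standard ACL 10, applied with "access-class 10 in": filters source only.
ACL_10 = [("permit", "ip", *MGMT_NET, None, None, None)]

def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny': first matching entry wins."""
    for action, p, s, s_wc, d, d_wc, port in acl:
        if p != "ip" and p != proto:
            continue
        if s is not None and not wildcard_match(src, s, s_wc):
            continue
        if d is not None and not wildcard_match(dst, d, d_wc):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    # Constructed flows arriving at the access switch (172.17.1.10).
    print(evaluate(MGMT_ACL, "tcp", "172.17.1.2", "172.17.1.10", TACACS))  # permit
    print(evaluate(MGMT_ACL, "tcp", "10.9.9.9", "172.17.1.10", TACACS))    # deny
    print(evaluate(MGMT_ACL, "tcp", "10.9.9.9", "172.17.1.10", 23))        # permit
    print(evaluate(ACL_10, "tcp", "10.9.9.9", "172.17.1.10", 23))          # deny
```

The third and fourth flows show why both layers are needed: the interface ACL lets Telnet from a non-management host through (permit ip any any), and it is the access-class on the VTY lines that rejects it.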
