05-14-2009 01:23 AM - edited 03-04-2019 04:45 AM
Hi all,
I need to restrict telnet access to switches, meaning I should be able to telnet to the LAN switches only from the core switch management VLAN.
I have applied an ACL, but after applying the ACL I am able to ping the access switch but unable to telnet. The config is pasted below; can someone help please?
On Core switch
int vlan 171
description Mgmt vlan
ip address 172.17.1.2 255.255.255.0
--------------
On the access switch I have applied this config
access-list 110 permit ip 172.17.1.0 0.0.0.255 any
access-list 110 deny ip any any log
And on the VLAN interface I have applied this
int vlan 171
ip access-group 110 in
After this I am able to ping the access switch from the core but unable to telnet.
Errors pasted below:
Core-DC-1#ping 172.17.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Core-DC-1#tel
Core-DC-1#telnet 172.17.1.10
Trying 172.17.1.10 ...
% Destination unreachable; gateway or host down
Please help me on the same
srinivas sagar
05-14-2009 05:41 AM
Hi,
An ACL on an interface impacts all the traffic received or sent over this interface.
If you want to restrict telnet connections, you need to apply your ACL on the VTY lines, which terminate Telnet sessions received from any interface. This saves you from deploying this ACL on all your physical interfaces.
So the configuration should be like this (after ACL 110 is removed):
access-list 10 permit 172.17.1.0 0.0.0.255
!
line vty 0 4
access-class 10 in
!
Only a standard ACL is supported, which makes sense as we filter only the source IP.
HTH
Laurent.
05-14-2009 05:49 AM
Hi,
Thanks for the update,
but the client requirement is to apply it on the management VLAN and also
allow other services such as SNMP and TACACS.
Please advise on the same.
srinivasa
05-14-2009 08:14 AM
You can use the same ACL used for Telnet restriction to filter SNMP source IP as well:
access-list 10 permit 172.17.1.0 0.0.0.255
!
snmp-server community
!
line vty 0 4
access-class 10 in
!
Only hosts belonging to your management VLAN can have Telnet and SNMP access to your device.
For TACACS, I agree you need an ACL on the interface:
ip access-list extended MGMT
permit udp 172.17.1.0 0.0.0.255 any eq tacacs
permit tcp 172.17.1.0 0.0.0.255 any eq tacacs
deny udp any any eq tacacs
deny tcp any any eq tacacs
permit ip any any
!
int vlan 171
ip access-group MGMT in
!
Using a named ACL allows you to update it very easily.
HTH
Laurent.
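As an added illustration (not code from the thread or from Cisco), the following Python model evaluates IOS-style ACLs the way the switch does: wildcard masks where a 1 bit means "don't care", first match wins, and an implicit deny at the end. It encodes the extended ACL MGMT and standard ACL 10 from the answer above and assumes port 49 for the `tacacs` keyword; the packets it is checked against are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TACACS_PORT = 49  # IOS "eq tacacs" resolves to TCP/UDP port 49


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bits that must match exactly
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches tcp and udp; otherwise exact
    src: tuple                  # (base, wildcard)
    dst: tuple                  # (base, wildcard)
    dport: Optional[int] = None # None means any destination port


ANY = ("0.0.0.0", "255.255.255.255")       # keyword "any"
MGMT_NET = ("172.17.1.0", "0.0.0.255")     # the management VLAN

# Extended ACL "MGMT" from the answer, applied inbound on int vlan 171.
MGMT_ACL = [
    Entry("permit", "udp", MGMT_NET, ANY, TACACS_PORT),
    Entry("permit", "tcp", MGMT_NET, ANY, TACACS_PORT),
    Entry("deny", "udp", ANY, ANY, TACACS_PORT),
    Entry("deny", "tcp", ANY, ANY, TACACS_PORT),
    Entry("permit", "ip", ANY, ANY),
]

# Standard ACL 10 used as access-class on the VTY lines: source only.
ACL_10 = [Entry("permit", "ip", MGMT_NET, ANY)]


def evaluate(acl, src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet (first match, implicit deny)."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action
    return "deny"  # the implicit "deny any any" at the end of every IOS ACL
```

The model shows why the MGMT ACL needs the trailing `permit ip any any`: without it, every non-TACACS packet would fall through to the implicit deny.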