Telnet or ssh management

Unanswered Question
Nov 6th, 2009

Hi Everybody!!!

I have noticed that I can log in using almost every configured IP address on the device (here Catalyst 6500).

I'm wondreing why? I'm not talking about source address, but the destination one.

I have many vlan interfaces configured on the device. Almost every interface has assigned an IP address.

And I can access remotely the switch using telnet or ssh protocol using every assigned IP address to Vlan interfaces.

I'm wondering if it is desirable.

Could someone explain it to me.

Maybe there is a way to reduce the number of possible addresses, which I can use to log in (destination address).

Best regards,

Agata Czekalska

Technical University of Lodz

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Nagendra Kumar ... Fri, 11/06/2009 - 01:30


You can configure an extended ACL to mention which destination address is allowed and assign the same under vty line as below,

access-list 101 permit tcp eq telnet

line vty 0

access-class 101 in



andrey.dugin Fri, 11/06/2009 - 01:35

You can use routing on other device as firewall, router or fwsm. In this case you will not have a lot of VLAN-interfaces with assigned IP-address, only management one.

mike_guy29 Fri, 11/06/2009 - 04:14


I would not apply an extended ACL to the VTY lines. You will probably end up locking yourself out if you are not careful! They do not work (certainly on switches I have used). By the time the data gets to the L7 VTY lines (where the ACL is referenced) the destination is stripped out so the ACL can only match by source. Always use a standard ACL on your VTY lines. With regards to restricting to certain interfaces I am not sure how you would do this. ACLs applied to interfaces (or VLAN interfaces) only apply to routed traffic and not traffic with a destination of the device itself (as far as I know)



Richard Burts Fri, 11/06/2009 - 08:43


What you describe is normal behavior. And I believe that most of us would say that it is desirable.

If you think about it, telnet and SSH are remote access sessions to a device. When someone does telnet or SSH to your device I can understand wanting to control who can access your device (via authentication) and I can understand want to control where they come from (the source address controlled via access-class on the vty). But I do not understand being concerned about what address they use to get to the box.

Is there something in your environment that makes it different if they telnet to the address of VLAN 3 or to the address of VLAN 5?



srue Mon, 11/09/2009 - 07:53

you should be using a loopback anyway for management.

hobbe Sun, 11/15/2009 - 06:03


Hmm Technical University..

I am basing this on a couple of asumptions.

Assumption: this is one of the devices that services students/teachers/others

Assumption: students are intelligent and inquisitive.

Assumption: you are the only one/group that should have access to the device.

First your 6500 chassi is/are available on several different VLANS.

this I would stop at once IF there is no special reason for it to be configured that way.

My guess is that if it is not hacked, then it is not far from getting just that.

it does not mean that someone is doing anything malicious with it, but there might be misconfigurations and stuff that disrupts service.

I would actually if possible stop all telnet/ssh/http/https traffic to the device itself.

Atleast stop telnet and http since they send the login information in cleartext.

if the student have a sniffer they will have the loginnames and passwords quickly.

Get a firewall (asa5505?), and setup a pc behind it with a direct connected serial cable to the 6500 (and other switches maybe ?) to connect to the pc you would then open up the firewall only for appropriate communication means (ipsec vpn/ssl vpn/AAA TCP communication)

use personal usernames and passwords so that everyone have their own username and password to login to the equipment.

dont forget to set up NTP. that will help not only with time, it will also help with who was last on.

This method secures the device from malicious use or accidental missconfiguration from someone not authorised to use it in that way.

if this is not possible or desireable in your case, ACLs are used to control what ip address are allowed to access the unit.



This Discussion