Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1182
Views
0
Helpful
6
Replies

Telnet or ssh management

agata.czekalska
Level 1
Level 1

‎11-06-2009 12:28 AM - edited ‎03-06-2019 08:29 AM

Hi Everybody!!!

I have noticed that I can log in using almost every configured IP address on the device (here Catalyst 6500).

I'm wondreing why? I'm not talking about source address, but the destination one.

I have many vlan interfaces configured on the device. Almost every interface has assigned an IP address.

And I can access remotely the switch using telnet or ssh protocol using every assigned IP address to Vlan interfaces.

I'm wondering if it is desirable.

Could someone explain it to me.

Maybe there is a way to reduce the number of possible addresses, which I can use to log in (destination address).

Best regards,

Agata Czekalska

Technical University of Lodz

Labels:
0 Helpful
6 Replies 6

Nagendra Kumar Nainar
Cisco Employee
Cisco Employee

‎11-06-2009 01:30 AM

Hi,

You can configure an extended ACL to mention which destination address is allowed and assign the same under vty line as below,

access-list 101 permit tcp eq telnet

line vty 0

access-class 101 in

HTH,

Nagendra

0 Helpful

andrey.dugin
Level 1
Level 1
In response to Nagendra Kumar Nainar

‎11-06-2009 01:35 AM

You can use routing on other device as firewall, router or fwsm. In this case you will not have a lot of VLAN-interfaces with assigned IP-address, only management one.

0 Helpful

mike_guy29
Level 1
Level 1
In response to andrey.dugin

‎11-06-2009 04:14 AM

Hi,

I would not apply an extended ACL to the VTY lines. You will probably end up locking yourself out if you are not careful! They do not work (certainly on switches I have used). By the time the data gets to the L7 VTY lines (where the ACL is referenced) the destination is stripped out so the ACL can only match by source. Always use a standard ACL on your VTY lines. With regards to restricting to certain interfaces I am not sure how you would do this. ACLs applied to interfaces (or VLAN interfaces) only apply to routed traffic and not traffic with a destination of the device itself (as far as I know)

Regards

Mike

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to mike_guy29

‎11-06-2009 08:43 AM

Agata

What you describe is normal behavior. And I believe that most of us would say that it is desirable.

If you think about it, telnet and SSH are remote access sessions to a device. When someone does telnet or SSH to your device I can understand wanting to control who can access your device (via authentication) and I can understand want to control where they come from (the source address controlled via access-class on the vty). But I do not understand being concerned about what address they use to get to the box.

Is there something in your environment that makes it different if they telnet to the address of VLAN 3 or to the address of VLAN 5?

HTH

Rick

HTH

Rick
0 Helpful

srue
Level 7
Level 7
In response to Richard Burts

‎11-09-2009 07:53 AM

you should be using a loopback anyway for management.

0 Helpful

hobbe
Level 7
Level 7

‎11-15-2009 06:03 AM

Hi

Hmm Technical University..

I am basing this on a couple of asumptions.

Assumption: this is one of the devices that services students/teachers/others

Assumption: students are intelligent and inquisitive.

Assumption: you are the only one/group that should have access to the device.

First your 6500 chassi is/are available on several different VLANS.

this I would stop at once IF there is no special reason for it to be configured that way.

My guess is that if it is not hacked, then it is not far from getting just that.

it does not mean that someone is doing anything malicious with it, but there might be misconfigurations and stuff that disrupts service.

I would actually if possible stop all telnet/ssh/http/https traffic to the device itself.

Atleast stop telnet and http since they send the login information in cleartext.

if the student have a sniffer they will have the loginnames and passwords quickly.

Get a firewall (asa5505?), and setup a pc behind it with a direct connected serial cable to the 6500 (and other switches maybe ?) to connect to the pc you would then open up the firewall only for appropriate communication means (ipsec vpn/ssl vpn/AAA TCP communication)

use personal usernames and passwords so that everyone have their own username and password to login to the equipment.

dont forget to set up NTP. that will help not only with time, it will also help with who was last on.

This method secures the device from malicious use or accidental missconfiguration from someone not authorised to use it in that way.

if this is not possible or desireable in your case, ACLs are used to control what ip address are allowed to access the unit.

HTH

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card