Cisco Support Community
New Member

Telnet Access

We want to turn off Telnet access to anywhere throughout the network. And we would like to achieve this via the switches, which is where all the devices connect.

Is there a command that can be used on the switches to not allow telnet through them at all, so that no device can telnet to anywhere?

Thanks

10 REPLIES

Re: Telnet Access

An ACL on the L3 VLAN interface would stop it.

HTH and please rate

New Member

Re: Telnet Access

Thanks.

We have so many VLANs. So how will I write this ACL?

access-list 100 deny tcp any any eq 23
access-list 100 permit ip any any

Can I write this as a global command?

Will this stop any device such as my workstation being able to do a telnet to a UNIX server for example?

Thanks

Re: Telnet Access

Your ACL is good. You will have to apply the ACL to each VLAN interface and it will block everyone from telnetting to anything outside of the local network. Anything on the local network, they can still telnet to.
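A worked version of the interface-ACL approach from the reply above, added here as an example and not taken from the thread. It assumes a Catalyst switch running IOS with routed SVIs named Vlan10 and Vlan20 (constructed names); the ACL name NO-TELNET is mine. A router ACL on an SVI only sees traffic that is routed through that SVI, so telnet between two hosts in the same VLAN is not filtered, exactly as the reply says.

```cisco
! Named extended ACL: deny TCP to port 23 and log the hits, permit everything
! else. Without the final permit, the implicit deny at the end of the list
! would drop all routed traffic for the VLAN.
ip access-list extended NO-TELNET
 deny   tcp any any eq telnet log
 permit ip any any
!
! Apply inbound on every SVI that has hosts behind it. "in" on the SVI
! catches traffic arriving from the VLAN toward other VLANs, toward the
! rest of the network, and toward the switch's own SVI address.
interface Vlan10
 ip access-group NO-TELNET in
!
interface Vlan20
 ip access-group NO-TELNET in
!
! Verification (exec mode): the deny counter increments when a host in
! VLAN 10 tries telnet to a host in another VLAN, and the interface shows
! the list as its inbound access list.
! show ip access-lists NO-TELNET
! show ip interface Vlan10 | include access list
```

The `log` keyword is there so you can confirm the ACL is matching while you roll it out; on Catalyst platforms, logged ACEs are processed by the CPU rather than in hardware, so remove `log` once you have verified the behaviour. Telnet within a VLAN, and telnet to a server listening on a port other than 23, is not stopped by this ACL.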

New Member

Re: Telnet Access

If you want to block telnet to your switch, do the following:

Switch(config)# line vty 0 4
Switch(config-line)# transport input none

It will block any telnet, and the only way to see the config of the switch would be via the console port.

Also check if your switch has this line:

Switch(config)# line vty 5 15

If it does have it, do the same:

Switch(config-line)# transport input none
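An added example of the vty hardening above, not code from the poster. Note that `transport input none` refuses SSH as well as telnet, so the usual approach is `transport input ssh` together with an access-class so that the switch stays manageable from the admin subnet only. The ACL name MGMT-HOSTS and the subnet 10.0.100.0/24 are constructed for the example; it assumes SSH has already been enabled on the switch (hostname, `ip domain-name`, an RSA key pair generated with `crypto key generate rsa`, and a local user or AAA).

```cisco
! Management ACL: only the admin subnet may open sessions to the switch.
! 10.0.100.0/24 is a constructed example subnet.
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
! Prefer SSHv2; assumes the RSA key pair already exists.
ip ssh version 2
!
! Cover every vty line the platform has. On a switch that only has
! "line vty 0 4", use that range instead of 0 15.
line vty 0 15
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 login local
!
! Verification (exec mode): the allowed input transport should read "ssh"
! only, and a telnet attempt from any host is refused at TCP level.
! show line vty 0 | include Allowed
! show running-config | section line vty
```

With `transport input ssh`, the switch no longer listens on TCP/23 for its vty lines, which is what the post above achieves with `none`, but SSH management remains available. The `access-class` is evaluated before login, so hosts outside MGMT-HOSTS never reach the password prompt.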

New Member

Re: Telnet Access

Thanks

This is for telnet to the switch. What I really want to know is telnet though the Switch.

Can a command be written in OS that will stop telnet through the switch?

Thanks

Re: Telnet Access

VACLs will do exactly what you are trying to accomplish. The ACL is applied to traffic globally to VLANs and all traffic that matches the VACL is processed according to the VACL policies. In your case, you can deny telnet and allow all other traffic in VACLs.

Check out the link below for more info:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a7e.html#wp1054144

HTH

Sundar

New Member

Re: Telnet Access

The base command for the permit list is: Set ip permit ip_address [mask] [all | snmp | telnet | ssh]. Determine what device or devices are permitted to access this device and permit them to do so. All others will be implicitly denied. There are three separate tables being configured with this command. The Telnet table is kept separate from the SNMP table. This allows you to configure a permit list that only permits authorized management stations to use SNMP and a different permit list for Telnet allowing different devices.

In order to turn this process on, use the command set ip permit enable [ssh | snmp | telnet]. You must specify which table is being activated. Just because the SNMP table is activated does not mean the Telnet table is turned on.

New Member

Re: Telnet Access

Yes, I know. Thanks. But this is still telnet TO the switch. I don't want any of the workstations to be able to telnet to any other workstation connected to the switch.

Thanks

New Member

Re: Telnet Access

Switch(config)# ip access-list extended local-17
Switch(config-ext-nacl)# permit tcp any ANY eq telnet
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list "YOUR VLAN ID"

change the destination ip to any ---> ANY

New Member

Re: Telnet Access

I guess this is what you're talking about. This is a global command, applied generally to a VLAN, otherwise known as a VLAN access list.

Switch(config)# ip access-list extended local-17
Switch(config-ext-nacl)# permit tcp any host that.switch.ip.address eq telnet
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list "YOUR VLAN ID"

Hope it helps.
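A complete, multi-VLAN version of the VACL shown in the two posts above, added here as an example and not taken from the thread. It assumes a Catalyst platform that supports VLAN access maps; the names TELNET-TRAFFIC and BLOCK-TELNET and the VLAN numbers 10-20 and 30 are constructed. The point that trips people up is that in the classification ACL `permit` means "match", not "allow": the access-map clause decides what happens to the matched traffic.

```cisco
! Classification ACL. "permit" here only selects the traffic that clause 10
! of the access map will act on; it does not permit anything by itself.
ip access-list extended TELNET-TRAFFIC
 permit tcp any any eq telnet
!
! Clause 10: drop anything matching TELNET-TRAFFIC.
! Clause 20 has no match statement, so it matches all remaining traffic and
! forwards it. Without clause 20 the access map would drop every packet in
! the VLAN, because an access map ends with an implicit drop.
vlan access-map BLOCK-TELNET 10
 match ip address TELNET-TRAFFIC
 action drop
vlan access-map BLOCK-TELNET 20
 action forward
!
! One filter statement covers all user VLANs at once. A VACL is applied to
! bridged and routed traffic alike, so telnet between two hosts in the same
! VLAN is dropped too, unlike an ACL on the SVI.
vlan filter BLOCK-TELNET vlan-list 10-20,30
!
! Verification (exec mode): the access map should list both clauses, and
! the filter should show the VLANs it is attached to.
! show vlan access-map BLOCK-TELNET
! show vlan filter
```

Two caveats a practitioner should keep in mind: the ACL only matches a destination port of 23, so a telnet daemon listening on another port is not affected, and traffic to the switch's own management address in those VLANs is dropped as well, so keep SSH available on the vty lines (`transport input ssh`) before applying the filter to the VLAN you manage the switch from.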
