Why is telnet still working when accessing this switch?

Hi,

I only want SSH to be allowed when accessing this switch, but telnet is still allowed, why?  We authenticate via RADIUS.

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3750
!
boot-start-marker
boot-end-marker
!
logging buffered 64000
logging console informational
logging monitor informational
enable secret 5 $1$1K$
!
username admin privilege 15 secret 5 $1$Bs$cLH
username users view priv3 secret 5 $1$Jfnviwp
!
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization console
aaa authorization exec default group radius local
!
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
udld aggressive

no ip domain-lookup
ip domain-name CB
!
!
login on-failure log
login on-success log
!
!
crypto pki trustpoint TP-self-signed-3817403392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3817403392
revocation-check none
rsakeypair TP-self-signed-3817403392
!
!
crypto pki certificate chain TP-self-signed-3817403392
certificate self-signed 01
  quit
!
!
!
archive
log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 8192
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface Vlan1
description ***Default VLAN not to be used***
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface Vlan10
ip address 10.10.150.11 255.255.255.0
no ip route-cache
no ip mroute-cache
!
ip default-gateway 10.10.150.1
ip classless
no ip http server
ip http secure-server
!
logging trap notifications
logging facility local4
logging source-interface Vlan10
logging 172.23.1.3
access-list 23 permit 10.10.1.65
access-list 23 permit 10.10.1.64
access-list 23 permit 10.10.1.35
access-list 23 permit 10.10.1.63
access-list 23 permit 10.10.1.62
access-list 23 permit 10.10.1.61
access-list 23 permit 10.10.1.60
access-list 23 permit 172.23.1.3
access-list 23 permit 172.23.1.4
snmp-server community transm1t! RO
snmp-server trap-source Vlan10
snmp-server location Angel
snmp-server contact MCR
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.10.21.8 public
radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 ******
radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 ******
radius-server vsa send accounting
radius-server vsa send authentication
!
banner motd ^C    
         ################################################
         # Unauthorised access or use of this equipment #
         #   is prohibited and constitutes an offence   #
         #     under the Computer Misuse Act 1990.      #
         #    If you are not authorised to use this     #
         #     system, terminate this session now.      #
         ################################################
^C
!
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
line vty 15
parser view priv3
secret 5 $1$XSC
!
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show arp
commands exec include show privilege
commands exec include show interfaces status
commands exec include show interfaces Vlan10 status
commands exec include show interfaces Vlan1 status
commands exec include show interfaces GigabitEthernet2/0/12 status
commands exec include show interfaces GigabitEthernet2/0/11 status
commands exec include show interfaces GigabitEthernet2/0/10 status
commands exec include show interfaces GigabitEthernet2/0/9 status
commands exec include show interfaces GigabitEthernet2/0/8 status
commands exec include show interfaces GigabitEthernet2/0/7 status
commands exec include show interfaces GigabitEthernet2/0/6 status
commands exec include show interfaces GigabitEthernet2/0/5 status
commands exec include show interfaces GigabitEthernet2/0/4 status
commands exec include show interfaces GigabitEthernet2/0/3 status
commands exec include show interfaces GigabitEthernet2/0/2 status
commands exec include show interfaces GigabitEthernet2/0/1 status
commands exec include show interfaces GigabitEthernet1/0/12 status
commands exec include show interfaces GigabitEthernet1/0/11 status
commands exec include show interfaces GigabitEthernet1/0/10 status
commands exec include show interfaces GigabitEthernet1/0/9 status
commands exec include show interfaces GigabitEthernet1/0/8 status
commands exec include show interfaces GigabitEthernet1/0/7 status
commands exec include show interfaces GigabitEthernet1/0/6 status
commands exec include show interfaces GigabitEthernet1/0/5 status
commands exec include show interfaces GigabitEthernet1/0/4 status
commands exec include show interfaces GigabitEthernet1/0/3 status
commands exec include show interfaces GigabitEthernet1/0/2 status
commands exec include show interfaces GigabitEthernet1/0/1 status
commands exec include show interfaces Null0 status
commands exec include show interfaces
commands exec include show configuration
commands exec include show
commands configure include interface GigabitEthernet1/0/1
commands configure include interface GigabitEthernet1/0/2
commands configure include interface GigabitEthernet1/0/3
commands configure include interface GigabitEthernet1/0/4
commands configure include interface GigabitEthernet1/0/5
commands configure include interface GigabitEthernet1/0/6
commands configure include interface GigabitEthernet1/0/7
commands configure include interface GigabitEthernet1/0/8
commands configure include interface GigabitEthernet1/0/9
commands configure include interface GigabitEthernet1/0/10
commands configure include interface GigabitEthernet1/0/11
commands configure include interface GigabitEthernet1/0/12
commands configure include interface GigabitEthernet2/0/1
commands configure include interface GigabitEthernet2/0/2
commands configure include interface GigabitEthernet2/0/3
commands configure include interface GigabitEthernet2/0/4
commands configure include interface GigabitEthernet2/0/5
commands configure include interface GigabitEthernet2/0/6
commands configure include interface GigabitEthernet2/0/7
commands configure include interface GigabitEthernet2/0/8
commands configure include interface GigabitEthernet2/0/9
commands configure include interface GigabitEthernet2/0/10
commands configure include interface GigabitEthernet2/0/11
commands configure include interface GigabitEthernet2/0/12
Thanks

3 REPLIES

Re: Why is telnet still working when accessing this switch?

I believe all your vty lines should be set to

transport input ssh

Right now you have some of your vty lines (vty 5-15) still open to telnet.

Get some other opinions, I have not tested this.

http://www.networkengineerblog.com/2011/04/cisco-best-practice-turn-off-http.html gives an example.


Why is telnet still working when accessing this switch?

Think this worked. Why does the telnet session choose to go to the other vty lines? Can I remove/disable them so I only have 0-4?

Re: Why is telnet still working when accessing this switch?

Hi,

Put the "no exec" command under the vty lines you don't want to use.

Sent from Cisco Technical Support iPhone App
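A check for the point both replies make, that any vty range without "transport input ssh" still accepts telnet and that unused ranges can be closed with "no exec", as an added Python example that is not from the thread. The config samples are constructed from the posted vty stanzas (forum pastes lose IOS indentation, so the parser also recognises a list of line-mode sub-commands, which is an assumption of this example).

```python
import re

# Constructed from the thread's config (indentation stripped, as the forum shows it):
# only 'line vty 0 4' is restricted to SSH; 'vty 5 14' and 'vty 15' are left at defaults.
POSTED_VTY = """\
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
line vty 15
parser view priv3
secret 5 $1$XSC
"""

# Constructed: the same stanzas after applying the two suggestions from the replies.
FIXED_VTY = (POSTED_VTY.replace("line vty 5 14\n", "line vty 5 14\ntransport input ssh\n")
             .replace("line vty 15\n", "line vty 15\nno exec\n"))

# Assumed list of line-configuration-mode sub-commands, so that an unindented paste
# still parses; a real 'show running-config' indents them by one space.
LINE_SUBCMD = re.compile(r"^\s*(transport |access-class |exec-timeout |logging synchronous"
                         r"|no exec\b|exec |password |login\b|privilege |session-timeout )")

def parse_lines(config):
    """Return {stanza header: [sub-commands]} for every 'line ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if re.match(r"^line\s+\S", raw):
            current = raw.strip()
            stanzas[current] = []
        elif current is not None and (raw.startswith(" ") or LINE_SUBCMD.match(raw)):
            stanzas[current].append(raw.strip())
        else:
            current = None          # any other top-level command ends the stanza
    return stanzas

def telnet_allowed(cmds):
    """True when the vty accepts telnet: either 'transport input' lists telnet/all,
    or the command is absent and the platform default applies (which, as the thread
    shows on this switch, lets telnet in)."""
    for c in cmds:
        m = re.match(r"transport input\s+(.+)", c)
        if m:
            protos = m.group(1).split()
            return "all" in protos or "telnet" in protos
    return True

def vty_findings(config):
    """List (stanza, problem) for vty ranges that accept telnet or lack an inbound ACL."""
    findings = []
    for header, cmds in parse_lines(config).items():
        if not header.startswith("line vty") or "no exec" in cmds:
            continue                # non-vty line, or a vty disabled with 'no exec'
        if telnet_allowed(cmds):
            findings.append((header, "accepts telnet; add 'transport input ssh' or 'no exec'"))
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append((header, "no inbound access-class"))
    return findings

if __name__ == "__main__":
    for cfg in (POSTED_VTY, FIXED_VTY):
        print(vty_findings(cfg) or "all vty lines are SSH-only or disabled")
```

Note that the fixed sample still reports "line vty 5 14" for a missing access-class 23: the first reply's change closes telnet but does not copy the source-address restriction from vty 0 4.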
