Shutting down Management Access on a Subinterface

mayer
Level 1

Can you disallow any and all access to a router, i.e. telnet, ssh, etc., on a subinterface without affecting anything else, like you can shut off access to CON0? This is to prevent access to the router from a VLAN subinterface on a wireless network.

11 Replies

thisisshanky
Level 11

To shut down telnet access:

access-list 1 deny any

line vty 0 4

access-class 1 in

SSH is not enabled by default unless you configure it, so I think you don't need to restrict that access.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hi, thanks for the reply, but I don't want to shut down telnet access to the entire device, only a sub-interface, i.e. FastEthernet 0/0.5, so that devices in the attached VLAN cannot access the device, as that is their default gateway and the only place they can currently access the router from.


Hi,

What about

access-list 199 deny ip any host A.B.C.D

int fa 0/0.5

ip address A.B.C.D ......

ip access-group 199 in

To be absolutely sure you should add an additional line

access-list 199 deny ip any host W.X.Y.Z

for all other router subinterfaces

(otherwise the users would be able to telnet to another subinterface if they were smart.)

Regards,

Milan

WOW guys, I have to disagree. Those access lists you gave him will restrict ALL traffic... he only wants to block Telnet. Try this instead:

access-list 101 deny tcp any any eq 23

access-list 101 permit ip any any

interface FA 0/0.5

ip access-group 101 in

Hi,

I think it's better to block ALL the traffic from user PCs to the switch.

If he really wants to block Telnet only, no problem to modify the access list.

BUT your access list would block Telnet to ANYWHERE not only to the switch.

Regards,

Milan

True..... which could be modified to

access-list 101 deny tcp host x.x.x.x any eq 23

where x.x.x.x is the ip of the interface, and you'd have to have one entry for each INT.

Hi guys, this one looks good. The reason for this is that the one subinterface in question is on a wireless subnet and I want to disallow any communication to these devices other than traffic. Would something like transport input none work, like you would use on a line command? I wish there was a command like no management int or something.

Thanks for the input, it has helped greatly.

It should be

access-list 101 deny tcp ANY host x.x.x.x eq 23

where x.x.x.x is the ip of the interface, and you'd have to have one entry for each INT.

There should also be

access-list 101 permit ip any any

at the end.

But I still think it's better to filter out ALL the user traffic going to the router (i.e. not to put "eq 23" to the access list lines). This would prevent possible DoS attacks.

Regards,

Milan

Yes, I agree all should be blocked. But will this only block traffic to the router, not through it, correct? Then I can add the rest of my access list to the inbound interface to manage throughput traffic such as . Would this work?

permit icmp 10.16.152.16 0.0.0.15 host 10.16.118.5

permit tcp 10.16.152.16 0.0.0.15 host 10.16.118.5 eq telnet

permit ip host 10.64.152.10 10.16.30.0 0.0.1.255

permit ip host 10.64.152.10 host 10.16.101.17

deny ip any host 10.32.32.1

deny ip any any

thanks again

Yes, it should work this way.

Regards,

Milan
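The thread turns on three points that are easy to get wrong in an IOS extended ACL: "deny tcp any any eq 23" blocks telnet to every destination, not just the router; "deny tcp any host x.x.x.x eq 23" scopes it to the router's own address; and a list made only of deny lines drops everything because of the implicit deny at the end. The following small evaluator is an added example written for this page, not code from the thread or from Cisco. It parses ACL lines in the two styles that appear above (numbered "access-list 101 ..." and named "permit ..."), applies wildcard-mask matching and first-match semantics, and lets you check each variant against sample packets. The addresses 10.0.5.1 and 10.0.6.1 are assumed stand-ins for the thread's x.x.x.x / A.B.C.D and W.X.Y.Z.

```python
"""Evaluator for Cisco IOS-style extended ACLs (constructed example, not IOS code)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names that IOS accepts in place of numbers.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}

AddrSpec = Optional[Tuple[int, int]]  # (base, wildcard) as 32-bit ints; None means 'any'


@dataclass
class Ace:
    """One access-control entry."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # destination port from 'eq', None if absent


def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(t[i]))
    wild = int(ipaddress.IPv4Address(t[i + 1]))
    return (base, wild), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered ('access-list 101 deny ...') or named ('deny ...') ACL lines."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list":
            t = t[2:]                           # drop 'access-list <number>'
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _addr_matches(spec: AddrSpec, addr: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    if spec is None:
        return True
    base, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching ACE wins; the list ends with IOS's implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_matches(ace.src, src) or not _addr_matches(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


ROUTER_SUBIF = "10.0.5.1"   # assumed address of fa0/0.5 (x.x.x.x / A.B.C.D in the thread)
OTHER_SUBIF = "10.0.6.1"    # assumed address of a second subinterface (W.X.Y.Z)

# Variant from the thread that matches telnet to ANY destination.
ACL_TELNET_ANYWHERE = parse_acl("""
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
""")

# Corrected form: only telnet to the router's own addresses is denied.
ACL_TELNET_TO_ROUTER = parse_acl(f"""
access-list 101 deny tcp any host {ROUTER_SUBIF} eq 23
access-list 101 deny tcp any host {OTHER_SUBIF} eq 23
access-list 101 permit ip any any
""")

# ACL 199 as first posted: deny lines only, so the implicit deny drops everything else.
ACL_ALL_TO_ROUTER_NO_PERMIT = parse_acl(f"""
access-list 199 deny ip any host {ROUTER_SUBIF}
access-list 199 deny ip any host {OTHER_SUBIF}
""")

if __name__ == "__main__":
    for name, acl in [("telnet anywhere", ACL_TELNET_ANYWHERE),
                      ("telnet to router", ACL_TELNET_TO_ROUTER),
                      ("deny-only 199", ACL_ALL_TO_ROUTER_NO_PERMIT)]:
        print(name, "telnet->router:", evaluate(acl, "tcp", "10.0.5.20", ROUTER_SUBIF, 23),
              "telnet->internet:", evaluate(acl, "tcp", "10.0.5.20", "192.0.2.10", 23),
              "http->internet:", evaluate(acl, "tcp", "10.0.5.20", "192.0.2.10", 80))
```

Feeding the final list from the last question (the one with 0.0.0.15 and 0.0.1.255 wildcards) through parse_acl and evaluate confirms the earlier reply: a host inside 10.16.152.16/28 is permitted to telnet to 10.16.118.5 and nothing else, while a host just outside that block falls through to "deny ip any any".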