
New Member

ACL doubt

Hi. I have a little doubt about ACLs:

If I apply an ACL (denying all in/out telnet connections) to the interface VLAN 5 with IP address 192.168.1.254, is it still possible to telnet to IP 192.168.1.254? To the other IP addresses on this network I know it's not possible.

Thanks.

Accepted Solution

Re: ACL doubt

You can control the protocols used for management under the VTYs. To only allow SSH, you would do the following.

line vty 0 15
 transport input ssh

Let's say for some reason you want both telnet and SSH; you would do the following.

line vty 0 15
 transport input telnet ssh

Here's a link on configuring SSH (router or switch will work).

http://www.packetpros.com/wiki/index.php/Cisco
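As an added example (not code from this thread or from Cisco), a small Python audit script that checks a saved IOS-style configuration for the two controls recommended in this thread: an inbound access-class on every line vty block and transport input restricted to ssh. The sample config is constructed, and the script assumes numbered standard ACL syntax as used in the replies above.

```python
"""Audit VTY hardening in a saved Cisco IOS-style config (added example)."""
import re

# Constructed sample: the first VTY range follows the advice above, the second does not.
SAMPLE_CONFIG = """\
hostname CORE-6500
access-list 15 remark ALLOW MGMT
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20
line vty 0 4
 access-class 15 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_config(text):
    """Return ({acl: [(action, rest), ...]}, [(vty_line, [sub-commands]), ...])."""
    acls, vtys, current = {}, [], None
    for raw in text.splitlines():
        if not raw.startswith(" "):          # a top-level command ends any open line block
            current = None
            m = re.match(r"access-list (\S+) (permit|deny|remark)\s*(.*)", raw)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            elif raw.startswith("line vty"):
                current = (raw.strip(), [])
                vtys.append(current)
        elif current is not None:            # indented sub-command of the open vty block
            current[1].append(raw.strip())
    return acls, vtys


def audit_vty(text):
    """Return [(vty_line, problem), ...]; an empty list means every VTY block is hardened."""
    acls, vtys = parse_config(text)
    findings = []
    for name, cmds in vtys:
        transport = next((c.split() for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append((name, "transport input not set; allowed protocols depend on IOS defaults"))
        elif transport[2:] != ["ssh"]:
            findings.append((name, "transport input allows " + " ".join(transport[2:]) + ", expected ssh only"))
        access = next((c.split() for c in cmds if c.startswith("access-class")), None)
        if access is None or len(access) < 3 or access[2] != "in":
            findings.append((name, "no inbound access-class; any source address may connect"))
        elif not any(action == "permit" for action, _ in acls.get(access[1], [])):
            findings.append((name, "access-class " + access[1] + " is missing or has no permit entries"))
    return findings


if __name__ == "__main__":
    for vty_line, problem in audit_vty(SAMPLE_CONFIG):
        print(vty_line + ": " + problem)
```

Run it against the output of show running-config saved to a file; every line vty block must come back clean, since a single range left with telnet or without an access-class is still reachable by anyone.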

10 REPLIES

Re: ACL doubt

No, assuming that your ACL is blocking the entire /24 subnet.

Hope that helps.

Re: ACL doubt

Well, telnet won't be possible to that IP, but the device could be reachable via other IPs, if I understand your question correctly.

Regards

Farrukh

New Member

Re: ACL doubt

Yes, that's the point.

Our network has more than 200 VLANs on a Catalyst 6500. I think it is not a good policy to apply an ACL denying telnet and other protocols to each VLAN interface (IP address), because of CPU performance. Is that correct? I want a mix of security and performance.

Should I change the management access type to SSH and not telnet?

Where, on the 6500, can I define which addresses/networks can manage it, and also define through which protocols?

Security tips are welcome. :)

Thanks for the help.

Re: ACL doubt

Instead of securing each interface, secure the management plane. Here's an example of using an ACL. Let's say you only want two IPs to be able to telnet to the 6500, 192.168.1.15 and .20. First we create the ACL.

access-list 15 remark ALLOW TELNET
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20

Next we apply it to the VTYs.

line vty 0 15
 access-class 15 in

That's it! Now only those two IPs are allowed to telnet into the 6500. Here is a good book on securing routers and switches.

http://www.amazon.com/Hardening-Cisco-Routers-OReilly-Networking/dp/0596001665/ref=sr_1_6?ie=UTF8&s=books&qid=1219850517&sr=8-6

Hope that helps.

Re: ACL doubt

Yes, I would agree: instead of filtering telnet on each VLAN, just secure the control plane via a VTY access-list.

No, don't go for telnet, it's totally clear-text and lame :) SSH is the way to go.

Regards

Farrukh

New Member

Re: ACL doubt

Thanks a lot, guys!

New Member

Re: ACL doubt

Hi again.

Collin, you said:

"First we create the ACL.

access-list 15 remark ALLOW TELNET
access-list 15 permit 192.168.1.15
access-list 15 permit 192.168.1.20

Next we apply it to the VTYs.

line vty 0 15
 access-class 15 in

That's it! Now only those two IPs are allowed to telnet into the 6500."

If I implement SSH, can a scheme like this one be used, or does SSH with its encryption just not need this type of control? Is there a link explaining SSH config on the 6500?

Thanks.

Re: ACL doubt

Here is a link:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_SSH_(Secure_Shell)_on_Catalyst_switches

Just make sure your switch supports crypto.

No, the ACL and SSH are both required for a secure configuration.

Regards

Farrukh

New Member

Re: ACL doubt

Thanks for the help.

Now I know what has to be done.