
IEOC - Internetwork Expert's Online Community

Latest post 06-29-2009 1:41 PM by johnthom1865. 7 replies.
  • 06-29-2009 7:00 AM

    • Kami

    Telnet in - How to restrict?

    Hi folks,

    From a technical standpoint, what's the difference between restricting telnet into a device using an access-class (under its vty lines) and deploying an access-group (to its interfaces)?

    Thanks

    K.
  • 06-29-2009 7:13 AM In reply to

    Re: Telnet in - How to restrict?

    Kami,

    An ACL applied to a VTY line will only filter telnet traffic destined to that particular router. An ACL applied on an interface can filter telnet packets transiting that router. In other words, if you apply it to the VTY line, you don't have to worry about allowing protocol-specific traffic like you would if you applied it to the incoming interface.

    hope this makes sense.

    Dmitriy

    Dmitriy Litvinko, CCIE #25150 (R&S)
  • 06-29-2009 7:18 AM In reply to

    • Kami

    Re: Telnet in - How to restrict?

    Sorry mate for my brief question... I didn't explain some points. I meant an ACL with proper source and destination, like an ACL with the destination addresses of all my local IP addresses... obviously this one is not hit by any transiting telnet traffic.

    Thanks,

    K.
  • 06-29-2009 7:33 AM In reply to

    Re: Telnet in - How to restrict?

    From a technical standpoint there should be no difference... if you have both applied, the interface ACL will be hit first.

    D.

    Dmitriy Litvinko, CCIE #25150 (R&S)

  • 06-29-2009 8:11 AM In reply to

    Re: Telnet in - How to restrict?

    True regarding inbound traffic, but what about outbound?

    What if you want to block outbound telnet traffic? Line vty 0 4, access-class 1 out will take care of that.

    The only other non-technical issue is that with "Line vty 0 4, access-class 1" you get to use a standard ACL.  I like to save a few brain cycles.

  • 06-29-2009 8:57 AM In reply to

    Re: Telnet in - How to restrict?

    Hmm... not sure about outbound traffic (while testing it wasn't blocking anything), and an ACL on a physical interface will not block locally originated traffic (only transit or policy-routed).

    Dmitriy Litvinko, CCIE #25150 (R&S)

  • 06-29-2009 9:15 AM In reply to

    Re: Telnet in - How to restrict?

    Applying an access-class outbound on the VTY lines will affect outbound telnet traffic generated from an active VTY session.

    An ACL applied outbound on an interface will affect transit traffic.  But with some additional configuration, I think you can have the locally-generated telnet traffic appear as transit and then processed by the ACL.

    HTH,
    Jeff

  • 06-29-2009 1:41 PM In reply to

    Re: Telnet in - How to restrict?

    Jeff, thanks for the clarification. access-class out turns your router into the "hotel california": you can telnet in but you can NOT leave.

    Now in the stupid router tricks category... you could kill locally generated telnet with local PBR.

    R1

    ! Local PBR: router-originated telnet is policy-routed to Loop0 so that it
    ! re-enters the forwarding path and is then subject to the outbound ACL.
    ip local policy route-map TELNET

    ip access-list extended TELNET
     permit tcp any any eq telnet

    route-map TELNET permit 10
     match ip address TELNET
     set ip next-hop 20.20.1.1               <---- Loop0

    ! Outbound interface ACL: drops telnet, lets everything else through
    access-list 100 deny tcp any any eq telnet
    access-list 100 permit ip any any

    interface s0/0/1
     ip address 20.20.13.1 255.255.255.0
     ip access-group 100 out

    R1#p 20.20.13.3

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.20.13.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 44/47/48 ms
    R1#telnet  20.20.13.3
    Trying 20.20.13.3 ...
    % Destination unreachable; gateway or host down

    R1#ct            
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#no ip local policy route-map TELNET
    R1(config)#exit
    R1#telnet  20.20.13.3
    Trying 20.20.13.3 ... Open


    Password required, but none set

    Jun 29 21:33:58.734: %SYS-5-CONFIG_I: Configured from console by console
    [Connection to 20.20.13.3 closed by foreign host]

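To make the ordering argued in this thread concrete (interface ACL hit before the VTY access-class, router-originated traffic bypassing interface ACLs, and the local-PBR trick from the last post), here is an added toy model of the filtering points; it is not from any post and is an assumed simplification of IOS: ACL entries are (action, proto, source-prefix, dport) tuples with string prefix matching, and the loopback next-hop trick is modelled simply as local traffic re-entering the forwarding path.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    origin: str = "transit"  # "transit", "local" (router-generated) or "vty" (from a VTY session)

def acl_match(acl, pkt):
    """Entries are (action, proto, src_prefix, dport); 'ip', 'any' and None are wildcards."""
    for action, proto, src, dport in acl:
        if proto in ("ip", pkt.proto) and (src == "any" or pkt.src.startswith(src)) \
           and dport in (None, pkt.dport):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

@dataclass
class Router:  # assumed simplification of the IOS filtering points, not real IOS code
    addresses: frozenset          # the router's own interface addresses
    acl_in: list = None           # ip access-group ... in  (ingress interface)
    acl_out: list = None          # ip access-group ... out (egress interface)
    access_class_in: list = None  # access-class ... in  (line vty)
    access_class_out: list = None # access-class ... out (line vty)
    policy_acl: list = None       # ACL matched by the ip local policy route-map

    def _egress(self, pkt):
        if self.acl_out is not None and not acl_match(self.acl_out, pkt):
            return "dropped by access-group out"
        return "forwarded"

    def process(self, pkt):
        telnet = pkt.proto == "tcp" and pkt.dport == 23
        if pkt.origin in ("local", "vty"):
            # access-class out only sees telnet opened from an existing VTY session
            if pkt.origin == "vty" and telnet and self.access_class_out is not None \
               and not acl_match(self.access_class_out, pkt):
                return "dropped by access-class out"
            # router-generated traffic skips interface ACLs unless local PBR pushes it back in
            if self.policy_acl is None or not acl_match(self.policy_acl, pkt):
                return "sent, interface ACL bypassed"
            return self._egress(pkt)
        if self.acl_in is not None and not acl_match(self.acl_in, pkt):
            return "dropped by access-group in"  # interface ACL is hit before access-class
        if pkt.dst in self.addresses:
            if telnet and self.access_class_in is not None and not acl_match(self.access_class_in, pkt):
                return "dropped by access-class in"
            return "accepted by router"  # non-telnet traffic to the router is untouched
        return self._egress(pkt)
```

Constructed scenarios: an access-class restricting telnet to 10.0.0.0/24 still lets ICMP reach the router, while the same restriction as an interface ACL drops the ICMP; with the loopback PBR in place, router-originated telnet is caught by access-list 100, and without it the telnet bypasses the interface ACL.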