Tuesday, April 14, 2009

Restricting telnet access

A lab requirement stated 'Allow telnet access to R6 on port 3005 and ensure standard telnet access on port 23 is not allowed'??

To fulfill this requirement requires use of the 'rotary' command on the vty ports.

line vty 0 4
rotary 5

The above enables telnet access on port 3005.

To fulfill the second requirement to restrict access on port 23 can be done via an ACL and access-class command...

ip access-list ext 101
deny tcp any any eq telnet
permit ip any any

line vty 0 4
access-list 101 in

To add an extra twist, a further requirement is added to ensure users entering via vty are prompted for local username and password. No login credentials are required for console access. This can be achieved with the following....

aaa new-model
aaa authentication login default none
aaa authentication login VTY local

line vty 0 4
login authentication VTY

No comments: