Sunday, December 12, 2010

Configure and apply ACLs to limit Telnet and SSH access to the router (using SDM or the CLI), CCSP Course Training in Gurgaon

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

Stopping users from telnetting to a large router is harder than it looks, because every active interface address on the router is a valid target for a VTY connection. You could write an extended IP access list that denies Telnet to each of the router's addresses, but you would have to apply it inbound on every interface, which does not scale to a router with dozens, or hundreds, of interfaces. The better solution is to control access to the VTY lines themselves with a standard IP access list.
Why does this work? An access list applied to the VTY lines does not need to name the Telnet (or SSH) protocol, because reaching a VTY already implies terminal access. It also needs no destination address, since it makes no difference which interface address the user aimed the session at. The only thing left to control is where the user is coming from, the source IP address, and that is exactly what a standard access list matches.
To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you want to be able to
telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.
Here is an example of allowing only host 172.16.10.3 to telnet into a router:
Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
Because of the implied deny any at the end of every IOS access list, this stops any host other than 172.16.10.3 from telnetting into the router, regardless of which of the router's IP addresses is used as the target. Note that the list protects only the lines it is applied to: if the router has more VTY lines than 0 through 4 (many platforms have 0 through 15, and the SSH example below uses 0 through 1180), apply the access-class to all of them, otherwise a session that lands on an unprotected line bypasses the list entirely.
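To make the matching rule concrete, here is a small Python evaluator, added for this page and not part of the original text or of IOS, that reads IOS standard-ACL lines, applies the wildcard-mask comparison entry by entry, and falls through to the implied deny. It goes one step beyond the page's single-host list by adding a second entry that permits a whole management subnet with a wildcard mask, which is the usual way to admit more than one administrator. The ACL text and all addresses are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from typing import NamedTuple

# Constructed standard ACL in the form the page applies with "access-class 50 in":
# the page's single host, plus (as an extension) a management subnet.
# Anything that matches no entry hits the implied "deny any".
ACL_TEXT = """
access-list 50 permit 172.16.10.3
access-list 50 permit 10.1.99.0 0.0.0.255
"""


class Entry(NamedTuple):
    action: str      # "permit" or "deny"
    network: int     # configured address as a 32-bit integer
    wildcard: int    # IOS wildcard mask: a 1 bit means "don't care"


def parse_standard_acl(text: str, number: int) -> list[Entry]:
    """Parse 'access-list N permit|deny <addr> [wildcard]' lines for ACL N.

    Accepts the forms IOS accepts in a standard ACL: 'any', 'host A.B.C.D',
    and a bare address (the wildcard then defaults to 0.0.0.0, an exact host).
    """
    entries: list[Entry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or int(parts[1]) != number:
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw!r}")
        target = parts[3:]
        if target[0] == "any":
            network, wildcard = 0, 0xFFFFFFFF
        elif target[0] == "host":
            network, wildcard = int(ipaddress.IPv4Address(target[1])), 0
        else:
            network = int(ipaddress.IPv4Address(target[0]))
            wildcard = int(ipaddress.IPv4Address(target[1])) if len(target) > 1 else 0
        entries.append(Entry(action, network, wildcard))
    return entries


def matches(entry: Entry, addr: int) -> bool:
    """Wildcard bits set to 1 are ignored; every other bit must equal the entry."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (addr & care) == (entry.network & care)


def vty_decision(acl: list[Entry], source: str) -> str:
    """Return 'permit' or 'deny' for a VTY connection from `source`.

    Only the source address is consulted, which is exactly why a standard ACL
    is enough under access-class: the interface address the user targeted and
    the protocol (Telnet or SSH) play no part in the decision.
    """
    addr = int(ipaddress.IPv4Address(source))
    for entry in acl:          # first match wins, as on the router
        if matches(entry, addr):
            return entry.action
    return "deny"              # implied deny any at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_TEXT, 50)
    for src in ("172.16.10.3", "172.16.10.4", "10.1.99.77", "10.1.100.1"):
        print(f"{src:>14} -> {vty_decision(acl, src)}")
```

Run it and only 172.16.10.3 and the 10.1.99.0/24 hosts are permitted; 172.16.10.4 is denied even though it sits next to the permitted host, because a wildcard of 0.0.0.0 means every bit must match.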
Cisco recommends that you use Secure Shell (SSH) instead of Telnet on the
VTY lines of a router.
Secure Shell (SSH)
Instead of Telnet, which carries the whole session, including the username and password, across the network as cleartext, use Secure Shell (SSH). SSH uses the router's RSA key pair to negotiate session keys and then encrypts everything that follows, so your credentials and commands are not exposed on the wire.
Here are the steps to setting up SSH:
1. Set your hostname:
Router(config)#hostname Todd
2. Set the domain name (both the hostname and domain name are required for the encryption
keys to be generated):
Todd(config)#ip domain-name Lammle.com
3. Generate the RSA key pair that secures the session (1024 bits is the book's example; on any current IOS image generate at least 2048 bits, since shorter keys are considered weak):
Todd(config)#crypto key generate rsa general-keys modulus ?
<360-2048> size of the key modulus [360-2048]
Todd(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: Todd.Lammle.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*June 24 19:25:30.035: %SSH-5-ENABLED: SSH 1.99 has been enabled
4. Set the time-out for the SSH negotiation phase (how long the router waits for the client during session setup; idle time for an established session is controlled by exec-timeout on the line, not by this command):
Todd(config)#ip ssh time-out ?
<1-120> SSH time-out interval (secs)
Todd(config)#ip ssh time-out 60
5. Set the maximum number of failed authentication attempts allowed on an SSH connection:
Todd(config)#ip ssh authentication-retries ?
<0-5> Number of authentication retries
Todd(config)#ip ssh authentication-retries 2
6. Enter line configuration mode for the VTY lines (cover every VTY line the router has, not just the first five; this example selects lines 0 through 1180):
Todd(config)#line vty 0 1180
7. Finally, set the protocols the lines will accept, SSH first (adding telnet keeps Telnet enabled alongside SSH):
Todd(config-line)#transport input ssh telnet
If you leave off the keyword telnet, only SSH is accepted on those lines. Omit it unless you need to keep Telnet working during a transition; either way, understand that SSH is more secure than Telnet. One step the list above does not show: SSH requires a username, so configure username ... secret and login local on the VTY lines (or AAA), because a line password alone cannot authenticate an SSH session.
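The two procedures on this page (the access-class on the VTY lines and the SSH-only transport) are easy to get half right, so here is a small audit script, added for this page and not code from the book or from IOS, that reads a running-config and reports the VTY lines that still accept Telnet, lack an inbound access-class, or reference an ACL with no entries, plus the global settings SSH needs. The two configs it checks are constructed: the first is the weak state the page warns about, the second applies the page's commands plus the local username that SSH requires. It assumes numbered ACLs and the indentation IOS uses in show running-config; named ACLs and AAA method lists are not parsed.

```python
from __future__ import annotations

import re

# Constructed IOS running-config excerpts (not taken from the page).
WEAK_CONFIG = """\
hostname Todd
ip domain-name Lammle.com
line vty 0 4
 password cisco
 login
 transport input ssh telnet
line vty 5 15
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname Todd
ip domain-name Lammle.com
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
username admin privilege 15 secret S3cr3t!
access-list 50 permit 172.16.10.3
line vty 0 4
 access-class 50 in
 login local
 transport input ssh
line vty 5 15
 access-class 50 in
 login local
 transport input ssh
"""


def vty_blocks(config: str) -> dict[str, list[str]]:
    """Map each 'line vty A B' block to its indented sub-commands."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"line (vty \d+(?: \d+)?)\s*$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any unindented command ends the current line block
    return blocks


def audit_vty_access(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    global_cmds = {l.strip() for l in config.splitlines() if not l.startswith(" ")}

    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' missing, so SSHv1 can still be negotiated")
    if not any(l.startswith(("username ", "aaa new-model")) for l in global_cmds):
        findings.append("global: no 'username' or AAA; SSH cannot authenticate "
                        "against a line password alone")

    blocks = vty_blocks(config)
    if not blocks:
        findings.append("no 'line vty' blocks found")
    for name, lines in blocks.items():
        transports = [l for l in lines if l.startswith("transport input")]
        if not transports:
            findings.append(f"line {name}: no 'transport input'; the platform default "
                            "applies, set 'transport input ssh' explicitly")
        else:
            allowed = set(transports[-1].split()[2:])   # last one configured wins
            if allowed != {"ssh"}:
                findings.append(f"line {name}: transport input allows {sorted(allowed)}; "
                                "only ssh should be permitted")
        acls = [l for l in lines if l.startswith("access-class ") and l.endswith(" in")]
        if not acls:
            findings.append(f"line {name}: no inbound access-class; any source "
                            "address may attempt to log in")
        else:
            number = acls[-1].split()[1]
            # An access-class that names an ACL with no entries is not a deny: IOS
            # treats an empty ACL as permit any, so the line is effectively open.
            if not any(l.startswith(f"access-list {number} ") for l in global_cmds):
                findings.append(f"line {name}: access-class {number} names an ACL with "
                                "no entries, which IOS treats as permit any")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_vty_access(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

The weak config produces six findings, two of them on line vty 5 15, which is the case the page's line vty 0 4 example leaves uncovered; the hardened config produces none. Point the script at the output of show running-config from a lab router to see which of the page's steps were skipped.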
Exam Objectives
Remember the VTY line command that enables SSH on a Cisco router: transport input ssh. The keyword telnet at the end (transport input ssh telnet) is optional and keeps Telnet enabled alongside SSH.
