Restricting telnet access

[Piass]

Hi all,

I'm trying to restrict telnet access to a 6500 switch with multiple VLAN interfaces. However, I want to restrict it based on destination address, not source address. I've tried the obvious access list, e.g., access-list 101 permit ip any host x.x.x.x (I'm writing this from memory so not sure if the syntax is 100% correct) but then the switch just blocks all telnet attempts.

The reason I'm trying to do this is so that people can only telnet to the management VLAN address of the switch. The management VLAN sits on the inside of a Firewall Service Module, so I can then use the firewall to control access.

Has anyone come across this problem before and did you find a workaround?

Any help much appreciated,

Piass

 

[paulk29]

One quick way to disable telnet is via line vty 0 4
but it stops all protocols on these lines

the code:

line vty 0 4

transport input none ! i.e. none= no protocls.

Hope this helps

Paul

Paul Kilcoyne B eng. CCNA

 

[ADB100]

Piass

I think I get what you are trying to achieve but I think it will be practically impossible since the 6500 is effectively a router and by default you will be able to telnet to any IP address that is configured on it. That being said though anything on the 'Inside' should be handled (routed) by the 6500, anthing on the outside should be handled by the FWSM - so telnet traffic to the 6500 sourced from the outside will go through the FWSM and can be controlled here, telnet traffic sourced from the inside will not go through the FWSM and therefore can't be controlled by it. The only possible way I can see this working is if ALL your interfaces were on the outside and therefore handled (routed) by the FWSM. This would be a serious bottleneck though as the FWSM can only handle about 6Gbps (marketing figure, more likely about 2Gbps) worth of traffic.

I think your only option is to use source address filtering and apply an access-class to the VTY lines:

ip access-list standard Allowed-Telnet-Hosts
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
!
line vty 0 4
access-class Allowed-Telnet-Hosts in
!

Remember also to apply the ACL to SNMP if this is enabled as well.


Andy

 

[Piass]

Thanks for the advice guys.

Andy - I think you're probably right with your explanation, and yes, I wouldn't really want to run all traffic through the FWSM. The other option I just thought of would be to have an access list on every vlan interface except the management one denying telnet, but this would force all traffic to pass through the access list. I'm not even sure if this wouuld work , and if it did, what impact would it have on the switch.

 

[ADB100]

Piass

Yes you could apply an ACL to each VLAN interface denying access to each of the IP addresses configured on the 6500 from the networks you want to deny, then obviously a 'permit any' to allow other traffic to pass. This should work and as the ACL's are pushed down to the PFC ASIC's it shouldn't have a performance impact (assume Sup2/MSFC2 or Sup720?).

I built a big network for one of the Banks in London and we implemented a completely separate Managment Network (linked back to the core via separate Management Distribution Switches) and applied Access-Classes to the VTY lines & SNMP etc. We had to tweak the IP routing so that the paths to the Management IP Network were via these links into the Management Network. i.e. one interface on a switch was dedicated for management access and had routes through this interface for the various managment subnets. We accomplished this using route filtering etc but it worked well after a lot of design work. This is an expensive option but has advantages in a big Campus network.

Andy

 

[Piass]

Hi Andy,

Thanks for the help. I think I'll go with the ACL option. Customer has Sup720s so should be taken care of in hardware as you said.

Cheers,

Piass