
stopping telnet (CCNA exam)


Kekoa (MIS), Apr 20, 2001, US
I had a question on the CCNA exam (640-801) that asked me to disable all telnet access using only 3 lines. I tried blocking access through the line vty 0 4 but when I entered

access-class 10 in

it said that it didn't support that version. So that obviously won't work. Does anyone have another way to do it with only 3 lines on the CLI?

 
How about:

router#config t
router(config)#line vty 0 4
router(config-line)#transport input none

Graham
 
Graham,

I tried that also, didn't support that version either. Any other suggestions?
 
The best way to disable telnet access is to remove the password.

Andy Leates MCSE CCNA MCP+I
 
What do you mean by "didn't support that version"? Is this an error message, I'm not familiar with it!
 
The test has a pop up window that says something like "command not support in this version"...
 
I did the exam a month ago. I tried:

access-list 111 deny tcp any host <routerIP> eq 23
access-list 111 permit ip any any

and, in the WAN interface:

ip access-group 111 in

But this way you just cut telnet access in one interface.

Diego.
 
Seems a bit strange that the command isn't supported. Is there any possibility that the test was faulty?
 
Wouldn't this work (Not sure if it's the answer Cisco wants)....


configure terminal
line vty 0 4
no login

That's 3 lines. :)
 
From what I remember about the CCNA, that error means "Wrong Answer". The command you're entering isn't what they are looking for. I have Transcender that I used for the CCNA and it would give me the same thing, so I was pretty much used to it. I remember that CCNA question though. I thought that I entered the commands that Graham has listed above. Those commands would disallow TELNET access.

SpudNuts(ITC), USN(Ret), CCNA, BSCI, BCRAN, CST
 
conf t
line vty 0 4
no password

if there is no password set for telnet sessions, the router will not accept the connection.
 
Setting 'no password' on the vty lines doesn't actually prevent telnet if local authentication is set up.

I always use standard ACLs applied to the vty group to filter connections, but I think that the answer Cisco is looking for on the 640-801 exam is an access list applied to the external interface preventing external telnet connections. Of course, in the real world there are a number of options for preventing access.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
As Dtabera said, something like ..

access-list 111 deny tcp any host <routerIP> eq 23
access-list 111 permit ip any any

and, in the WAN interface:

ip access-group 111 in

I recertified last week and on my exam the blocking telnet question was a multi-choice one giving five possible access lists, four of which were incorrect.

In practice the best way is an acl applied to the vty lines but it seems that the sims in the exam do not support that.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
If you want to completely block telnet then use "transport input none" and/or use a different transport like "transport input ssh". That will completely disable telnet access to the router.

Removing the password from the VTY lines is almost as effective. You can still telnet to the router but it immediately tells you that a password is required but none is set, and it drops the connection.

If you still need to allow telnet but only for certain users, then use the access list on the VTY lines.

If you want to deny telnet traffic incoming from a certain interface, such as an outside interface facing someone you don't trust, then you could also apply an access list incoming on that interface.

 
Removing the password from the VTY lines is almost as effective. You can still telnet to the router but it immediately tells you that a password is required but none is set, and it drops the connection.

Not if you have local authentication set up. All my routers have 'no password' on the vty lines and I can telnet to all of them.

I agree that the best way is an acl applied to the vty lines which is what we use to limit access to management IP's.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
You're correct. I meant to specify that this was only true if you didn't have local usernames configured since you had already mentioned it, but I forgot.
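Added example, not from any poster in this thread: a small Python audit over a constructed "show running-config" excerpt that applies the points made above. It flags vty lines that still accept telnet (IOS defaults to "transport input all" when nothing is set), lines with no inbound access-class, and lines using "login local" with local usernames present, where "no password" alone would not block telnet. The hostname, username and ACL in the sample are made up.

```python
import re
from typing import Dict, List

# Constructed sample excerpt of a running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
!
username admin secret <REDACTED>
!
access-list 10 permit 10.1.1.0 0.0.0.255
!
line vty 0 4
 login local
 transport input all
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
"""

def parse_vty_lines(config: str) -> List[Dict]:
    """Return one dict per 'line vty' block with the indented sub-commands it contains."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"name": raw.strip(), "cmds": []}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current["cmds"].append(raw.strip())
        else:
            current = None  # any other top-level line ends the vty block
    return blocks

def audit_vty(config: str) -> List[str]:
    """Flag vty blocks that accept telnet, lack an inbound ACL, or rely on local users."""
    findings = []
    has_local_users = re.search(r"^username \S+", config, re.M) is not None
    for blk in parse_vty_lines(config):
        cmds, name = blk["cmds"], blk["name"]
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        # A missing 'transport input' line behaves like 'transport input all'.
        allowed = transport.split(None, 2)[2] if transport else "all"
        telnet_ok = allowed == "all" or "telnet" in allowed.split()
        if telnet_ok:
            findings.append(f"{name}: telnet allowed (transport input {allowed})")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class on this line")
        if telnet_ok and "login local" in cmds and has_local_users:
            findings.append(f"{name}: 'no password' would not block telnet, local users are configured")
    return findings
```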
 