Access-lists

hshah12 Member Posts: 13
Hi all,

Just a quick question for you guys.

How do I deny telnet traffic to the router interfaces using access lists?

Sometimes this is done by doing this...

access-list 101 deny tcp any host 192.x.x.x eq telnet
access-list 101 deny tcp any host 172.x.x.x eq telnet
int s0
ip access-group 101 in
int e0
ip access-group 101 in


and other times it's done this way...

access-list 50 deny any
line vty 0 4
access-class 50 in


Can someone tell me when to use the first method and when to use the second, under what circumstances etc?

Comments

  • BubbaJ Member Posts: 323
    I think you would decide this on the context of the question/problem. If the question or problem asks you to deny telnet traffic, then the interface method should be used because it is actually blocking the traffic. If you are asked to permit or deny certain addresses telnet access to your router, the VTY method may be best, but it is not actually blocking traffic.

    When you telnet to a device, you are connecting to a VTY. For the telnet to be successful, the VTY needs some type of authentication set up. You can then apply an access list to the VTY to deny or allow specific addresses. This is a more elegant way to control telnet access to your router.

    Denying telnet access through all other interfaces is sort of crude, more work, and less reliable since you will have to make sure to add it to any interfaces that get added to the router at a later time. In your example, if the router had, or added, a Loopback 0 interface of 10.1.1.1, you could still telnet to the router. Applying it to the interfaces may also be used to prevent the telnet from traversing the router to a different device.

    As a side note, access lists do have an implicit deny all, so your access-list 101 will not permit any traffic.
  • Danman32 Member Posts: 1,243
    Besides the deny-all mistake, which I also overlooked, here's another point.

    The first example will deny telnet to anything, from those networks, not just the router. So, if you have an MS server configured for telnet on the 172 network, and you are trying to reach it from the 192 network, it isn't going to happen.

    In your second example, my example would work, yet still block telnet access to the router's console (OK, using console here may be misleading).
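Putting the two methods from the question side by side, with the implicit-deny and loopback points from the replies addressed. This is an added example, not configuration from any poster in the thread; the addresses 192.0.2.1, 172.16.0.1 and the management subnet 10.0.0.0/24 are assumed placeholders.

```cisco
! Method 1: extended ACL applied inbound on each interface.
! Blocks telnet addressed *to* the two router addresses only. The explicit
! final permit is required: without it the implicit deny drops all other
! traffic, which is the mistake noted in the replies.
access-list 101 deny   tcp any host 192.0.2.1  eq telnet
access-list 101 deny   tcp any host 172.16.0.1 eq telnet
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in
interface Ethernet0
 ip access-group 101 in
!
! Method 2: standard ACL applied to the VTY lines.
! Controls who may open a session to *any* of the router's addresses,
! including a Loopback0 added later, and does not touch transit traffic.
! Only the assumed management subnet is allowed; everything else is
! denied and logged so blocked attempts show up in the router's log.
access-list 50 permit 10.0.0.0 0.0.0.255
access-list 50 deny   any log
!
line vty 0 4
 access-class 50 in
! VTY authentication (login/password or AAA) is configured separately.
```

Use method 1 when the requirement is to stop telnet traffic on a link (including traffic passing through the router); use method 2 when the requirement is to restrict who may log in to the router itself.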