Access-lists
hshah12
Hi all,
Just a quick question for you guys.
How do you deny telnet traffic to the router interfaces using access lists?
Sometimes this is done by doing this...
access-list 101 deny tcp any host 192.x.x.x eq telnet
access-list 101 deny tcp any host 172.x.x.x eq telnet
int s0
ip access-group 101 in
int e0
ip access-group 101 in
and other times it's done this way...
access-list 50 deny any
line vty 0 4
access-class 50 in
Can someone tell me when to use the first method and when to use the second, under what circumstances etc?
Comments
BubbaJ
I think you would decide this on the context of the question/problem. If the question or problem asks you to deny telnet traffic, then the interface method should be used because it is actually blocking the traffic. If you are asked to permit or deny certain addresses telnet access to your router, the VTY method may be best, but it is not actually blocking traffic.
When you telnet to a device, you are connecting to a VTY. For the telnet to be successful, the VTY needs some type of authentication set up. You can then apply an access list to the VTY to deny or allow specific addresses. This is a more elegant way to control telnet access to your router.
Denying telnet access through all other interfaces is sort of crude, more work, and less reliable since you will have to make sure to add it to any interfaces that get added to the router at a later time. In your example, if the router had, or added, a Loopback 0 interface of 10.1.1.1, you could still telnet to the router. Applying it to the interfaces may also be used to prevent the telnet from traversing the router to a different device.
As a side note, access lists do have an implicit deny all, so your access-list 101 will not permit any traffic.
Danman32
Besides the deny all mistake which I also overlooked, here's another point.
The first example will deny telnet to anything, from those networks, not just the router. So, if you have an MS server configured for telnet on the 172 network, and you are trying to reach it from the 192 network, it isn't going to happen.
In your second example, my example would work, yet still block telnet access to the router's console (OK, using console here may be misleading).
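To make the two points raised in the replies concrete (the implicit deny at the end of access-list 101, and the Loopback 0 address that an interface ACL never covers), here is a small Python model added to this thread. It is not code from any of the posters and not Cisco code; the interface addresses, the 203.0.113.5 management host, the 198.51.100.9 outside host and the "fixed" lists are all constructed for the example.

```python
"""Added example (not from the thread): a tiny model of the two ACL
placements discussed above, so the implicit-deny and loopback points
can be checked. Addresses and interface names are constructed."""
from dataclasses import dataclass
from typing import Optional

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto 'ip' matches every protocol, src/dst
    'any' matches every address, dport None matches every port."""
    action: str           # "permit" or "deny"
    proto: str
    src: str
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


def evaluate(acl: list, p: Packet) -> bool:
    """First matching entry wins; no match at all is the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


# The router's own addresses: the two interfaces from the question plus
# the Loopback 0 that BubbaJ mentions. Constructed documentation ranges.
INTERFACES = {"s0": "192.0.2.1", "e0": "172.16.0.1", "lo0": "10.1.1.1"}
MGMT_HOST = "203.0.113.5"

# access-list 101 as posted: two denies and nothing else.
ACL_101_AS_POSTED = [
    Ace("deny", "tcp", "any", INTERFACES["s0"], TELNET),
    Ace("deny", "tcp", "any", INTERFACES["e0"], TELNET),
]
# Same list with the permit the replies say is missing.
ACL_101_FIXED = ACL_101_AS_POSTED + [Ace("permit", "ip", "any", "any")]

# access-list 50 as posted (deny any) and a usable variant that admits one
# management host. A standard list under access-class only sees the source.
ACL_50_AS_POSTED = [Ace("deny", "ip", "any")]
ACL_50_MGMT_ONLY = [Ace("permit", "ip", MGMT_HOST)]


def telnet_to_router(src: str, target: str, ingress: str, inbound: dict,
                     vty_acl: Optional[list] = None) -> bool:
    """Does a telnet SYN from src, arriving on interface `ingress` and
    addressed to one of the router's own addresses, reach the VTY?
    `inbound` maps interface name -> its inbound ACL (missing = none).
    The interface ACL is checked first, then the VTY access-class."""
    pkt = Packet(src, target, "tcp", TELNET)
    if ingress in inbound and not evaluate(inbound[ingress], pkt):
        return False
    if vty_acl is not None and not evaluate(vty_acl, pkt):
        return False
    return True


def transit_allowed(interface_acl: list, src: str, dst: str,
                    proto: str, dport: int = 0) -> bool:
    """Traffic passing through the router to another host meets only the
    interface ACL; the VTY access-class never sees it."""
    return evaluate(interface_acl, Packet(src, dst, proto, dport))


if __name__ == "__main__":
    outside = "198.51.100.9"
    print("ping through s0, ACL 101 as posted:",
          transit_allowed(ACL_101_AS_POSTED, outside, "172.16.0.20", "icmp"))
    print("telnet to s0 address, fixed ACL 101 on s0:",
          telnet_to_router(outside, INTERFACES["s0"], "s0", {"s0": ACL_101_FIXED}))
    print("telnet to lo0 via s0, fixed ACL 101 on s0:",
          telnet_to_router(outside, INTERFACES["lo0"], "s0", {"s0": ACL_101_FIXED}))
    print("telnet to lo0, access-class 50 mgmt-only, outside source:",
          telnet_to_router(outside, INTERFACES["lo0"], "s0", {}, ACL_50_MGMT_ONLY))
    print("telnet to lo0, access-class 50 mgmt-only, mgmt source:",
          telnet_to_router(MGMT_HOST, INTERFACES["lo0"], "e0", {}, ACL_50_MGMT_ONLY))
```

Running it shows the three behaviours the thread describes: the list as posted drops even a ping because nothing is permitted; the fixed list stops telnet to the s0 and e0 addresses but still lets a session through to the loopback, which no interface ACL names; and the access-class list is checked no matter which interface or address the session arrives on, so one short list covers every address the router owns.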