Access Lists and Telnet

Plazma, Member, Posts: 503
Just a quick question

I know if you wanted to block telnet connections you can either:

1. Create an acl and place it on the vty lines
2. Create an extended ACL blocking port 23 (or the keyword 'telnet') and place it on the in/out port of your choosing.

My question really is: since they both appear to do the same thing, in which scenario would it be best to use either, and WHY? Or I should say, what does Cisco say, per se, about which one is 'best'?
CCIE - COMPLETED!

Comments

  • dbfield, Member, Posts: 7
    It depends if you wanted to block telnet altogether. You could just not assign a password to the vty lines. Otherwise I would just add the access list specifying the IP addresses you wanted to have access.
  • mlan2399, Member, Posts: 3
    I believe extended access lists are more processor intensive because they have to look deeper into (layer 4) all packets instead of just layer 3 that you'd have to inspect using standard lists.
  • dtlokee, Member, Posts: 2,378
    mlan2399 is on the right track with the part about CPU usage: by applying an extended ACL to the interface, every packet will be tested against it, and this can be processor intensive. Also, if you have a router with 4 or 5 interfaces, it would be a bit of administrative overhead to build the ACL (with 4 or 5 deny statements, one for each interface) and then apply it 4 or 5 times. Adding an ACL to the vty lines would be the best option if you are trying to block telnet to the router (or SSH, for that matter).
    The only easy day was yesterday!
  • Plazma, Member, Posts: 503
    I never thought about the CPU-intensive stuff. Awesome!

    thanks guys
    CCIE - COMPLETED!
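The two options from the original post written out side by side, as an added example that is not configuration from the thread or from any of its posters. The ACL names, the management subnet (10.0.0.0/24), the router addresses (192.0.2.1, 198.51.100.1) and the interface names are assumed for illustration.

```cisco
! --- Option 1: standard ACL on the vty lines (access-class) ---
! Checked only when a connection is opened to the router's own vty lines
! (telnet or SSH), whatever interface the packet arrived on. Transit traffic
! passing through the router is never tested against this list.
ip access-list standard MGMT-HOSTS
 remark only the assumed management subnet may open a vty session
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 remark transport input ssh drops telnet entirely and keeps SSH
 transport input ssh
!
! --- Option 2: extended ACL on every interface (ip access-group) ---
! Every packet entering each interface is tested against the list, and the
! list must be applied on every interface the router has. Matching only the
! router's own (assumed) addresses keeps telnet between other hosts flowing;
! "deny tcp any any eq telnet" would also block that transit traffic.
ip access-list extended NO-TELNET-TO-ROUTER
 deny   tcp any host 192.0.2.1 eq telnet log
 deny   tcp any host 198.51.100.1 eq telnet log
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group NO-TELNET-TO-ROUTER in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group NO-TELNET-TO-ROUTER in
```

To confirm which list is doing the work, `show access-lists` shows the per-entry match counters climbing as connections are attempted, and `show running-config | section line vty` shows whether the access-class is actually bound to the lines. The `log` keyword on the deny entries produces a syslog message for each rejected attempt, which is what you want to see in a management-plane alert rather than silently dropped packets.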