Completely disable telnet access to a multilayer switch
Pash
Member Posts: 1,600 ■■■■■□□□□□
in CCNA & CCENT
We have a 6500 switch running CatOS at L2 and IOS at L3. The L3 part is easy with use of access lists, but the L2 part seems to be a stopgap. I was under the impression:
"set ip permit enable telnet" command without supplying a permit list would disable telnet access entirely, but our client's pen testers seem to believe differently.
Does anyone have any ideas how I can remove telnet access entirely from this 6500 switch?
Cheers,
Pash
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
jason_lunde Member Posts: 567
I am not a big CatOS guru, but I believe the command to disable it is:
set ip permit X.X.X.X Y.Y.Y.Y telnet
set ip permit disable telnet
try that out, and let me know...
rwwest7 Member Posts: 300
Couldn't you also add:
conf t
line vty 0 X
no password
login
Then if somebody is able to get through the access list, they would get the "password required but none set" error.
LBC90805 Member Posts: 247
Couldn't you also add:
conf t
line vty 0 X
no password
login
Then if somebody is able to get through the access list, they would get the "password required but none set" error.
Those commands would just allow someone to log into the VTY without a password. Correct me if I'm wrong, someone, but that wouldn't turn off TELNET altogether.
I was thinking something along the lines of "No Transport Input SOMETHING".
networker050184 Mod Posts: 11,962 Mod
Those commands would just allow someone to log into the VTY without a password. Correct me if I'm wrong, someone, but that wouldn't turn off TELNET altogether.
You're thinking of no login.
An expert is a man who has made all the mistakes which can be made.
amp2030 Member Posts: 253
I was thinking something along the lines of "No Transport Input SOMETHING".
"Transport Input SSH" should do the trick...
tiersten Member Posts: 4,505
jason_lunde wrote: »
I am not a big CatOS guru, but I believe the command to disable it is:
set ip permit X.X.X.X Y.Y.Y.Y telnet
set ip permit disable telnet
try that out, and let me know...
tiersten Member Posts: 4,505
Those commands would just allow someone to log into the VTY without a password. Correct me if I'm wrong, someone, but that wouldn't turn off TELNET altogether.
I was thinking something along the lines of "No Transport Input SOMETHING".
Pash Member Posts: 1,600 ■■■■■□□□□□
Thanks for the response guys:
set ip permit X.X.X.X Y.Y.Y.Y telnet
set ip permit disable telnet
We will try that jason thanks.
It's actually a multi layer switch, so L2 CatOS L3 IOS
rwwest7 Member Posts: 300
Those commands would just allow someone to log into the VTY without a password. Correct me if I'm wrong, someone, but that wouldn't turn off TELNET altogether.
I was thinking something along the lines of "No Transport Input SOMETHING".
LBC90805 Member Posts: 247
networker050184 wrote: »
You're thinking of no login.
I knew I was missing something. It's been awhile since I goofed around with the "line" commands.
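
Added example, not part of the thread: a small Python check for the IOS (L3) side of the discussion, which reads the `line vty` stanzas from a saved running-config and reports any that still accept Telnet or use `no login`. The sample config and the function names are constructed for illustration, and the CatOS `set ip permit` side is not covered.

```python
# Constructed sample of an IOS running-config (not taken from the thread).
SAMPLE_CONFIG = """\
line con 0
 password example
line vty 0 4
 access-class 10 in
 no password
 login
line vty 5 15
 transport input ssh
 login local
line vty 16 20
 transport input telnet ssh
 no login
"""

def parse_vty_blocks(config):
    """Return {header: [sub-commands]} for every 'line vty' stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return blocks

def audit_vty(config):
    """Return {header: [findings]}; an empty list means Telnet is not accepted."""
    report = {}
    for header, cmds in parse_vty_blocks(config).items():
        findings = []
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transport:
            # Assumption: the default differs between IOS releases, so flag for review.
            findings.append("no 'transport input' line: default depends on IOS release, verify")
        elif {"telnet", "all"} & set(transport[-1]):
            findings.append("telnet accepted by 'transport input'")
        if "no login" in cmds:
            findings.append("'no login': session opens without a password prompt")
        report[header] = findings
    return report

if __name__ == "__main__":
    for header, findings in audit_vty(SAMPLE_CONFIG).items():
        print(header, "->", findings or "ok")
```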