completely disable telenet access to a mullti layer switch

We have a 6500 switch running CatOS at L2 and IOS at L3. The L3 part is easy with use of access list's, but the L2 part seems to be a stopgap. I was under the impression:

"set ip permit enable telnet" command without supplying a permit list would disable telnet access entirely, but our clients pen testers seem to believe differently.

Does anyone have any ideas how I can remove telenet access entirely from this 6500 switch?

Cheers,

Pash

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

jason_lunde

I am not a big CatOS guru, but I believe the command to disable it is:

set ip permit X.X.X.X Y.Y.Y.Y telnet
set ip permit disable telnet

try that out, and let me know...

rwwest7

Couldn't you also add:

conf t
line vty 0 X
no password
login

Then if somebody is able to get through the access list, they would get the "password required but none set" error.

LBC90805

rwwest7 wrote: »

Couldn't you also add:

conf t
line vty 0 X
no password
login

Then if somebody is able to get through the access list, they would get the "password required but none set" error.

Those commands would just allow someone to log into the VTY without a password. Correct me if I'm wrong, someone, but that wouldn't turn off TELNET altogether.

I was thinking something along the lines of "No Transport Input SOMETHING".

networker050184

LBC90805 wrote: »

Those commands would just allow someone to log into the VTY without a password. Correct me if I'm wrong, someone, but that wouldn't turn off TELNET altogether.

You're thinking of no login.

amp2030

LBC90805 wrote: »

I was thinking something along the lines of "No Transport Input SOMETHING".

"Transport Input SSH" should do the trick...

tiersten

jason_lunde wrote: »

I am not a big CatOS guru, but I believe the command to disable it is:

set ip permit X.X.X.X Y.Y.Y.Y telnet
set ip permit disable telnet

try that out, and let me know...

This should do it.

tiersten

LBC90805 wrote: »

Those commands would just allow someone to log into the VTY without a password. Correct me if I'm wrong, someone, but that wouldn't turn off TELNET altogether.

I was thinking something along the lines of "No Transport Input SOMETHING".

It is running CatOS and not IOS...

Pash

Thanks for response guys:

set ip permit X.X.X.X Y.Y.Y.Y telnet
set ip permit disable telnet

We will try thaat jason thanks.

Its actually a multi layer switch, so L2 catOS L3 IOS

rwwest7

LBC90805 wrote: »

Those commands would just allow someone to log into the VTY without a password. Correct me if I'm wrong, someone, but that wouldn't turn off TELNET altogether.

I was thinking something along the lines of "No Transport Input SOMETHING".

No, those commands would basically disable Telnet. If you require a login but have no password set, then Cisco is smart enough to not allow telnet until a password is set.

LBC90805

networker050184 wrote: »

You're thinking of no login.

I knew I was missing something. It's been awhile since I goofed around with the "line" commands.