Answers: Protecting CLI Access 1

certskills
By certskills May 16, 2016 09:10


How do you protect the CLI by preventing Telnet and SSH access, without matching every last interface IP address on a router? Today’s lab gives you a chance to explore and practice that configuration. Check the lab requirements in the first post, as usual, and then come back here.


Answers

Figure 1: Management Access

Example 1: R1 Config

Example 2: R2 Config

Example 3: R3 Config

Example 4: R4 Config

Commentary

There are two primary methods of preventing management access (SSH and/or Telnet) to a device. One uses an extended ACL to block packets entering the router, specifically packets sent to TCP ports 22 and 23 (SSH and Telnet, respectively). The other method also uses an ACL to match those packets, but applies the ACL directly to the management virtual terminal (VTY) lines with the access-class command. In that case the ACL need not match port numbers, because the vty lines by their nature only accept Telnet and/or SSH sessions, rather than forwarding any and all IP packets. As a result, applying the ACL to the vty lines with the access-class command works well when the goal is to protect access to the device itself, rather than to filter packets passing through the router to other devices.

For this lab you were tasked with blocking management access to all of the routers from every device except the hosts in the Manager's subnet (shown in the topology as 'M'). The Manager device sits in subnet 172.16.1.0/24, a subnet that can be matched easily with a standard ACL. The requirements also said to use the first available ACL number, which for a standard ACL is 1, so the command to configure this is access-list 1 permit 172.16.1.0 0.0.0.255.

The requirements also said not to use the ip access-group command, which forces you to use the access-class method. To apply ACL 1, use the access-class 1 in command in VTY line configuration mode. Both of these commands need to be configured on all four routers.
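As an added example (not the post's own Example 1 through Example 4, which are not reproduced here as text), this is what the lab's answer looks like on one router, alongside the interface-ACL method the commentary contrasts it with. The Manager subnet and ACL number come from the post; the interface name GigabitEthernet0/0, the router address 192.0.2.1 and the vty range 0 4 are assumptions.

```cisco
! Added example configuration, not the post's own Example 1-4.
! Assumed: interface GigabitEthernet0/0 with address 192.0.2.1
! (an RFC 5737 documentation address) and vty lines 0-4.
!
! Method 1 (for contrast only; the lab rules out ip access-group):
! an extended ACL applied to an interface. It has to match TCP ports
! 22 and 23, list each router interface address (one deny pair per
! address), and be applied on every interface a session could enter.
ip access-list extended BLOCK-MGMT-PORTS
 permit tcp 172.16.1.0 0.0.0.255 host 192.0.2.1 eq 22
 permit tcp 172.16.1.0 0.0.0.255 host 192.0.2.1 eq 23
 deny   tcp any host 192.0.2.1 eq 22
 deny   tcp any host 192.0.2.1 eq 23
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-MGMT-PORTS in
!
! Method 2 (the lab's answer): standard ACL 1 matches only the
! Manager subnet. Applied to the vty lines, it is evaluated only for
! Telnet/SSH sessions to this router, never for transit traffic, so
! no port numbers or interface addresses are needed. The implicit
! deny at the end of ACL 1 rejects every other source address.
access-list 1 permit 172.16.1.0 0.0.0.255
!
line vty 0 4
 access-class 1 in
!
! Repeat access-list 1 and access-class 1 in on R2, R3 and R4.
```

To verify, show access-lists 1 displays the match counter on the permit entry, which increments as Manager hosts open sessions, and show running-config | section line vty confirms the access-class is attached. One caveat when checking a real device: the access-class must cover every vty line the platform has (many images provide vty 0 through 15, not just 0 through 4); any line outside the configured range still accepts sessions without the filter.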


2 Comments

  1. CAMO December 5, 01:52

    I can see from the router config screenshots that standard access-list 1 permits the 172.16.1.0/24 network to telnet/ssh into vty lines on the routers.

    My question is, why is the 172.16.1.100 0.0.0.255 address used in the commentary? Shouldn’t that address match the router config screenshot?

    Regards
