Protecting CLI Access 2

By certskills August 29, 2016 09:05

This latest lab is relatively straightforward while being very useful. Many enterprises make a habit of adding an ACL to filter inbound Telnet and SSH attempts into a router or switch. Today’s lab gives you a chance to work through the process with a simple example.


Configure logging on the devices shown in the figure. The specific rules for this lab are:

  • Configure and apply an ACL (1) on R1 to block terminal line access coming from the network
  • Configure and apply an ACL (1) on R2 to block terminal line access coming from the network
  • Assumptions:
    • All router interfaces shown in the lab are up, working and correctly configured with IP addresses
    • IPv4 routing is configured correctly
    • Telnet access has been configured and is functional before you begin the lab


Figure 1: Topology and Addresses for this Lab


Initial Configuration

Examples 1 and 2 show the beginning configuration state of R1 and R2.

Example 1: R1 Config


Example 2: R2 Config


Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution if you happen to try it with CML/VIRL or real gear, you can verify by attempting to telnet from the or networks to their appropriately blocked device. Of course, you can put a device or VM into those subnets to test. However, you can also test from the opposite router by making the IOS telnet command use a different source interface for its packets. You can do this directly from the IOS interface using the telnet host /source-interface interface command. For instance, on router R2, the command telnet /source-interface g0/2 would Telnet to router R1 from R2’s G0/2 interface IP address of, which would test R1’s ACL logic.


Do this Lab with Cisco’s CML (Formerly VIRL)

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for Cisco Modeling Lab – Personal (CML-P). CML-P replaces Cisco Virtual Internet Routing Lab (VIRL) software, in effect serving as VIRL Version 2.

Below, find two files: a file useful with CML-P and another useful with VIRL. (Note that the CML-P file has a .yaml filetype, while the older VIRL file has a VIRL filetype.) Once the file is loaded, CML-P or VIRL will create a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well.

This lab’s CML file!

This lab’s VIRL file!

All interfaces in topology match the lab figure.

Host device info:

This table lists host information pre-configured in CML/VIRL, information that might not be required by the lab but may be useful to you.

Device IP Address User/password
PC1 cisco/cisco
PC2 cisco/cisco


Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4

Trace example: tracepath

To connect to another node within the topology: telnet

Answers: SNMPv3 1
Local Span 1
By certskills August 29, 2016 09:05
Write a comment

No Comments

No Comments Yet!

Let me tell You a sad story ! There are no comments yet, but You can be first one to comment this article.

Write a comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.