RE: Denying telnet to port 23 on VTY

From: Rik Guyler (rik@guyler.net)
Date: Tue Nov 07 2006 - 15:16:47 ART


Don't fall into that trap in the real lab. If the requirements say ACL then
an ACL is all you're allowed/disallowed to use. Everything else is fair
game. If you over-analyze the requirements then you may disqualify a solid
possible solution.

Rik

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
dszarmach
Sent: Monday, November 06, 2006 11:57 PM
To: Rodrigo Paes; ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: Denying telnet to port 23 on VTY

I thought of that also, but I link NBAR and ACL as the same thing because of
similar function... using NBAR is not *technically* an ACL so this would
probably meet the requirement, but I figured they were looking for another
way of stopping telnet without 'matching' telnet in an access list or
route-map.

Doug Szarmach
Sr. Network Engineer
Community Foundation of Northwest Indiana, Inc.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Rodrigo Paes
Sent: Monday, November 06, 2006 10:34 PM
To: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: Denying telnet to port 23 on VTY

On Mon, 6 Nov 2006 20:05:42 -0800
"Kal Han" <calikali2006@gmail.com> wrote:

> I don't know how to do this.
> You can disable VTY telnet access by using "transport input ssh"
> You can use the rotary 3 so that the telnets are accepted on 3003 also.
> But I don't know if you can disable all vty lines for telnet and still
> be able to telnet on 3003. I am not sure if it's possible.
>
> and if you DON'T disable telnet input by using transport input telnet
>
> you can telnet to the box on standard 23 port and also on 3003.
> Both are accessible for me.
>

Could be this ...

!
! NBAR classifies Telnet on its well-known port (TCP/23) only
class-map match-any KILL_TELNET
 match protocol telnet
!
! Drop anything NBAR classified as Telnet
policy-map POLICY_IN
 class KILL_TELNET
  drop
!
! Apply the policy inbound on the interface the peer reaches us through
interface Tunnel1245
 service-policy input POLICY_IN
!
! rotary 3 makes the VTYs also listen on TCP 3003, which the policy does not match
line vty 0 4
 rotary 3
!

Rack1R2#
Rack1R2#telnet 100.4.4.4
Trying 100.4.4.4 ...
% Connection timed out; remote host not responding

Rack1R2#telnet 100.4.4.4 3003
Trying 100.4.4.4, 3003 ... Open

User Access Verification

Password:
Rack1R4>

But it seems like a _huge_ overkill to me :\ ... I'm guessing there might be
some other simpler way

[]s
rodrigo

--
=========================================
\     .-.     +++ Rodrigo Paes +++       \
/     /v\    CCIE #14054 (R&S and SP)    /
\    // \\   LPIC2 #19753                \ 
/   /(   )\  Linux User #324449          /
\    ^^-^^                               \
/   jabber: panfleto@jabber.org          /
\   gtalk : rodp43s@gmail.com            \
 ==========================================


This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART