From: CCIE3000 (ccie3000@googlemail.com)
Date: Wed Jun 11 2008 - 04:25:00 ART
Hi Yohanes,
I wanted to play with this a little bit as I haven't touched it for a while.
I've configured some stuff in the lab and hopefully it will help you
understand a bit further.
R1====R2 (loop 0 150.1.2.2) ===R3 (loop 0 150.1.3.3)
The below acl is configured inbound on R2 on the interface connecting to R1.
You are stopping telnets to 150.1.3.3 unless you pass authentication on R2.
access-list 100 dynamic 101 permit tcp any host 150.1.3.3 eq telnet
access-list 100 deny tcp any host 150.1.3.3 eq telnet
access-list 100 permit ip any any
=======================================================================
With the below, if you telnet to R2 with username NOC and pass authentication,
then when you do a show ip access-list you will see the dynamic entry which
will now allow you to telnet to R3 loop 0. If you just want to connect to R2
then you'll use the username USER.
username NOC password 0 CISCO
username NOC autocommand access-enable host timeout 5
username USER password 0 CISCO
line vty 0 4
login local
=======================================================================
Now with the autocommand on the vty lines it doesn't matter whether you use
the NOC or USER username; the autocommand will take effect. This means that
if you pass authentication you will be able to telnet to R3 loop 0 but you
won't be able to connect via telnet to R2.
username NOC password 0 CISCO
username USER password 0 CISCO
line vty 0 4
login local
autocommand access-enable host timeout 5
=======================================================================
With the below, if you telnet to R2 then again, whatever username you use,
once again the autocommand will take effect: yep, you can telnet to R3 loop
0 but you won't be able to connect to R2 without a dynamic acl being entered
and you being kicked off R2.
BUT, if you telnet to 3023 then you will be able to use either username and
telnet onto R2 and stay there.
username NOC password 0 CISCO
username USER password 0 CISCO
line vty 0 3
login local
autocommand access-enable host timeout 5
line vty 4
login local
rotary 23
Now, getting back to what vty lines to configure it on, I still say double
check with proctor.
And the two for one offer we are running this week.
With the acl, if you use a numbered acl then you'll be able to run the
following command and clear the dynamic acl without having to wait for it to
time out.
clear ip access-template
Must be numbered ACLs though.
Hope the above helps. Anyone else, if you spot something with the above
which isn't right then do please let me know.
Cheers,
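An added example, not code from the thread or from any of the posters: a small Python audit that answers the question running through this thread (which authentication does a Telnet session hit on a given VTY, and does a lock-and-key autocommand fire there). It parses a constructed IOS config excerpt assembled from the variants above; the parser and its function name are assumptions, not an IOS feature.

```python
# Added example (not from the thread): parse a constructed IOS config excerpt and
# report, per VTY number, whether a Telnet login hits the local database, a line
# password, or 'login' with no password set, and whether a lock-and-key
# 'autocommand access-enable' fires on that line. The parser is hypothetical.
import re

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")

def audit_vty(config):
    vtys, current = {}, []          # current = VTY numbers in the open 'line vty' block
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(first, last + 1))
            for n in current:
                vtys.setdefault(n, {"auth": "none", "password": None, "autocommand": None})
            continue
        if not raw.startswith(" "):  # blank, '!' or any other top-level command closes the block
            current = []
            continue
        cmd = raw.strip()
        for n in current:
            e = vtys[n]
            if cmd == "login local":
                e["auth"] = "local"
            elif cmd == "login":     # line password; IOS refuses the login if none is set
                e["auth"] = "line-password" if e["password"] else "login-no-password"
            elif cmd.startswith("password "):
                e["password"] = cmd.split(None, 1)[1]
                if e["auth"] == "login-no-password":
                    e["auth"] = "line-password"
            elif cmd.startswith("autocommand "):
                e["autocommand"] = cmd.split(None, 1)[1]
    return vtys

# Constructed excerpt: the third variant from the message above, plus a switch's
# extra VTYs 5-15 guarded by a line password as in the quoted question.
SAMPLE_CONFIG = """\
line vty 0 3
 login local
 autocommand access-enable host timeout 5
line vty 4
 login local
 rotary 23
line vty 5 15
 password CISCO
 login
"""
```

Running audit_vty(SAMPLE_CONFIG) shows VTYs 0-3 using the local database with the autocommand, VTY 4 using the local database with no autocommand, and VTYs 5-15 using the line password, which is exactly the split the question asks about.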
On 6/11/08, mgreenlee@ipexpert.com <mgreenlee@ipexpert.com> wrote:
>
> By default, VTY lines connect in order, so vty line 0 would be used first.
> Also, being prompted for a username instead of just a password should be a
> pretty good indicator.
>
> Alternatively, you could use something like service linenumber, to see what
> line you are connecting on.
>
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> Senior Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: mgreenlee@ipexpert.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> seyfert .
> Sent: Tuesday, June 10, 2008 10:18 PM
> To: bdennis@internetworkexpert.com
> Cc: Cisco certification; SAM Meng Wai
> Subject: Re: Lab do and dont's..VTY access
>
> If we configure for
>
> line vty 0 4
> login local
> line 5 14
> pass CISCO
> login
> and we only have local database about
> username RDP pass CISCO
>
> How do we know that if someone telnets to the router, he will use login
> authentication or local authentication?
>
>
> Thanks
>
> Yohanes BW
>
> On Wed, Jun 11, 2008 at 6:48 AM, Brian Dennis <
> bdennis@internetworkexpert.com> wrote:
>
> > As a side note the switches in the lab will have 16 VTY lines and not 5.
> >
> > Rack1SW1(config)#do sho run | in vty
> > line vty 0 4
> > line vty 5 15
> > Rack1SW1(config)#
> >
> > Brian Dennis, CCIEx5 #2210 (R&S/ISP-Dial/Security/SP/Voice)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com <http://www.internetworkexpert.com/>
> > Toll Free: 877-224-8987
> > Direct: +1-775-544-1653 (Outside the US and Canada)
> >
> > >----- Original Message -----
> > Subject: Lab do and dont's..VTY access
> > Date: Tue, June 10, 2008 10:14
> > From: "seyfert ." <seyfert22@googlemail.com>
> >
> > > I was reviewing my workbook, and have this question
> > >
> > > user in Vlan 7 must authenticate to SW1 with username RDP and pass CISCO
> > > before he can access server x.x.x.x
> > >
> > > I know the answer...but I get confused where to put it..
> > > whether I put it in vty 0 ...or vty 0 4.
> > >
> > > My question is
> > > if I change the vty access to
> > > login local
> > >
> > > Do I need to change all vtys, or just vty 0?
> > >
> > > Anyone would help with this verification.
> > >
> > >
> > > Thanks
> > >
> > > Yohanes BW
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
>