Re: Lab do and dont's..VTY access

From: seyfert . (seyfert22@googlemail.com)
Date: Wed Jun 11 2008 - 04:52:35 ART


Thanks all,

I found this too,
If the question asks to disconnect the session if idle for 3 minutes,
we use
line vty 0 15
  login local
  autocommand access-enable timeout 3

If the question says "ensure every 30 minutes, the user must re-authenticate":
access-list 100 dynamic 101 timeout 30 permit tcp any host 150.1.3.3 eq telnet
access-list 100 deny tcp any host 150.1.3.3 eq telnet
access-list 100 permit ip any any

Correct me, if I'm wrong....

Thanks

Yohanes BW

=======================================================================

On Wed, Jun 11, 2008 at 2:25 PM, CCIE3000 <ccie3000@googlemail.com> wrote:

> Hi Yohanes,
>
> I wanted to play with this a little bit as I haven't touched it for a
> while. I've configured some stuff in the lab and hopefully it will help you
> understand a bit further.
>
> R1====R2 (loop 0 150.1.2.2) ===R3 (loop 0 150.1.3.3)
>
> The below acl is configured inbound on R2 on the interface connecting to
> R1.
>
> You are stopping telnets to 150.1.3.3 unless you pass authentication on
> R2.
>
> access-list 100 dynamic 101 permit tcp any host 150.1.3.3 eq telnet
> access-list 100 deny tcp any host 150.1.3.3 eq telnet
> access-list 100 permit ip any any
>
> =======================================================================
>
> With the below if you telnet to R2 with username NOC and pass
> authentication then when you do a show ip access-list you will see the
> dynamic entry which will now allow you to telnet to R3 loop 0. If you just
> want to connect to R2 then you'll use the username USER
>
> username NOC password 0 CISCO
> username NOC autocommand access-enable host timeout 5
> username USER password 0 CISCO
>
> line vty 0 4
> login local
> =======================================================================
> Now with the autocommand on the vty lines it doesn't matter whether you use
> the NOC or USER usernames, the autocommand will take effect. This means that
> if you pass authentication you will be able to telnet to R3 loop 0, but you
> won't be able to connect via telnet to R2.
>
> username NOC password 0 CISCO
> username USER password 0 CISCO
>
> line vty 0 4
> login local
> autocommand access-enable host timeout 5
> =======================================================================
> With the below if you telnet to R2 then again whatever username you use,
> once again the autocommand will take effect, yep, you can telnet to R3 loop
> 0 but you won't be able to connect to R2 without a dynamic acl being entered
> and you being kicked off R2.
>
> BUT, if you telnet to 3023 then you will be able to use either username
> and telnet onto R2 and stay there.
>
> username NOC password 0 CISCO
> username USER password 0 CISCO
>
> line vty 0 3
> login local
> autocommand access-enable host timeout 5
> line vty 4
> login local
> rotary 23
>
> Now, getting back to what vty lines to configure it on, I still say double
> check with proctor.
>
> And the two for one offer we are running this week.
>
> With the acl if you use a numbered acl then you'll be able to run the
> following command and clear the dynamic acl without having to wait for it to
> timeout.
>
> clear ip access-template
> Must be numbered ACLs though.
>
> Hope the above helps, anyone else, if you spot something with the above
> which isn't right then do please let me know.
> Cheers,
>
>
>
> On 6/11/08, mgreenlee@ipexpert.com <mgreenlee@ipexpert.com> wrote:
>>
>> By default, VTY lines connect in order, so vty line 0 would be used first.
>> Also, being prompted for a username instead of just a password should be a
>> pretty good indicator.
>>
>> Alternatively, you could use something like service linenumber to see what
>> line you are connecting on.
>>
>>
>> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
>> Senior Technical Instructor - IPexpert, Inc.
>> Telephone: +1.810.326.1444
>> Fax: +1.810.454.0130
>> Mailto: mgreenlee@ipexpert.com
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> seyfert .
>> Sent: Tuesday, June 10, 2008 10:18 PM
>> To: bdennis@internetworkexpert.com
>> Cc: Cisco certification; SAM Meng Wai
>> Subject: Re: Lab do and dont's..VTY access
>>
>> If we configure for
>>
>> line vty 0 4
>> login local
>> line vty 5 14
>> password CISCO
>> login
>> and we only have the local database with
>> username RDP password CISCO
>>
>> How do we know, if someone telnets to the router, whether he will use
>> login authentication or local authentication?
>>
>>
>> Thanks
>>
>> Yohanes BW
>>
>> On Wed, Jun 11, 2008 at 6:48 AM, Brian Dennis <
>> bdennis@internetworkexpert.com> wrote:
>>
>> > As a side note the switches in the lab will have 16 VTY lines and not 5.
>> >
>> > Rack1SW1(config)#do sho run | in vty
>> > line vty 0 4
>> > line vty 5 15
>> > Rack1SW1(config)#
>> >
>> > Brian Dennis, CCIEx5 #2210 (R&S/ISP-Dial/Security/SP/Voice)
>> > bdennis@internetworkexpert.com
>> >
>> > Internetwork Expert, Inc.
>> > http://www.InternetworkExpert.com
>> > Toll Free: 877-224-8987
>> > Direct: +1-775-544-1653 (Outside the US and Canada)
>> >
>> > >----- Original Message -----
>> > Subject: Lab do and dont's..VTY access
>> > Date: Tue, June 10, 2008 10:14
>> > From: "seyfert ." <seyfert22@googlemail.com>
>> >
>> > > I was reviewing my workbook, and have this question
>> > >
>> > > user in Vlan 7 must authenticate to SW1 with username RDP and pass
>> CISCO
>> > > before he can access server x.x.x.x
>> > >
>> > > I know the answer... but I get confused where to put it,
>> > > whether to put it in vty 0 or vty 0 4.
>> > >
>> > > My question is
>> > > if I change the vty access to
>> > > login local
>> > >
>> > > Do I need to change all vty lines, or just vty 0?
>> > >
>> > > Anyone would help with this verification.
>> > >
>> > >
>> > > Thanks
>> > >
>> > > Yohanes BW
>> > >
>> > >
>> > >
>> _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>>
>>
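The pieces quoted in this thread pulled together into one complete lock-and-key configuration for R2 in the R1==R2==R3 topology. This is an added example, not the configuration of any poster here; the interface name FastEthernet0/0, the dynamic-list name LOCKKEY and the two timer values (3 minutes idle, 30 minutes absolute) are assumptions chosen to show both timers side by side.

```cisco
! Added example (not from the thread): lock-and-key on R2 for R1==R2==R3.
! Assumptions: R1 attaches to FastEthernet0/0, the dynamic list is named
! LOCKKEY, idle timeout 3 min, absolute timeout 30 min.
!
! Local users. Either one may open the dynamic entry; USER exists so that
! the rotary line below still has a plain management login.
username NOC secret CISCO
username USER secret CISCO
!
! Dynamic entry first, static deny second, everything else permitted.
! 'timeout 30' on the dynamic line is the ABSOLUTE lifetime in minutes:
! the temporary entry is removed after 30 minutes even if traffic is still
! flowing, so the user has to authenticate on R2 again to reach 150.1.3.3.
access-list 100 dynamic LOCKKEY timeout 30 permit tcp any host 150.1.3.3 eq telnet
access-list 100 deny tcp any host 150.1.3.3 eq telnet
access-list 100 permit ip any any
!
interface FastEthernet0/0
 description link towards R1
 ip access-group 100 in
!
! vty 0-3: once 'login local' succeeds, access-enable inserts the temporary
! entry for the caller's own source address ('host') and the session is
! dropped. 'timeout 3' here is the IDLE timeout in minutes; IOS requires it
! to be less than the absolute timeout on the ACL.
line vty 0 3
 login local
 autocommand access-enable host timeout 3
!
! vty 4 is reserved for interactive management of R2 itself. 'rotary 23'
! makes it reachable on TCP port 3023 (3000 + rotary group), bypassing the
! autocommand so an operator cannot lock himself out of R2.
line vty 4
 login local
 rotary 23
!
! Verification and manual teardown (exec mode):
!   show ip access-lists 100
!     -> temporary entries appear under the 'Dynamic LOCKKEY' line once a
!        user has authenticated
!   clear ip access-template 100 LOCKKEY any host 150.1.3.3
!     -> removes the temporary entries without waiting for either timer
```

On a switch with sixteen vty lines (the case Brian Dennis raises above), give `line vty 5 15` the same `login local` and autocommand treatment: a caller who arrives when lines 0-4 are busy lands on line 5 and is handled by whatever that line's own configuration says, not by what you put on 0-4.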



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART