Re: Lab do and dont's..VTY access

From: seyfert . (seyfert22@googlemail.com)
Date: Wed Jun 11 2008 - 04:53:09 ART


On Wed, Jun 11, 2008 at 2:52 PM, seyfert . <seyfert22@googlemail.com> wrote:

> Thanks all,
>
> I found this too,
> If the question asks to disconnect the session when idle for 3 minutes,
> we use
> line vty 0 15
> login local
> autocommand access-enable timeout 3
>
>
>
> If the question says "ensure every 30 minutes, the user must re-authenticate"
> access-list 100 dynamic 101 timeout 30 permit tcp any host 150.1.3.3 eq telnet
> access-list 100 deny tcp any host 150.1.3.3 eq telnet
> access-list 100 permit ip any any
>
>
> Correct me if I'm wrong.
>
>
>
> Thanks
>
> Yohanes BW
>
>
>
> =======================================================================
>
> On Wed, Jun 11, 2008 at 2:25 PM, CCIE3000 <ccie3000@googlemail.com>
> wrote:
>
>> Hi Yohanes,
>>
>> I wanted to play with this a little bit as I haven't touched it for a
>> while. I've configured some stuff in the lab and hopefully it will help you
>> understand a bit further.
>>
>> R1====R2 (loop 0 150.1.2.2) ===R3 (loop 0 150.1.3.3)
>>
>> The below acl is configured inbound on R2 on the interface connecting to
>> R1.
>>
>> You are stopping telnets to 150.1.3.3 unless you pass authentication on
>> R2.
>>
>> access-list 100 dynamic 101 permit tcp any host 150.1.3.3 eq telnet
>> access-list 100 deny tcp any host 150.1.3.3 eq telnet
>> access-list 100 permit ip any any
>>
>> =======================================================================
>>
>> With the below, if you telnet to R2 with username NOC and pass
>> authentication, then when you do a show ip access-list you will see the
>> dynamic entry which will now allow you to telnet to R3 loop 0. If you just
>> want to connect to R2 then you'll use the username USER.
>>
>> username NOC password 0 CISCO
>> username NOC autocommand access-enable host timeout 5
>> username USER password 0 CISCO
>>
>> line vty 0 4
>> login local
>> =======================================================================
>> Now with the autocommand on the vty lines it doesn't matter whether you
>> use the NOC or USER username; the autocommand will take effect. This means
>> that if you pass authentication you will be able to telnet to R3 loop 0, but
>> you won't be able to connect via telnet to R2.
>>
>> username NOC password 0 CISCO
>> username USER password 0 CISCO
>>
>> line vty 0 4
>> login local
>> autocommand access-enable host timeout 5
>> =======================================================================
>> With the below, if you telnet to R2 then again, whatever username you use,
>> the autocommand will take effect: yep, you can telnet to R3 loop 0, but you
>> won't be able to connect to R2 without a dynamic ACL being entered and you
>> being kicked off R2.
>>
>> BUT, if you telnet to 3023 then you will be able to use either username
>> and telnet onto R2 and stay there.
>>
>> username NOC password 0 CISCO
>> username USER password 0 CISCO
>>
>> line vty 0 3
>> login local
>> autocommand access-enable host timeout 5
>> line vty 4
>> login local
>> rotary 23
>>
>> Now, getting back to what vty lines to configure it on, I still say
>> double check with proctor.
>>
>> And the two for one offer we are running this week.
>>
>> With the ACL, if you use a numbered ACL then you'll be able to run the
>> following command and clear the dynamic ACL without having to wait for it to
>> time out.
>>
>> clear ip access-template
>> Must be numbered ACLs though.
>>
>> Hope the above helps. Anyone else, if you spot something with the above
>> which isn't right then please do let me know.
>> Cheers,
>>
>>
>>
>> On 6/11/08, mgreenlee@ipexpert.com <mgreenlee@ipexpert.com> wrote:
>>>
>>> By default, VTY lines connect in order, so vty line 0 would be used
>>> first. Also, being prompted for a username instead of just a password
>>> should be a pretty good indicator.
>>>
>>> Alternatively, you could use something like service linenumber to see
>>> what line you are connecting on.
>>>
>>>
>>> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
>>> Senior Technical Instructor - IPexpert, Inc.
>>> Telephone: +1.810.326.1444
>>> Fax: +1.810.454.0130
>>> Mailto: mgreenlee@ipexpert.com
>>>
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> seyfert .
>>> Sent: Tuesday, June 10, 2008 10:18 PM
>>> To: bdennis@internetworkexpert.com
>>> Cc: Cisco certification; SAM Meng Wai
>>> Subject: Re: Lab do and dont's..VTY access
>>>
>>> If we configure for
>>>
>>> line vty 0 4
>>> login local
>>> line 5 14
>>> pass CISCO
>>> login
>>> and we only have a local database with
>>> username RDP pass CISCO
>>>
>>> How do we know, if someone telnets to the router, whether he will use login
>>> authentication or local authentication?
>>>
>>>
>>> Thanks
>>>
>>> Yohanes BW
>>>
>>> On Wed, Jun 11, 2008 at 6:48 AM, Brian Dennis <
>>> bdennis@internetworkexpert.com> wrote:
>>>
>>> > As a side note the switches in the lab will have 16 VTY lines and not 5.
>>> >
>>> > Rack1SW1(config)#do sho run | in vty
>>> > line vty 0 4
>>> > line vty 5 15
>>> > Rack1SW1(config)#
>>> >
>>> > Brian Dennis, CCIEx5 #2210 (R&S/ISP-Dial/Security/SP/Voice)
>>> > bdennis@internetworkexpert.com
>>> >
>>> > Internetwork Expert, Inc.
>>> > http://www.InternetworkExpert.com
>>> > Toll Free: 877-224-8987
>>> > Direct: +1-775-544-1653 (Outside the US and Canada)
>>> >
>>> > >----- Original Message -----
>>> > Subject: Lab do and dont's..VTY access
>>> > Date: Tue, June 10, 2008 10:14
>>> > From: "seyfert ." <seyfert22@googlemail.com>
>>> >
>>> > > I was reviewing my workbook and have this question:
>>> > >
>>> > > user in Vlan 7 must authenticate to SW1 with username RDP and pass CISCO
>>> > > before he can access server x.x.x.x
>>> > >
>>> > > I know the answer... but I get confused where to put it,
>>> > > whether I put it in vty 0 or vty 0 4.
>>> > >
>>> > > My question is
>>> > > if I change the vty access to
>>> > > login local
>>> > >
>>> > > Do I need to change all vty lines, or just vty 0?
>>> > >
>>> > > Would anyone help with this verification?
>>> > >
>>> > >
>>> > > Thanks
>>> > >
>>> > > Yohanes BW
>>> > >
>>> > >
>>> > >
>>> > > _______________________________________________________________________
>>> > > Subscription information may be found at:
>>> > > http://www.groupstudy.com/list/CCIELab.html
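Added example, not from anyone in the thread: a small Python audit of the vty stanzas in a saved IOS running-config. It expands every "line vty A B" range into individual lines and groups vty 0 through 15 by the authentication method and autocommand a session landing on that line would get, so a split like "vty 0 4 login local / vty 5 14 password + login" or a forgotten vty 15 on a 16-line switch shows up directly. The config text is constructed for illustration, and parse_vty_lines and audit_vty are hypothetical helper names.

```python
import re
from collections import defaultdict
# Constructed sample, not a real device's config: vty 0-4 use 'login local' plus an
# autocommand as in the thread, vty 5-14 a line password, and vty 15 is left untouched.
SAMPLE_CONFIG = """\
line vty 0 4
 login local
 autocommand access-enable host timeout 5
line vty 5 14
 password CISCO
 login
"""
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
def parse_vty_lines(config):
    """Expand each 'line vty A [B]' stanza into one record per physical vty line."""
    lines, current = {}, []
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            current = list(range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1))
            for n in current:
                lines.setdefault(n, {"auth": "login", "password": False, "autocommand": None})
        elif not raw.startswith(" "):  # any other top-level command ends the stanza
            current = []
        else:
            cmd = raw.strip()
            for rec in (lines[n] for n in current):
                if cmd in ("login", "login local", "no login"):
                    rec["auth"] = cmd
                elif cmd.startswith("password "):
                    rec["password"] = True
                elif cmd.startswith("autocommand "):
                    rec["autocommand"] = cmd.split(" ", 1)[1]
    return lines

def audit_vty(config, vty_count=16):
    """Group vty 0..vty_count-1 by what a session landing there gets; >1 group = inconsistent."""
    groups, lines = defaultdict(list), parse_vty_lines(config)
    for n in range(vty_count):
        rec = lines.get(n)
        if rec is None:
            key = "unconfigured (IOS line defaults apply)"
        else:
            key = rec["auth"]
            if key == "login":
                key += " with password" if rec["password"] else " WITHOUT password"
            if rec["autocommand"]:
                key += " + autocommand " + rec["autocommand"]
        groups[key].append(n)
    return dict(groups)
```

Run audit_vty on the output of "show running-config" saved to a file; one group means every vty line was covered, several means which line you happen to land on decides how you authenticate.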



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART