Controlling Access to a Virtual Terminal Line



Similar documents
Configuring a Load-Balancing Scheme

Firewall Stateful Inspection of ICMP

Firewall Authentication Proxy for FTP and Telnet Sessions

BGP Link Bandwidth. Finding Feature Information. Contents

HTTP 1.1 Web Server and Client

Firewall Support for SIP

Virtual Fragmentation Reassembly

Configuring a Load-Balancing Scheme

Encrypted Preshared Key

Router Security Audit Logs

Image Verification. Finding Feature Information. Restrictions for Image Verification

Transferring Files Using HTTP or HTTPS

DHCP Server Port-Based Address Allocation

Flow-Based per Port-Channel Load Balancing

Firewall Stateful Inspection of ICMP

QoS: CBQoS Management Policy-to- Interface Mapping Support Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

RADIUS Server Load Balancing

Configuring Enhanced Object Tracking

This feature was introduced. This feature was integrated in Cisco IOS Release 12.2(11)T.

Simple Network Management Protocol

QoS: Color-Aware Policer

How To Import Ipv4 From Global To Global On Cisco Vrf.Net (Vf) On A Vf-Net (Virtual Private Network) On Ipv2 (Vfs) On An Ipv3 (Vv

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

Configuring a Load-Balancing Scheme

Implementing Object Tracking on Cisco IOS XR Software

BGP Link Bandwidth. Finding Feature Information. Prerequisites for BGP Link Bandwidth

Enhanced Password Security - Phase I

Constraining IP Multicast in a Switched Ethernet Network

Memory Leak Detector. Finding Feature Information. Last Updated: June 15, 2011

Easy Performance Monitor

Configuring VoIP Call Setup Monitoring

Cisco Video Surveillance Operations Manager Mobile App User Guide

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

USB Disable for Cisco ISRs Feature Module

Release Notes for Version 2 of the RAID Diagnostic Tool for Cisco Security, Web Security, and Content Security Management Appliances

L2TP Dial-Out Load Balancing and Redundancy

Configuring Secure Socket Layer HTTP

Enhanced Password Security - Phase I

Configuring SIP Support for SRTP

End of Sale/End of Life Report Tool Usage Notes for CiscoWorks NCM 1.6

Multiprotocol Label Switching Load Balancing

Digitally Signed Cisco Software

VRRPv3: Object Tracking Integration

Configuring Aggressive Load Balancing

Encrypted Preshared Key

Symbian User Guide for Cisco AnyConnect Secure Mobility Client, Release 2.4

Firewall Technologies. Access Lists Firewalls

NetFlow Subinterface Support

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre

IPSLA Y1731 On-Demand and Concurrent Operations

Network Data Encryption Commands

NetFlow v9 Export Format

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

GLBP - Gateway Load Balancing Protocol

Cisco IOS Flexible NetFlow Command Reference

Triple DES Encryption for IPSec

Per-Packet Load Balancing

Getting Started with Configuring Cisco IOS NetFlow and NetFlow Data Export

Configuring DNS. Finding Feature Information

Ethernet Overhead Accounting

QUICK START GUIDE. Cisco C170 Security Appliance

Cisco Configuration Professional Quick Start Guide

Lab 8: Confi guring QoS

IP Routing: ISIS Configuration Guide, Cisco IOS Release 12.4T

Lab Configure Cisco IOS Firewall CBAC

MPLS VPN Route Target Rewrite

Table of Contents. Configuring IP Access Lists

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

BGP Multipath Load Sharing for Both ebgp and ibgp in an MPLS-VPN

Basic Software Configuration Using the Cisco IOS Command-Line Interface

NAT TCP SIP ALG Support

PT Activity 8.1.2: Network Discovery and Documentation Topology Diagram

Cisco Unified Communications Self Care Portal User Guide, Release 10.5(1)

Lab Advanced Telnet Operations

Configuring IKEv2 Load Balancer

Lab Creating a Logical Network Diagram

LAB II: Securing The Data Path and Routing Infrastructure

Cisco UCS Director Payment Gateway Integration Guide, Release 4.1

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

IPv4 Supplement Tutorial - Job Aids and Subnetting

Installing and Configuring External Flash Memory Cards in Cisco 3600 Series Routers

Enabling and Monitoring NetFlow on Subinterfaces

Release Notes for Cisco IronPort Security Plug-in 7.3.1

8 steps to protect your Cisco router

- Basic Router Security -

Lab Developing ACLs to Implement Firewall Rule Sets

Cisco Nexus 1000V Virtual Ethernet Module Software Installation Guide, Release 4.0(4)SV1(1)

3.1 Connecting to a Router and Basic Configuration

Configuring Aggressive Load Balancing

Implementing Secure Shell

Configuring the Cisco Secure PIX Firewall with a Single Intern

Call Flows for Simple IP Users

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Connecting to the Firewall Services Module and Managing the Configuration

Lab Load Balancing Across Multiple Paths

Configuring Auto-MDIX

Cisco Jabber for Windows 10.5 Advanced Features Guide

Release Notes for Cisco C881G-U-K9

Lab 2 - Basic Router Configuration

Transcription:

Controlling Access to a Virtual Terminal Line First Published: August 18, 2006 Last Updated: August 18, 2006 You can control who can access the virtual terminal lines (vtys) to a router by applying an access list to inbound vtys. You can also control the destinations that the vtys from a router can reach by applying an access list to outbound vtys. Finding Feature Information Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information for Controlling Access to a Virtual Terminal Line section on page 9. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Contents Restrictions for Controlling Access to a Virtual Terminal Line, page 2 Information About Controlling Access to a Virtual Terminal Line, page 2 How to Control Access to a Virtual Terminal Line, page 2 Configuration Examples for Controlling Access to a Virtual Terminal Line, page 6 Where to Go Next, page 7 Additional References, page 7 Feature Information for Controlling Access to a Virtual Terminal Line, page 9 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Restrictions for Controlling Access to a Virtual Terminal Line Controlling Access to a Virtual Terminal Line Restrictions for Controlling Access to a Virtual Terminal Line When you apply an access list to a vty (by using the access-class command), the access list must be a numbered access list, not a named access list. Information About Controlling Access to a Virtual Terminal Line Benefits of Controlling Access to a Virtual Terminal Line, page 2 Benefits of Controlling Access to a Virtual Terminal Line By applying an access list to an inbound vty, you can control who can access the lines to a router. By applying an access list to an outbound vty, you can control the destinations that the lines from a router can reach. How to Control Access to a Virtual Terminal Line Controlling Inbound Access to a vty, page 2 Controlling Outbound Access to a vty, page 4 Controlling Inbound Access to a vty SUMMARY STEPS Perform this task when you want to control access to a vty coming into the router by using an access list. Access lists are very flexible; this task illustrates one access-list deny command and one access-list permit command. You will decide how many of each command you should use and their order to achieve the restrictions you want. 1. enable 2. configure terminal 3. access-list access-list-number deny {source [source-wildcard] any} [log] 4. access-list access-list-number permit {source [source-wildcard] any} [log] 5. line vty line-number [ending-line-number] 6. access-class access-list-number in [vrf-also] 7. exit 8. Repeat Steps 5 and 6 for each line to set identical restrictions on all the virtual terminal lines because a user can connect to any of them. 9. end 10. show line [line-number summary] 2

Controlling Access to a Virtual Terminal Line How to Control Access to a Virtual Terminal Line DETAILED STEPS Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 Step 5 Router# configure terminal access-list access-list-number deny {source [source-wildcard] any} [log] Router(config)# access-list 1 deny 172.16.7.34 access-list access-list-number permit {source [source-wildcard] any}[log] Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255 line vty line-number [ending-line-number] Router(config)# line vty 5 10 (Optional) Denies the specified source based on a source address and wildcard mask. If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address. Optionally use the keyword any as a substitute for the source source-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255. In this example, host 172.16.7.34 is denied passing the access list. Permits the specified source based on a source address and wildcard mask. If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address. Optionally use the keyword any as a substitute for the source source-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255. In this example, hosts on network 172.16.0.0 (other than the host denied in the prior step) pass the access list, meaning they can access the vtys identified in the line command. Identifies a specific line for configuration and enters line configuration mode. Entering the line command with the optional line type vty designates the line number as a relative line number. You also can use the line command without specifying a line type. In this case, the line number is treated as an absolute line number. 3

How to Control Access to a Virtual Terminal Line Controlling Access to a Virtual Terminal Line Step 6 Step 7 Command or Action access-class access-list-number in [vrf-also] Router(config-line)# access-class 1 in vrf-also exit Purpose Restricts incoming connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in the access list. If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VPN routing and forwarding (VRF) instance are rejected. Returns the user to the next highest configuration mode. Step 8 Step 9 Router(config-line)# exit Repeat Steps 5 and 6 for each line to set identical restrictions on all the vtys because a user can connect to any of them. end If you indicated the full range of vty lines in Step 5 with the line command, you do not need to repeat Steps 5 and 6. Returns the user to privileged EXEC mode. Step 10 Router(config-line)# end show line [line-number summary] Displays parameters of a terminal line. Router# show line 5 Controlling Outbound Access to a vty SUMMARY STEPS Perform this task when you want to control access from a vty to a destination. Access lists are very flexible; this task illustrates one access-list deny command and one access-list permit command. You will decide how many of each command you should use and their order to achieve the restrictions you want. When a standard access list is applied to a line with the access-class out command, the address specified in the access list is not a source address (as it is in an access list applied to an interface), but a destination address. 1. enable 2. configure terminal 3. access-list access-list-number deny {destination [destination-wildcard] any}[log] 4. access-list access-list-number permit {destination [destination-wildcard] any}[log] 5. line vty line-number [ending-line-number] 6. access-class access-list-number out 7. exit 8. Repeat Steps 5 and 6 for each line to set identical restrictions on all the virtual terminal lines because a user can connect to any of them. 4

Controlling Access to a Virtual Terminal Line How to Control Access to a Virtual Terminal Line 9. end 10. show line [line-number summary] DETAILED STEPS Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 Step 5 Router# configure terminal access-list access-list-number deny {destination [destination-wildcard] any} [log] Router(config)# access-list 2 deny 172.16.7.34 access-list access-list-number permit {source [source-wildcard] any} [log] Router(config)# access-list 2 permit 172.16.0.0 0.0.255.255 line vty line-number [ending-line-number] Router(config)# line vty 5 10 Denies line access to the specified destination based on a destination address and wildcard mask. If the destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address. Optionally use the keyword any as a substitute for the destination destination-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255. In this example, host 172.16.7.34 is denied passing the access list, meaning the line cannot connect to it. Permits the specified source based on a source address and wildcard mask. If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address. Optionally use the keyword any as a substitute for the source source-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255. In this example, hosts on network 172.16.0.0 (other than the host denied in the prior step) pass the access list, meaning they can be connected to by the vtys identified in the line command. Identifies a specific line for configuration and enter line configuration mode. Entering the line command with the optional line type vty designates the line number as a relative line number. You also can use the line command without specifying a line type. In this case, the line number is treated as an absolute line number. 5

Configuration Examples for Controlling Access to a Virtual Terminal Line Controlling Access to a Virtual Terminal Line Step 6 Step 7 Command or Action access-class access-list-number out Router(config-line)# access-class 2 out exit Purpose Restricts connections between a particular vty (into a Cisco device) out to the networking devices associated with addresses in the access list. Returns the user to the next highest configuration mode. Step 8 Step 9 Router(config-line)# exit Repeat Steps 5 and 6 for each line to set identical restrictions on all the vtys because a user can connect to any of them. end If you indicated the full range of vtys in Step 5 with the line command, you do not need to repeat Steps 5 and 6. Returns the user to privileged EXEC mode. Step 10 Router(config-line)# end show line [line-number summary] Displays parameters of a terminal line. Router# show line 5 Configuration Examples for Controlling Access to a Virtual Terminal Line Controlling Inbound Access on vtys, page 6 Controlling Outbound Access on vtys, page 6 Controlling Inbound Access on vtys The following example defines an access list that permits only hosts on network 172.19.5.0 to connect to the virtual terminal lines 1 through 5 on the router. Because the vty keyword is omitted from the line command, the line numbers 1 through 5 are absolute line numbers. access-list 12 permit 172.19.5.0 0.0.0.255 line 1 5 access-class 12 in Controlling Outbound Access on vtys The following example defines an access list that denies connections to networks other than network 171.20.0.0 on terminal lines 1 through 5. Because the vty keyword is omitted from the line command, the line numbers 1 through 5 are absolute line numbers. access-list 10 permit 172.20.0.0 0.0.255.255 line 1 5 access-class 10 out 6

Controlling Access to a Virtual Terminal Line Where to Go Next Where to Go Next You can further secure a vty by configuring a password with the password line configuration command. See the password (line configuration) command in the Cisco IOS Security Command Reference. Additional References Related Documents Related Topic Cisco IOS commands Configuring a password on a line Document Title Cisco IOS Master Commands List, All Releases Cisco IOS Security Command Reference Standards Standard Title None MIBs MIB None MIBs Link To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs RFCs RFC Title None 7

Additional References Controlling Access to a Virtual Terminal Line Technical Assistance Description The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. Link http://www.cisco.com/cisco/web/support/index.html 8

Controlling Access to a Virtual Terminal Line Feature Information for Controlling Access to a Virtual Terminal Line Feature Information for Controlling Access to a Virtual Terminal Line Table 1 lists the features in this module and provides links to specific configuration information. Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Table 1 Feature Information for Controlling Access to a Virtual Terminal Line Feature Name Releases Feature Configuration Information Controlling Access to a Virtual Terminal Line 12.0(32)S4 You can control who can access the virtual terminal lines (vtys) to a router by applying an access list to inbound vtys. You can also control the destinations that the vtys from a router can reach by applying an access list to outbound vtys. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. 2006 Cisco Systems, Inc. All rights reserved. 9

Feature Information for Controlling Access to a Virtual Terminal Line Controlling Access to a Virtual Terminal Line 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information