Ciscomania Forums
28th October 2007, 06:02 PM   #1
Administrator: admin
Join Date: Jul 2007
Location: New York
Posts: 18

Limiting your VTY access

Limiting Your VTY Access


Submitted by tolanid on Thu, 10/25/2007 - 1:23pm.
Having configured username and password prompts for our console and VTY connections, it’s time to implement other security functions on our router.
One of the important things we can do with a router is implement access lists for basic security. There are two types of access lists: numbered and named. And each of those is available in two flavors: standard and extended.
Numbered Access List: In the operating system, numbers 1-99 and 1300-1999 are reserved for standard access lists, and numbers 100-199 and 2000-2699 are reserved for extended access lists. The ICND2 and CCNA Boot Camp courses at Global Knowledge cover the ranges of numbers and everything that can be controlled with various access lists. In this article, we will just use a basic access list to protect our VTY ports. In simple terms, we will allow only certain IP addresses or certain network addresses to be able to telnet into our router.
Named Access List: A named access list allows us to refer to it by an alphanumeric name. That means instead of using a number, our access list could have a meaningful name, such as “control_telnet”, which makes its purpose very clear.
Standard Access List: With standard access lists, we can specify the source IP of the packet. So, we can check to see where the packet is coming from and, based on the packet’s source IP address, we can either allow or deny that traffic.
Extended Access List: With an extended access list, we can go into more granular details of what we wish to control. In addition to the source IP address, we can control the destination IP address, and we can check for source and destination port numbers and many other advanced parameters like TCP vs. UDP vs. ICMP, etc.
In our example, we will use a numbered standard access list. We will use access list number 1, though we could have picked any number in the standard access list range. This means that we can check the source IP address of the packet.
So, let’s say that we only want to allow one person to be able to telnet into our router. We can simply write the access list first, and then we can apply that to our VTY port (used for telnet purposes and covered in our previous articles). We’ll use wildcard mask to control specific bit patterns and only allow specific networks/subnetworks in almost any combination.
By the way, this procedure is covered in both the ICND2 class and the CCNA Boot Camp at Global Knowledge. There are also free white papers that cover some of these topics here.
Here we go with our example:
Backbone_NYC>enable
Backbone_NYC#config t
Backbone_NYC(config)#access-list 1 permit 131.107.2.14
In these lines, we’ve simply gone to global configuration mode, created an access list number 1, and permitted the packets sourced from 131.107.2.14. Now, how do we know that this is the source IP address and not the destination IP address? Because it’s a standard access list (1 is the first number in the standard access list range), and the only thing that the standard access list can do is check for the source address.
So far this access list is not doing anything, because we haven’t applied this condition anywhere. To better understand, let’s think of the access list as a security guard. We have hired the security guard, but we have not assigned the guard to any door. We can see this in our configuration (using “show startup-config” command), and it still has to be applied to whatever interface we wish to control. Since we want to control the VTY port, the command to access the VTY lines is given here:
Backbone_NYC(config)#line vty 0 4
Backbone_NYC(config-line)#access-class 1 in
Once we are in the line configuration mode, we can apply the access list 1 we created previously using the “access-class” command. “Access-class” applies this access list to the line configuration modes (VTY in this case).
Now, this will only allow the user with IP address 131.107.2.14 to be able to telnet into our device, and no other station will be allowed.
Wow! This simple example shows you the power of access lists. I hope to see you in one of the Global Knowledge courses to go into the details of access lists.
We have been playing with our routers in last few articles. It is time to see how the basics of switching work. Stay tuned!
For more information on these principles, Global Knowledge offers some of the best Cisco courses available. Granted, I’m somewhat prejudiced in this account.
__________________
-Admin
www.Ciscomania.net
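The post walks through the whole procedure (write the standard list, then apply it to the VTY lines with "access-class ... in") but never shows what the router actually evaluates when a connection arrives. The following Python script is an added example, not code from the article, from Global Knowledge or from Cisco: it parses a small "show running-config" style text and answers whether a login from a given source address would be admitted. It reproduces the rules stated in the post (standard lists check only the source address, entries are tried top-down, a wildcard-mask bit of 1 means "don't care", a list that is defined but not applied filters nothing, and anything unmatched falls to the implicit deny). The second sample configuration, with "host" and wildcard entries, goes beyond the article's single-host list to show how the wildcard mask admits a whole subnet; both configurations are constructed for this example.

```python
"""Model of a Cisco IOS standard ACL applied to the VTY lines with
'access-class N in'. Added example for this post, not Cisco code."""
import ipaddress
from dataclasses import dataclass

STANDARD_RANGES = ((1, 99), (1300, 1999))   # numbers reserved for standard lists


@dataclass
class Entry:
    action: str    # "permit" or "deny"
    network: int   # source address from the entry, as a 32-bit int
    wildcard: int  # wildcard mask as a 32-bit int; 1 bits are ignored


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_entry(parts):
    """Tokens after 'access-list N' -> Entry. Accepts the three IOS source
    spellings: 'any', 'host A.B.C.D', 'A.B.C.D [wildcard]' (default 0.0.0.0)."""
    action, rest = parts[0], parts[1:]
    if action not in ("permit", "deny") or not rest:
        raise ValueError(f"bad standard ACL entry: {' '.join(parts)}")
    if rest[0] == "any":
        return Entry(action, 0, 0xFFFFFFFF)
    if rest[0] == "host":
        return Entry(action, _addr(rest[1]), 0)
    wildcard = _addr(rest[1]) if len(rest) > 1 else 0
    return Entry(action, _addr(rest[0]), wildcard)


def parse_config(text: str):
    """Collect numbered standard ACLs and the list applied inbound on the
    VTY lines. Returns (acls: {number: [Entry, ...]}, applied: number or None)."""
    acls, applied, in_vty = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            parts = line.split()
            number = int(parts[1])
            if not any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
                raise ValueError(f"access-list {number} is not a standard list")
            acls.setdefault(number, []).append(_parse_entry(parts[2:]))
        elif line.startswith("line vty"):
            in_vty = True                   # entering "line vty 0 4"
        elif line.startswith("line ") or line == "!":
            in_vty = False                  # left the VTY block
        elif in_vty and line.startswith("access-class "):
            parts = line.split()
            if len(parts) >= 3 and parts[2] == "in":
                applied = int(parts[1])     # the guard assigned to the door
    return acls, applied


def matches(entry: Entry, source: int) -> bool:
    """Compare only the bits where the wildcard mask is 0."""
    care = 0xFFFFFFFF ^ entry.wildcard
    return (source & care) == (entry.network & care)


def vty_login_allowed(config: str, source_ip: str) -> bool:
    """Would a telnet/SSH connection from source_ip reach the login prompt?"""
    acls, applied = parse_config(config)
    if applied is None:
        return True   # list written but never applied: nothing is filtered
    entries = acls.get(applied, [])
    if not entries:
        return True   # IOS treats an empty or undefined list as permit-all
    source = _addr(source_ip)
    for entry in entries:          # first match wins, top to bottom
        if matches(entry, source):
            return entry.action == "permit"
    return False                   # implicit deny at the end of every ACL


# Constructed sample: the configuration the article builds.
ARTICLE_CONFIG = """
access-list 1 permit 131.107.2.14
!
line vty 0 4
 access-class 1 in
 login local
"""

# Constructed sample beyond the article: block one host, then admit the rest
# of its /24 with a wildcard mask; every other source hits the implicit deny.
SUBNET_CONFIG = """
access-list 10 deny   host 131.107.2.99
access-list 10 permit 131.107.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
"""

if __name__ == "__main__":
    for src in ("131.107.2.14", "131.107.2.15"):
        print(f"article config, {src}: {vty_login_allowed(ARTICLE_CONFIG, src)}")
    for src in ("131.107.2.99", "131.107.2.200", "131.107.3.1"):
        print(f"subnet config, {src}: {vty_login_allowed(SUBNET_CONFIG, src)}")
```

Run it as a script to see the two configurations evaluated; the useful checks to try against your own running-config text are a source you expect to be admitted, its neighbour one address away (which should fall to the implicit deny), and a config with the list defined but the "access-class" line missing, which admits everyone.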