Top Document: comp.dcom.sys.cisco Frequently Asked Questions (FAQ) Previous Document: How does one interpret buffer statistics? Next Document: What can I do about source routing? See reader questions & answers on this topic! - Help others by sharing your knowledge Many admins are concerned about unauthorized access to their routers from malicious people on the Internet; one way to prevent this is to restrict access to your router on the basis of IP address. Many people do this, however it should be noted that a significant number of network service providers allow unrestricted access to their routers to allow others to debug, examine routes, etc. If you're comfortable doing this, so much the better, and we thank you! If you wish to restrict access to your router, select a free IP access list (numbered from 1-100) -- enter ``sh access-list'' to see those numbers in use. yourrouter#sh access-list Standard IP access list 5 permit 192.94.207.0, wildcard bits 0.0.0.255 Next, enter the IP addresses you wish to allow access to your router from; remember that access lists contain an implicit "deny everything" at the end, so there is no need to include that. In this case, 30 is free: yourrouter#conf t Enter configuration commands, one per line. End with CNTL/Z. yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255 yourrouter(config)#^Z (This permits all IP addreses in the network 172.30.0.0, i.e. 172.30.*.*). Enter multiple lines for multiple addresses; be sure that you don't restrict the address you may be telnetting to the router from. Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply the access list to. In this example, I want lines 2 through 12: yourrouter#sh line Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns 0 CTY - - - - - 0 0 0/0 1 AUX 9600/9600 - - - - - 1 3287605 1/0 * 2 VTY 9600/9600 - - - - 7 55 0 0/0 3 VTY 9600/9600 - - - - 7 4 0 0/0 4 VTY 9600/9600 - - - - 7 0 0 0/0 5 VTY 9600/9600 - - - - 7 0 0 0/0 6 VTY 9600/9600 - - - - 7 0 0 0/0 7 VTY 9600/9600 - - - - 7 0 0 0/0 8 VTY 9600/9600 - - - - 7 0 0 0/0 9 VTY 9600/9600 - - - - 7 0 0 0/0 10 VTY 9600/9600 - - - - 7 0 0 0/0 11 VTY 9600/9600 - - - - - 0 0 0/0 12 VTY 9600/9600 - - - - - 0 0 0/0 Apply the access list to the relevant lines: yourrouter#conf t Enter configuration commands, one per line. End with CNTL/Z. yourrouter(config)#line 2 12 yourrouter(config-line)# access-class 30 in yourrouter(config-line)# ^Z (This apply access list 30 to lines 2 through 12. It's important to restrict access to the aux port (line 1) if you have a device (such as a CSU/DSU) plugged into it.a) Be sure to save your configuration with ``write mem''. Please note that access lists for incoming telnet connections do NOT cause your router to perform significant CPU work, unlike access lists on interfaces. User Contributions:Top Document: comp.dcom.sys.cisco Frequently Asked Questions (FAQ) Previous Document: How does one interpret buffer statistics? Next Document: What can I do about source routing? Single Page [ Usenet FAQs | Web FAQs | Documents | RFC Index ] Send corrections/additions to the FAQ Maintainer: cisco-faq@panix.com (comp.dcom.sys.cisco FAQ responses)
Last Update March 27 2014 @ 02:11 PM
|
Comment about this article, ask questions, or add new information about this topic: