comp.dcom.sys.cisco Frequently Asked Questions (FAQ)
Section - How should I restrict access to my router?



Top Document: comp.dcom.sys.cisco Frequently Asked Questions (FAQ)
Previous Document: How does one interpret buffer statistics?
Next Document: What can I do about source routing?
Many admins are concerned about unauthorized access to their routers
from malicious people on the Internet; one way to prevent this
is to restrict access to your router on the basis of IP address.

Many people do this; however, it should be noted that a significant number
of network service providers allow unrestricted access to their routers
so that others can debug, examine routes, etc. If you're comfortable doing
this, so much the better, and we thank you!

If you wish to restrict access to your router, select a free IP access
list (numbered from 1-100) -- enter ``sh access-list'' to see those
numbers in use.

        yourrouter#sh access-list
        Standard IP access list 5
            permit 192.94.207.0, wildcard bits 0.0.0.255

Next, enter the IP addresses you wish to allow access to your router
from; remember that access lists contain an implicit "deny everything"
at the end, so there is no need to include that. In this case, 30
is free:

        yourrouter#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
        yourrouter(config)#^Z

(This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*.)
Enter multiple lines for multiple addresses; be sure that you don't
restrict the address you may be telnetting to the router from.

Next, examine the output of ``sh line'' for all the vty's (Virtual ttys)
that you wish to apply the access list to. In this example, I want
lines 2 through 12:

        yourrouter#sh line
         Tty Typ    Tx/Rx    A Modem  Roty AccO AccI  Uses    Noise   Overruns
           0 CTY             -    -      -    -    -     0        0        0/0
           1 AUX  9600/9600  -    -      -    -    -     1  3287605        1/0
        *  2 VTY  9600/9600  -    -      -    -    7    55        0        0/0
           3 VTY  9600/9600  -    -      -    -    7     4        0        0/0
           4 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           5 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           6 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           7 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           8 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           9 VTY  9600/9600  -    -      -    -    7     0        0        0/0
          10 VTY  9600/9600  -    -      -    -    7     0        0        0/0
          11 VTY  9600/9600  -    -      -    -    -     0        0        0/0
          12 VTY  9600/9600  -    -      -    -    -     0        0        0/0


Apply the access list to the relevant lines:

        yourrouter#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        yourrouter(config)#line 2 12
        yourrouter(config-line)# access-class 30 in
        yourrouter(config-line)# ^Z

(This applies access list 30 to lines 2 through 12. It's important to
restrict access to the aux port (line 1) if you have a device (such
as a CSU/DSU) plugged into it.)

Be sure to save your configuration with ``write mem''.
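The two things that go wrong with this procedure are forgetting a vty block (so some lines stay open to the whole Internet) and writing an access list that does not include the address you administer from (so you lock yourself out). The following Python script is an added example, not part of the FAQ, that checks a saved running-config for both: it parses a numbered standard access list, evaluates a source address against it with Cisco wildcard-mask semantics and the implicit deny at the end, and lists every "line vty" block that has no inbound access-class. The configuration text and addresses in it are constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample running-config (not from any real router): ACL 30 is
# applied to vty 0-4 but the vty 5-12 block was forgotten.
SAMPLE_CONFIG = """\
!
access-list 30 permit 172.30.0.0 0.0.255.255
access-list 30 permit host 192.0.2.10
!
line con 0
line aux 0
line vty 0 4
 access-class 30 in
 login
line vty 5 12
 login
!
"""

Entry = Tuple[str, int, int]  # (action, network as int, wildcard mask as int)


def parse_standard_acl(config: str, number: int) -> List[Entry]:
    """Collect the entries of numbered standard ACL `number`, in config order."""
    entries: List[Entry] = []
    pat = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue
        action, addr, wc = m.group(2), m.group(3), m.group(4)
        if addr == "host":            # "host A.B.C.D" == "A.B.C.D 0.0.0.0"
            addr, wc = wc, "0.0.0.0"
        elif addr == "any":           # "any" == "0.0.0.0 255.255.255.255"
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif wc is None:              # a bare address is a host match
            wc = "0.0.0.0"
        entries.append((action,
                        int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wc))))
    return entries


def acl_permits(entries: List[Entry], source: str) -> bool:
    """First-match evaluation, then the implicit 'deny everything' at the end."""
    src = int(ipaddress.IPv4Address(source))
    for action, net, wc in entries:
        # A wildcard bit of 1 means "don't care"; 0 bits must match the network.
        care = ~wc & 0xFFFFFFFF
        if (src & care) == (net & care):
            return action == "permit"
    return False


def unprotected_vty_lines(config: str) -> List[str]:
    """Return the 'line vty A B' headers whose block has no 'access-class N in'."""
    unprotected: List[str] = []
    current: Optional[str] = None
    protected = False
    for raw in config.splitlines() + ["!"]:   # sentinel closes the last block
        if not raw.startswith(" "):            # non-indented line ends a block
            if current and not protected:
                unprotected.append(current)
            current = raw.strip() if raw.startswith("line vty") else None
            protected = False
        elif current and re.match(r"\s*access-class\s+\d+\s+in\b", raw):
            protected = True
    return unprotected


def audit(config: str, acl_number: int, admin_sources: List[str]) -> dict:
    """Summarise both failure modes for a config and the addresses you manage from."""
    entries = parse_standard_acl(config, acl_number)
    return {
        "unprotected_vty": unprotected_vty_lines(config),
        "locked_out": [s for s in admin_sources if not acl_permits(entries, s)],
    }


if __name__ == "__main__":
    # 198.51.100.5 is a constructed "management station" missing from ACL 30.
    print(audit(SAMPLE_CONFIG, 30, ["172.30.1.1", "198.51.100.5"]))
```

Run it against `show running-config` output saved to a file before you type `write mem`; if `locked_out` is non-empty, add a permit line for that address first, and if `unprotected_vty` lists anything, apply the access-class to those lines too (the FAQ's `line 2 12` covers one contiguous range; check that it spans every vty `sh line` reports).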

Please note that access lists for incoming telnet connections do NOT
cause your router to perform significant CPU work, unlike access lists
on interfaces.


Send corrections/additions to the FAQ Maintainer:
cisco-faq@panix.com (comp.dcom.sys.cisco FAQ responses)
Last Update March 27 2014 @ 02:11 PM