Occasional Contributor II

Disable Telnet or Apply ACL?

I only want to allow SSHv2 access to my controllers. What's a better practice, disabling telnet or applying an ACL to deny port 23 access?

Frequent Contributor II

Re: Disable Telnet or Apply ACL?

I think the result is the same; however, if you disable telnet in the CLI then it will be applied globally, while using ACLs you can specify which VLAN or port you want to control.

Re: Disable Telnet or Apply ACL?

If you're sure that disabling Telnet is not going to give you an operational challenge, it's definitely a good idea to disable it globally and always use SSHv2 instead.


Regarding the ACLs, I tend not to worry about those from interfaces facing interior networks (so as to allow for management flexibility) unless a customer has a strict industry compliance conformity to adhere to. For interfaces facing public networks, I tend to apply a very strict ACL.


Furthermore, I tend to actually have that public ACL redirect incoming SSHv2 sessions from a non-well-known port. For example, I set my SSHv2 client with a destination port of 650 on the controller IP, and then set a redirect rule in the controller ACL, redirecting port 650 traffic to 22. Before that rule, I deny port 22. The result is that you're less prone to some brute SSH and scripted attacks. Fewer alerts on your monitoring platforms too!



Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite

Re: Disable Telnet or Apply ACL?

By default, telnet is disabled....

Colin Joseph
Aruba Customer Engineering


Super Contributor II

Re: Disable Telnet or Apply ACL?

We have configured 5 VLANs on the controller. I want only one VLAN to be able to access it through telnet, and the other VLANs must be restricted.

Please advise how to configure an ACL for this scenario.

Thank You

Thanks & Regards
Syed Murad Ali

Re: Disable Telnet or Apply ACL?

Do you mean:

A. You only want clients with an IP source address within that one specific VLAN to be able to telnet to the controller

B. You want telnet permitted to all IP routed traffic (regardless of source IP) coming in via the SVI associated with that specific VLAN on the controller?


Kudos appreciated, but I'm not hunting! (ACMX 104)