01-05-2013 03:14 AM
If you're sure that disabling Telnet is not going to give you an operational challenge, it's definitely a good idea to disable it globally and always use SSHv2 instead.
Regarding the ACLs, I tend not to worry about those from interfaces facing interior networks (so as to allow for management flexibility) unless a customer has a strict industry compliance conformity to adhere to. For interfaces facing public networks, I tend to apply a very strict ACL.
Furthermore, I tend to actually have that public ACL redirect incoming SSHv2 sessions from a non-well-known port. For example, I set my SSHv2 client with a destination port of 650 on the controller IP, and then set a redirect rule in the controller ACL, redirecting port 650 traffic to 22. Before that rule, I deny port 22. The result is that you're less prone to some brute SSH and scripted attacks. Fewer alerts on your monitoring platforms too!
01-07-2013 01:13 AM
We have configured 5 VLANs on the controller. I want only one VLAN to be able to access it through telnet; the other VLANs must be restricted.
Please advise how to configure the ACL for this scenario.
Syed Murad Ali
ACMP ACMA CCNA
01-10-2013 07:02 AM
Do you mean:
A. You only want clients with an IP source address within that one specific VLAN to be able to telnet to the controller
B. You want telnet permitted to all IP routed traffic (regardless of source IP) coming in via the SVI associated with that specific VLAN on the controller?
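The two ACL scenarios discussed in this thread (the public-side "deny 22, redirect 650 to 22" rule order from the first reply, and the "telnet from one VLAN only" request with its two possible readings, A by source address and B by ingress SVI) are easier to reason about with a small first-match ACL simulator. The block below is an added illustration, not ArubaOS configuration or code from any poster; the rule fields, the subnet 10.1.10.0/24, the VLAN numbers, the 203.0.113.0/24 test addresses and the assumption that a dst-nat action is terminal (it permits the flow with the destination port rewritten) are all chosen for the example.

```python
"""Ordered first-match ACL simulator (added example, not ArubaOS code).

Assumptions made for illustration: rules match on destination port, source
CIDR and ingress VLAN; the first matching rule wins; a 'dst-nat' rule is
terminal and permits the flow with the destination port rewritten; anything
unmatched falls through to an implicit deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IPv4 address
    dport: int          # TCP destination port
    ingress_vlan: int   # VLAN whose SVI the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit", "deny" or "dst-nat"
    dport: Optional[int] = None          # None matches any port
    src_net: str = "any"                 # "any" or a CIDR string
    ingress_vlan: Optional[int] = None   # None matches any VLAN
    nat_port: Optional[int] = None       # rewritten dport for dst-nat

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src_net != "any" and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.ingress_vlan is not None and self.ingress_vlan != pkt.ingress_vlan:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (verdict, effective destination port) for pkt under acl."""
    for rule in acl:
        if rule.matches(pkt):
            if rule.action == "dst-nat":
                return "permit", rule.nat_port
            return rule.action, pkt.dport
    return "deny", pkt.dport          # implicit deny at the end of the list


# Scenario 1: public-facing ACL in the order the first reply describes.
PUBLIC_ACL = [
    Rule("deny", dport=22),                    # direct SSH on the well-known port is dropped
    Rule("dst-nat", dport=650, nat_port=22),   # clients using port 650 reach sshd on 22
    Rule("deny", dport=23),                    # never telnet from the public side
]

# Scenario 2, reading A: telnet only from addresses inside the management subnet.
MGMT_NET = "10.1.10.0/24"   # assumed subnet of the permitted VLAN
MGMT_VLAN = 10              # assumed VLAN id of the permitted VLAN
BY_SOURCE_ACL = [
    Rule("permit", dport=23, src_net=MGMT_NET),
    Rule("deny", dport=23),
    Rule("permit"),           # everything that is not telnet is left alone
]

# Scenario 2, reading B: telnet only when the packet enters via the management SVI.
BY_VLAN_ACL = [
    Rule("permit", dport=23, ingress_vlan=MGMT_VLAN),
    Rule("deny", dport=23),
    Rule("permit"),
]


def scenario_results() -> Dict[str, Tuple[str, int]]:
    """Evaluate constructed test packets; returns verdicts keyed by scenario."""
    internet_ssh = Packet("203.0.113.7", 22, ingress_vlan=1)
    internet_650 = Packet("203.0.113.7", 650, ingress_vlan=1)
    mgmt_telnet = Packet("10.1.10.25", 23, ingress_vlan=10)
    other_telnet = Packet("10.1.20.25", 23, ingress_vlan=20)
    # Management-subnet source address arriving on another VLAN's SVI
    # (spoofed or routed in): readings A and B disagree on this packet.
    spoofed_telnet = Packet("10.1.10.99", 23, ingress_vlan=20)
    return {
        "public_ssh22": evaluate(PUBLIC_ACL, internet_ssh),
        "public_650": evaluate(PUBLIC_ACL, internet_650),
        "A_mgmt": evaluate(BY_SOURCE_ACL, mgmt_telnet),
        "A_other": evaluate(BY_SOURCE_ACL, other_telnet),
        "A_spoofed": evaluate(BY_SOURCE_ACL, spoofed_telnet),
        "B_mgmt": evaluate(BY_VLAN_ACL, mgmt_telnet),
        "B_other": evaluate(BY_VLAN_ACL, other_telnet),
        "B_spoofed": evaluate(BY_VLAN_ACL, spoofed_telnet),
    }


if __name__ == "__main__":
    for name, (verdict, port) in scenario_results().items():
        print(f"{name:13s} -> {verdict} (port {port})")
```

The spoofed_telnet packet is the reason the distinction between A and B matters: a source-address rule (A) admits it, an ingress-SVI rule (B) rejects it, so the two readings of "only one VLAN can telnet" produce different policies for the same packet.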