CCIE Pursuit Blog

August 13, 2008

Internetwork Expert Volume II: Lab 12 – Section 9

Section 9 – Security – 3 Points

9.1 Traffic Filtering

Allow telnet access to r6 only from an NMS at 129.16.46.100.  Log all attempts from unauthorized devices.

Let’s start with our ACL – remember that we need to add an explicit deny statement for logging (the implicit deny at the end of the list never logs):

Rack16R6(config)#ip access-list ex TASK_9_1
Rack16R6(config-ext-nacl)#perm tcp host 129.16.46.100 any eq 23
Rack16R6(config-ext-nacl)#deny tcp any any eq 23 log

Now just apply this to the vty lines:

Rack16R6(config-ext-nacl)#line vty 0 4
Rack16R6(config-line)#access-class TASK_9_1 in
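Before moving on to verification, here is an added example (my own, not from the post or from Internetwork Expert) of checking the same policy offline against a saved running-config. It assumes a config captured with show run, where IOS displays port 23 as telnet, and flags the two slips that most often cost points on this task: a final deny without the log keyword, and a vty range with no access-class at all. The sample configs and the NMS address are constructed to match the task text.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config excerpts (not captured from the lab). IOS shows
# 'eq 23' as 'eq telnet' in the running config, so the entries are written that way.
GOOD_CONFIG = """\
!
ip access-list extended TASK_9_1
 permit tcp host 129.16.46.100 any eq telnet
 deny   tcp any any eq telnet log
!
line vty 0 4
 access-class TASK_9_1 in
 login
!
"""

# Same policy with two common slips: no 'log' on the final deny (unauthorized
# attempts are then dropped silently) and no access-class on vty 5 15.
BAD_CONFIG = """\
!
ip access-list extended TASK_9_1
 permit tcp host 129.16.46.100 any eq telnet
 deny   tcp any any eq telnet
!
line vty 0 4
 access-class TASK_9_1 in
 login
line vty 5 15
 login
!
"""


def parse_extended_acls(config: str) -> Dict[str, List[str]]:
    """Map each named extended ACL to its entries, in order."""
    acls: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is not None and line.startswith(" "):
            acls[current].append(" ".join(line.split()))  # collapse IOS column padding
            continue
        current = None  # any other top-level line ('!', 'line vty ...') ends the block
    return acls


def parse_vty_access_class(config: str) -> Dict[str, Optional[str]]:
    """Map each 'line vty X Y' stanza to the ACL applied inbound with access-class, or None."""
    vtys: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line (vty \d+(?: \d+)?)$", line)
        if m:
            current = m.group(1)
            vtys[current] = None
            continue
        if current is not None and line.startswith(" "):
            m = re.match(r"^\s*access-class (\S+) in$", line)
            if m:
                vtys[current] = m.group(1)
            continue
        current = None
    return vtys


def audit_vty_acl(config: str, nms_host: str) -> List[str]:
    """Return a list of findings; an empty list means the task 9.1 policy is met."""
    findings: List[str] = []
    acls = parse_extended_acls(config)
    vtys = parse_vty_access_class(config)
    checked_acls = set()
    if not vtys:
        return ["no 'line vty' stanza found"]
    for vty, acl_name in vtys.items():
        if acl_name is None:
            findings.append(f"line {vty}: no inbound access-class, telnet is open from any source")
            continue
        entries = acls.get(acl_name)
        if entries is None:
            findings.append(f"line {vty}: access-class {acl_name} references a missing extended ACL")
            continue
        if acl_name in checked_acls:
            continue
        checked_acls.add(acl_name)
        # The implicit deny at the end of every ACL does not log; only an explicit
        # 'deny ... log' entry produces %SEC-6-IPACCESSLOGP messages for refused attempts.
        if not entries or not re.match(r"^deny\b.*\blog(-input)?$", entries[-1]):
            findings.append(f"ACL {acl_name}: last entry is not an explicit 'deny ... log'")
        for entry in entries:
            if entry.startswith("permit") and f"host {nms_host}" not in entry:
                findings.append(f"ACL {acl_name}: permit entry not limited to NMS {nms_host}: '{entry}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_vty_acl(cfg, "129.16.46.100") or ["OK"])
```

Run it against a real show run capture by reading the file into a string and passing it to audit_vty_acl together with the NMS address the task specifies; the parsers only understand named extended ACLs and line vty stanzas, which is all this task needs.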

Verify:

Rack16R4#telnet 150.16.6.6
Trying 150.16.6.6 …
% Connection refused by remote host

Rack16R6#sh log | b Log Buffer
Log Buffer (4096 bytes):

Aug 13 14:17:37.053: %SYS-5-CONFIG_I: Configured from console by console
Aug 13 14:17:42.285: %SEC-6-IPACCESSLOGP: list TASK_9_1 denied tcp 129.16.46.4(43572) -> 0.0.0.0(23), 1 packet
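The %SEC-6-IPACCESSLOGP line above is the whole point of the explicit deny: it is what an NMS or syslog collector can alert on. As an added example (mine, not the post's), here is a small Python parser for that message format that totals denied telnet attempts per source address. The log buffer is constructed: the first two lines reproduce the format shown in the post, the remaining lines are made up so there is something to aggregate.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed log buffer (only the first two lines mirror the post's output).
# IOS reports repeated matches as a packet count rather than one line per packet.
# The last line would only appear if the permit entry also carried 'log'.
SAMPLE_LOG = """\
Aug 13 14:17:37.053: %SYS-5-CONFIG_I: Configured from console by console
Aug 13 14:17:42.285: %SEC-6-IPACCESSLOGP: list TASK_9_1 denied tcp 129.16.46.4(43572) -> 0.0.0.0(23), 1 packet
Aug 13 14:22:10.001: %SEC-6-IPACCESSLOGP: list TASK_9_1 denied tcp 129.16.46.4(43580) -> 0.0.0.0(23), 3 packets
Aug 13 14:25:03.117: %SEC-6-IPACCESSLOGP: list TASK_9_1 denied tcp 10.0.0.9(51000) -> 0.0.0.0(23), 1 packet
Aug 13 14:26:40.900: %SEC-6-IPACCESSLOGP: list TASK_9_1 permitted tcp 129.16.46.100(40100) -> 0.0.0.0(23), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class AclLogEvent:
    timestamp: str
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str  # shown as 0.0.0.0 in the post's vty access-class output; kept as text
    dport: int
    packets: int


def parse_acl_log_line(line: str) -> Optional[AclLogEvent]:
    """Parse one IOS log line; return None for messages that are not ACL log entries."""
    m = LOG_RE.search(line)
    if m is None:
        return None  # e.g. %SYS-5-CONFIG_I
    timestamp = line[: m.start()].rstrip(": ").strip()
    return AclLogEvent(
        timestamp=timestamp,
        acl=m.group("acl"),
        action=m.group("action"),
        proto=m.group("proto"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        packets=int(m.group("count")),
    )


def denied_by_source(log_text: str, acl: Optional[str] = None, dport: Optional[int] = None) -> Counter:
    """Total denied packets per source address, optionally limited to one ACL and one destination port."""
    totals: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_acl_log_line(line)
        if ev is None or ev.action != "denied":
            continue
        if acl is not None and ev.acl != acl:
            continue
        if dport is not None and ev.dport != dport:
            continue
        totals[ev.src] += ev.packets
    return totals


def sources_over_threshold(log_text: str, threshold: int, **filters) -> List[str]:
    """Sources whose denied packet total reaches the threshold; a simple alert condition."""
    return sorted(src for src, n in denied_by_source(log_text, **filters).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in denied_by_source(SAMPLE_LOG, acl="TASK_9_1", dport=23).most_common():
        print(f"{src:>15}  {n} denied telnet packet(s)")
    print("over threshold:", sources_over_threshold(SAMPLE_LOG, 2, acl="TASK_9_1", dport=23))
```

Feed it the output of show log (or the same messages from a syslog server) and the per-source totals make it easy to tell a one-off misconfigured host from something that keeps knocking on port 23.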


1 Comment »

  1. I use std ACLs for vty access

    Comment by shef — September 5, 2008 @ 11:58 am
