Demonstration: Restrict Access to VTY (Telnet)
During Telnet access, the user name and password entered at login authenticate the visitor's identity, but Telnet itself accepts connections from any source IP address: the access sources cannot be restricted, which poses a security threat to the network device. This section therefore describes how to restrict VTY access.
Demonstration objective: configure VTY line access security.
Demo environment: the experiment environment is shown in Figure 10.33.
[Figure 10.33 (image): http://www.bkjia.com/uploads/allimg/131227/1606104c9-0.png]
Demonstration background: first complete the basic network configuration of the experiment environment shown in Figure 10.33, including the IP addresses of routers R1 and R2 and of the computers, and enable routing so that every IP node on the network can ping every other node. Then configure router R1 to accept Telnet. Once this is done, confirm that any IP node in the experiment environment can Telnet to router R1. Finally, use VTY access control so that only the IP nodes 192.168.2.2 and 192.168.2.100 can Telnet to router R1, while other IP nodes, such as 172.16.2.1, cannot reach router R1 through Telnet.
Demo steps:
Step 1: after completing the basic configuration of the experiment environment, enable the Telnet function on router R1, then Telnet from router R2, as shown in Figure 10.34. Note that whether the Telnet destination address is 192.168.2.1 or 172.16.1.1, the session actually lands on router R1, because both IP addresses belong to router R1, just on different interfaces. As long as the routes to both addresses are reachable and communication is not faulty, either address can be used to Telnet to router R1.
[Figure 10.34 (image): http://www.bkjia.com/uploads/allimg/131227/1606105N7-1.png]
Note: in this experiment environment, the source address of the Telnet session from router R2 to R1 is 192.168.2.2. By default, if no source address is explicitly specified, the IP address of the interface on router R2 that connects toward the destination router R1 is used as the source IP address of the Telnet session. To specify the source IP address explicitly during Telnet, use the following method.
As shown in Figure 10.35, router R2 uses different source addresses (E1/0, 192.168.2.2, and Lo1, 172.16.2.1) to Telnet to router R1. Because router R1 does not limit the Telnet access source, any source IP address can be used to Telnet to router R1. If the configuration is correct, this also applies to the other hosts that Telnet to router R1.
[Figure 10.35 (image): http://www.bkjia.com/uploads/allimg/131227/1606105161-2.png]
Step 2: now configure router R1 to restrict access to its VTY lines. Only the source IP address 192.168.2.2 and host A (192.168.2.100) can Telnet to router R1; any other source IP address is treated as illegal and its Telnet session to router R1 cannot be completed. The specific configuration is as follows:
R1(config)# access-list 1 permit host 192.168.2.2       * permit 192.168.2.2
R1(config)# access-list 1 permit host 192.168.2.100     * permit 192.168.2.100
R1(config)# line vty 0 4                                * enter VTY lines 0-4
R1(config-line)# access-class 1 in                      * apply access list 1 to inbound connections on the VTY lines
R1(config-line)# exit
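As an added illustration (not part of the original article), the following Python model shows how a standard IOS ACL applied with `access-class ... in` is evaluated against candidate Telnet source addresses: entries are checked top-down, the first match wins, and a source that matches nothing falls to the implicit deny at the end of every IOS ACL, which is why 172.16.2.1 is rejected. The ACL text is constructed to mirror access-list 1 on router R1; the `host`, `any` and address/wildcard forms are supported so the same logic generalises beyond the two-host case.

```python
"""Model of standard-ACL evaluation for VTY (access-class) filtering.
Added example, not the article's own code; ACL_1 is constructed to
match the demonstration's configuration on router R1."""
import ipaddress

# Constructed to mirror Step 2 of the demonstration.
ACL_1 = [
    "access-list 1 permit host 192.168.2.2",
    "access-list 1 permit host 192.168.2.100",
]


def parse_standard_acl(lines):
    """Parse standard ACL entries into (action, network_int, wildcard_int).
    Order is preserved: IOS evaluates entries top-down, first match wins."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        if tok[3] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif tok[3] == "host":
            if len(tok) < 5:
                raise ValueError(f"'host' needs an address: {line!r}")
            net, wild = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            net = int(ipaddress.IPv4Address(tok[3]))
            # A bare address without a wildcard mask means an exact host match.
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((tok[2], net, wild))
    return entries


def vty_source_allowed(entries, src_ip):
    """True if src_ip may open a VTY session through this ACL.
    No matching entry means the implicit `deny any` applies."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, wild in entries:
        # Wildcard bits set to 1 are "don't care"; compare the remaining bits.
        mask = ~wild & 0xFFFFFFFF
        if (src & mask) == (net & mask):
            return action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_1)
    for ip in ("192.168.2.2", "192.168.2.100", "172.16.2.1"):
        print(ip, "permitted" if vty_source_allowed(acl, ip) else "denied (implicit deny)")
```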
Step 3: after completing the preceding configuration, Telnet to router R1 again using different source IP addresses. As shown in Figure 10.36, logging on to router R1 with 172.16.2.1 as the source IP address is denied, whereas logging on with 192.168.2.2 as the source IP address succeeds; computer A should also be able to log on to router R1.
[Figure 10.36 (image): http://www.bkjia.com/uploads/allimg/131227/160610M04-3.png]
This article is from the "unknown Christ" blog. For more information, contact the author!