Configuring an ACL on VTY Lines (Telnet/SSH)
Welcome to Network Engineer Pro. I’m Rafael, CCIE 64356 in routing and switching.
I’m working on a ton of content (videos, labs and more) to help you learn networking. If you want to stay up to date on what I’m working on and be the first to know, head to my website, where you can sign up and get notified:
➤ https://www.networkengineerpro.com/
You can also follow me on Facebook:
➤ https://www.facebook.com/NetworkEngineerPro
Amazon affiliate links to recommended reading material
The CCNA 200-301 Official Cert Guide Volume 1
➤ https://amzn.to/3AWwjXh
The CCNA 200-301 Official Cert Guide Volume 2
➤ https://amzn.to/3wv81QQ
For those of you who want to take your studies to the CCIE level, here are the first two books (of many) you should get your hands on.
Routing TCP/IP, Volume 1
➤ https://amzn.to/3ARnVZj
Routing TCP/IP, Volume 2
➤ https://amzn.to/3k8wfxB
————————————————————————————————————–
If you are new and don’t know how SSH works, watch this. It will bring you up to speed.
SSH Tutorial
In this video I explain and show you how to configure an Access Control List (ACL) and apply it to your VTY Lines (Telnet or SSH).
Configuring SSH is a must; never use Telnet, which sends your credentials and every command across the network in cleartext.
Once the basic configuration to get SSH up and running is in place, anyone with IP reachability to the router or switch can connect to its SSH service. If they also have (or guess) valid credentials and have malicious intent, they can do whatever those credentials allow.
Allowing SSH to a network device from any IP address is a security concern for most organizations. To address this you can restrict who can access the VTY lines on a device by applying an ACL inbound on those VTYs, so that only your management hosts ever see the login prompt.
You can also control which destinations a user can reach from the router’s VTYs (for example, hopping from the router on to another device) by applying an access list outbound on the VTYs, but I only focus on inbound in this video.
An ACL is applied to VTY lines with the “access-class” command under line configuration mode (not with “ip access-group”, which is for interfaces). You reference a specific ACL, by number or name, and a direction (in or out). The ACL is evaluated top to bottom against each connection attempt, the first matching entry wins, and a connection that matches no entry is dropped by the implicit deny at the end of every ACL.
The configuration for the extended access control list I used in this video is:
enable
conf t
ip access-list extended SSH-ACCESS
permit tcp 10.140.1.0 0.0.0.255 any eq 22
deny tcp any any log
I then applied it to line vty 0 15 on my router by using:
line vty 0 15
access-class SSH-ACCESS in
This allows SSH from the 10.140.1.0/24 subnet only. Because the permit entry matches TCP port 22 only, the ACL also rejects Telnet (port 23) attempts from any source, and the explicit “deny tcp any any log” entry records every blocked attempt in syslog instead of dropping it silently, which the implicit deny would not do. Note that “access-class” filters IPv4 only; if the device is also reachable over IPv6, create a separate IPv6 access list and apply it with “ipv6 access-class”.
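As an added example, not the configuration from the video, here is the complete VTY hardening that this ACL normally sits inside. The hostname, domain name, username and password are placeholders you would replace; the management subnet 10.140.1.0/24 and the ACL name SSH-ACCESS are the ones used above. Lines beginning with “!” are IOS comments.

```cisco
! Added example, not from the video. Hostname, domain name, username and
! password are placeholders; 10.140.1.0/24 is the management subnet used above.
hostname R1
ip domain-name lab.example.com
!
! Local account for SSH logins. "secret" stores a hashed password; never use
! "password", which is stored reversibly (type 7) or in plaintext.
username netadmin privilege 15 secret ChangeMe-Str0ng!
!
! RSA key pair for the SSH server (2048 bits is the practical minimum),
! then force SSH version 2 and cap failed attempts per session.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
!
! Slow down password guessing from hosts the ACL does permit:
! after 3 failed logins within 60 seconds, refuse logins for 120 seconds.
login block-for 120 attempts 3 within 60
!
! The ACL from the video: management subnet only, SSH port only,
! and log everything else that tries to reach the VTYs.
ip access-list extended SSH-ACCESS
 permit tcp 10.140.1.0 0.0.0.255 any eq 22
 deny   tcp any any log
!
! For contrast, the weak "just get SSH working" VTY config looks like this:
!   line vty 0 15
!    transport input all      <- Telnet and SSH both accepted, from anywhere
!    login local
!   (no access-class, no exec-timeout)
!
! Hardened version:
line vty 0 15
 access-class SSH-ACCESS in
 transport input ssh
 login local
 exec-timeout 10 0
 logging synchronous
```

Apply this from the console or from a session that originates inside the permitted subnet, then test one SSH connection from a permitted host and one from a non-permitted host before saving with “copy running-config startup-config”; getting the subnet or wildcard mask wrong locks you out of every VTY at once. “show ip access-lists SSH-ACCESS” shows the per-entry match counters, so you can confirm the permit entry is being hit and that the deny entry is catching the rest, and “show users” lists the sessions currently on the VTYs. “transport input ssh” is belt-and-braces with the ACL: even if someone later loosens the ACL, Telnet stays disabled on the lines.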
I hope everyone enjoyed this video, if so subscribe and let me know in the comments, have an awesome day everyone and lab on!
#CCNA #CCNP #CCIE
Source by Network Engineer Pro