How To Control VTY (Telnet) Access
Active interfaces on a network router can be accessed by users on the network if they are not properly secured. Users or hackers may try to Telnet to the router through its VTY lines. To prevent this, the best practice is to use a standard IP access list to restrict which networks or IP addresses are allowed to Telnet to the router. Because a standard IP access list applied to the VTY lines filters on source address only, you do not need to specify the Telnet protocol or a destination address: it does not matter which interface address a user or hacker picks as the target of the Telnet session.
Using a standard IP access list to restrict VTY access lets you define which IP addresses are allowed Telnet access to the router's EXEC process. You control which workstations or networks can reach your router by writing an ACL and applying it with an access-class statement on your VTY lines.
You can also use extended access lists for this, but then you have to apply them inbound on every interface; imagine doing that on a large network with dozens, if not hundreds, of interfaces!
We use the network topology below as an example:
Below, we create a standard IP access list that permits only the host 192.168.30.10 (or a set of hosts) to Telnet to router R1. The commands and configuration look like this:
R1#config t
! Standard ACL 10: match on source address only (everything else is implicitly denied)
R1(config)#access-list 10 permit 192.168.30.10
! Apply the ACL inbound on the VTY lines rather than on each interface
R1(config)#line vty 0 4
R1(config-line)#access-class 10 in
This configuration means that only the host with IP address 192.168.30.10 is allowed to Telnet to (or otherwise log in to) router R1; every other source is dropped by the standard access list's implicit deny at the end of the list.
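As an added example that is not part of the original page, the same control extended the way a production router would usually carry it: the single host from the page plus a management subnet (192.168.30.0/24 is an assumed value), an explicit deny with logging so rejected attempts show up in syslog, and the access-class applied to all VTY lines rather than only 0 to 4. The number of VTY lines (here 0 15) depends on the platform; check it with `show line` first.

```cisco
! Added example, not the original page's configuration.
! Standard ACL 10 filters on source address only.
R1(config)#access-list 10 remark VTY-ACCESS: only management hosts reach EXEC
R1(config)#access-list 10 permit host 192.168.30.10
! Wildcard mask 0.0.0.255 matches the whole 192.168.30.0/24 (assumed mgmt LAN)
R1(config)#access-list 10 permit 192.168.30.0 0.0.0.255
! Make the implicit deny explicit and log it, so refused logins are visible
R1(config)#access-list 10 deny any log
! Apply to every VTY line; lines left without an access-class stay reachable
R1(config)#line vty 0 15
R1(config-line)#access-class 10 in
R1(config-line)#end
! Verify: per-entry match counters increase as hosts are permitted or refused
R1#show access-lists 10
R1#show line vty 0 15
```

The `deny any log` entry changes nothing about what is blocked, but it turns each refused Telnet attempt into a log line that a monitoring system can alert on.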