CCNA LAB

ACL To Deny Telnet/SSH From A Network On Cisco Router – CCNA Lab

In this article, I will explain how we can stop access telnet by any host in a network. So stop telnet from accessing by a host of the network, I will use ACL. Why we would do that? I think you must think we want to block telnet for particular hosts or for a network. So friends block or deny hosts to access TELNET for security purposes. Yes, friends, we do this because we don’t want to give access to any unauthorized person to enter our system. So for safety reasons we filter the network traffic and allow some particular hosts to access telnet.

Friends, before moving on we must understand the concept of ACL. If you are already aware of ACL then it’s very good for you. But if you don’t know about ACL then don’t get worried, I’m here to tell you a brief knowledge of ACL so that you can understand the whole concept easily.

So let’s start with ACL –

QUE. What is the ACL? How does ACL works?

  • ACL stands for Access Control Lists.
  • ACL is a mechanism for identifying particular traffic.
  • In other words, ACL is an application to filter traffic into or out of a router interface.
  • So if we have an ACL on one router it will allow or deny services on the network.
  • To allow or deny any traffic on the network, we must create an access list on the router.
  • In the access list, we specify the hosts and networks that we want to allow and deny.
  • ACL either permits or denies traffic based on protocol, port number, source, destination, and time range. The range of customization is massive.

Types of ACL :

There are two types of ACL –

  • Standard Access Control Lists (ACLs) are used to filter traffic based on the set of rules defined for the incoming or outgoing of the network. … Standard Access-list – These are the Access-list which are made using the source IP address only. These ACLs permit or deny the entire protocol suite.
  • Extended Access Control Lists (ACLs) act as the gatekeeper of your network. They either permit or deny traffic based on protocol, port number, source, destination, and time range

So friends this is a brief overview of  ACL and its types.  Beginners must have at least this level of knowledge.  Now let’s start  –

Network Topology For ACL

Network Topology For ACL

 

Summery Of  Topology Diagram –

In this Lab, I have 3 Cisco PT-Routers, 3 switches, and 3 Pc Clients. I Connected Router3 with the cloud from where we will access the internet.  And On Router1, I will configure Telnet and ACL to block Telnet services.

Router3
  • Int Fa0/0 =  Network 1.0.0.1/8
  • Int Se2/0 = Network 6.0.0.1/8
  • Int Se3/0   =  Network 2.0.0.1/8
Router2
  • Int Fa0/0 =  Network 4.0.0.1/8
  • Int Se2/0 = Network 2.0.0.2/8
  • Int Se3/0   =  Network 3.0.0.1/8
Router1
  • Int Fa0/0 =  Network 5.0.0.1/8
  • Int Se2/0 = Network 3.0.0.2/8

Allowed Networks For Telnet Access –

  • Network 1.0.0.0/8
  • Network 2.0.0.0/8
  • Network 3.0.0.0/8
  • Network 5.0.0.0/8
  • Network 6.0.0.0/8

Denied Network for Telnet Service –

  • Network 4.0.0.0/8

So friends this is a brief overview of this topology. Now follow the below steps to perform this lab –

Step1. Configure the basic configuration on all routers

Step2. Give Static IP Address to all PC clients.

Step3. Do routing on the routers.

Step4. Ping all PC to other Network PC to make sure they are connected.

Step.5. Enable the Service of Telnet on Router1.

Step6. Create Standard ACL for Networks which you want to permit or deny for the service of Telnet.

Follow these 6 steps to complete this lab after these 6 steps check from all 3 networks 1.0.0.0/8, 4.0.0.0/8, and 5.0.0.0/8 that –

Can you access telnet?

All networks can access Telnet?

Which Network can’t access Telnet?

Perform this lab to answer these questions.

Now follow my commands to get the answer to the above questions.

Router 1

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 1.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit     
Router(config)#interface Serial2/0

Router(config-if)#ip address 2.0.0.2 255.0.0.0

Router(config-if)#no shutdown

Router(config-if)#exit    
Router(config)#interface Serial3/0

Router(config-if)#ip address 6.0.0.1 255.0.0.0

Router(config-if)#no shutdown

Router(config-if)#exit
Router(config)#router rip

Router(config-router)#network 2.0.0.0

Router(config-router)#network 3.0.0.0

Router(config-router)#network 4.0.0.0

Router(config-router)#exit

Router 2

Router>enable

Router#configure terminal

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 4.0.0.1 255.0.0.0

Router(config-if)#no shutdown

Router(config-if)#exit
Router(config)#interface Serial2/0

Router(config-if)#ip address 2.0.0.1 255.0.0.0

Router(config-if)#no shutdown

Router(config-if)#exit  
Router(config)#interface Serial3/0

Router(config-if)#ip address 3.0.0.1 255.0.0.0

Router(config-if)#no shutdown

Router(config-if)#exit 
Router(config)#router rip

Router(config-router)#network 2.0.0.0

Router(config-router)#network 3.0.0.0

Router(config-router)#network 4.0.0.0

Router(config-router)#exit

Router 1

Router>enable

Router#configure terminal

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 5.0.0.1 255.0.0.0

Router(config-if)#no shutdown

Router(config-if)#exit
Router(config)#interface Serial2/0

Router(config-if)#ip address 3.0.0.2 255.0.0.0

Router(config-if)#no shutdown

Router(config-if)#exit
Router(config)#router rip

Router(config-router)#network 5.0.0.0

Router(config-router)#network 3.0.0.0

Router(config-router)#exit

Now it’s time to configure ACL(Access Control List) on Router 1 so that we can block Telnet service for Network 4.0.0.0/8. So let’s do this –

First, enable the service of Telnet –

Router 1

Router>enable

R1#config terminal

Router(config)#enable password ccna

Router(config)#line vty 0 4

Router(config-line)#password telnet

Router(config-line)#login

Router(config-line)#exit

Now create the Access list For the Network which you want to allow or deny –

Router(config)#access-list 2 permit 1.0.0.0 0.255.255.255

Router(config)#access-list 2 permit 2.0.0.0 0.255.255.255

Router(config)#access-list 2 permit 3.0.0.0 0.255.255.255

Router(config)#access-list 2 permit 5.0.0.0 0.255.255.255

Router(config)#access-list 2 permit 6.0.0.0 0.255.255.255

Router(config)#access-list 2 deny 4.0.0.0 0.255.255.255

Router(config)#line vty 0 4

Router(config-line)#access-class 2 in

Router(config-line)#exit 

 

Friends we are done with the commands. It’s time to check the Network that which network can access Telnet and which is not?

So in the below image, I tried to log in on the router from the network 4.0.0.0/8 the PC IP add is 4.0.0.4 telnet but it refused to give access.  It was because we deny the traffic from network 4.0.0.0/8 in the ACL list.

 

Similarly, I log in on Router From Network 1.0.0.0/8 to access. Here I can easily Telnet on Router1 because allowed this network traffic in the ACL list you can in the below the IP address of the PC client is 1.0.0.3 and it is trying to access telnet and after putting password for telnet it is able to access the telnet service form this PC.

For practical lab, please watch the video 🙂

So friends this is all about How to configure ACL To Deny Telnet/SSH From A Network On Cisco Router. Friends, if you have doubts or any queries about this post then don’t hesitate to contact me. If you like my posts please share them with your friends.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s