Controlling Telnet and SSH Access with ACLs

Access control lists (ACLs) can be used to control Telnet and SSH access to network devices. Telnet and SSH are both network protocols that allow remote access to devices, but SSH is considered more secure than Telnet because it encrypts traffic between the client and the server.

To control Telnet access with ACLs, you can create a named or numbered extended IP access list that denies Telnet traffic from specific source IP addresses and permits all other traffic. For example, to deny Telnet traffic from host 192.168.1.10 and permit all other traffic, you can use the following commands:

access-list 100 deny tcp host 192.168.1.10 any eq telnet
access-list 100 permit ip any any

This creates numbered ACL 100. Entries are checked in order and the first match wins, which is why the deny for the host is listed before the permit for everything else. To apply this ACL to an interface, you can use the following commands:

interface GigabitEthernet0/0
ip access-group 100 in

This applies the ACL to inbound traffic on interface GigabitEthernet0/0.

To control SSH access with ACLs, you can create a named or numbered extended IP access list that permits SSH traffic from specific source IP addresses and denies all other traffic. For example, to permit SSH traffic from host 192.168.1.10 and deny all other traffic, you can use the following commands:

access-list 101 permit tcp host 192.168.1.10 any eq ssh
access-list 101 deny ip any any

This creates numbered ACL 101. Because the explicit deny comes last, only SSH from 192.168.1.10 is permitted and everything else is dropped. To apply this ACL to an interface, you can use the following commands:

interface GigabitEthernet0/0
ip access-group 101 in

This applies the ACL to inbound traffic on interface GigabitEthernet0/0. Note that these ACLs only control Telnet and SSH access to the device. They do not control access to specific commands or features on the device. To control access to specific commands or features, you can use other mechanisms such as privilege levels or role-based access control (RBAC).
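As an added example (not part of this tutorial and not Cisco IOS code), the following Python simulates how IOS evaluates the two access lists above: entries are tried top-down, the first match decides, and anything unmatched falls to the implicit deny at the end. It also makes visible that ACL 101, applied inbound on an interface, drops every non-SSH packet arriving there, not just other management traffic; packet addresses used to exercise it are constructed.

```python
# Constructed example (not Cisco IOS code): a first-match evaluator for the
# numbered extended ACL syntax used on this page, with the implicit
# "deny ip any any" that IOS appends to the end of every access list.
PORTS = {"telnet": 23, "ssh": 22}

# The two ACLs from the tutorial, as they would appear in the running-config.
CONFIG = """
access-list 100 deny tcp host 192.168.1.10 any eq telnet
access-list 100 permit ip any any
access-list 101 permit tcp host 192.168.1.10 any eq ssh
access-list 101 deny ip any any
"""

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; None stands for the wildcard."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))

def parse_acls(text):
    """Group 'access-list N ...' lines into ordered entries keyed by ACL number."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        num, action, proto = tok[1], tok[2], tok[3]
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:  # optional destination-port match
            port = PORTS.get(rest[1]) or int(rest[1])
        acls.setdefault(num, []).append((action, proto, src, dst, port))
    return acls

def evaluate(entries, src_ip, dst_ip, proto, dport):
    """Return 'permit' or 'deny' for one packet. Entries are tried top-down
    and the first match decides; no match falls through to the implicit deny."""
    for action, p, s, d, port in entries:
        if (p in ("ip", proto) and s in (None, src_ip)
                and d in (None, dst_ip) and port in (None, dport)):
            return action
    return "deny"  # implicit deny ip any any

ACLS = parse_acls(CONFIG)
```

Call evaluate(ACLS["100"], src_ip, dst_ip, proto, dport) with a packet's fields to see which entry decides its fate; passing only the first entry of ACL 101 (ACLS["101"][:1]) gives the same verdicts as the full list, because the implicit deny does what the explicit last line does.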
