Configure and verify ACLs to limit telnet and SSH access to the router

Exam: Cisco 200-301 - Cisco Certified Network Associate (CCNA)

This chapter discusses everything you need to know about the topic “Configure and verify ACLs to limit telnet and SSH access to the router” from the point of view of the CCNA exam. We hope it will help you prepare better for the exam. This topic is crucial from the exam point of view.

As we have already mentioned, an ACL (access control list) is basically a list of permissions that can be attached to an object. We will now discuss in detail how ACLs are configured. An ACL is nothing but a set of rules that specify the conditions a packet must fulfil in order to be accepted. The switch first needs to check whether an ACL applies to a packet; to do this, the packet is checked against the conditions that the ACL applies. The switch accepts and processes the packets that fulfil the conditions, and it denies and drops the packets that do not match. ACLs can be used effectively to protect hosts and networks. An ACL can be applied on IP addresses, on VLANs and also on MAC addresses.

The permit and deny commands are used to set the rules in an ACL. The source and the destination of the traffic must be mentioned in each rule. We will now discuss how an ACL can be applied to SSH (secure shell protocol) and to telnet. SSH is also a protocol; it provides a secured remote-access connection to the network device, and the communication with the client is encrypted. The WAAS device is the one used to limit SSH and telnet. The WAAS device is kept on the customer’s premises and is managed by the service provider. The WAE contains the definition of the WAAS. The ACLs defined on the router take precedence over the ACLs defined on the WAE.

In ACL configuration mode you can use the list, move and delete commands. These commands display and delete specific entries, and they can also change the order of the entries, which lets you arrange the entries in the order in which they must be evaluated. To get back to global configuration mode you must exit ACL configuration mode. To create an entry you use the “deny” and “permit” keywords, as we have already mentioned above. This holds good when you apply the ACL to SSH and telnet too.

In the case of a WAAS (wide area application server) device the ACL will often deny all entries, which is exactly why at least one permit entry must be included in order to create a valid access list. Once the ACL has been created on a WAAS device, the access list is applied to an access group with the access-group command, which also determines how the access list is applied. The access list can be applied to a specific command too. To create an extended ACL you enter ip access-list extended in global configuration mode. On WAAS a standard access list can be used too; such a list can provide access to the TFTP server or to the SNMP server.

The different types of ACL that can be used by WAAS devices are as follows:

  1. Interface ACL – this ACL controls traffic for the telnet and SSH protocols. In this case the ACL rule applies only to traffic that is supposed to reach the WAE. The ip access-group command, applied in interface configuration mode, is used for this interface ACL. In this chapter we discuss this ACL in more detail.
  2. Other ACLs used on WAAS devices are the interception ACL, SNMP ACL, WCCP ACL and transaction log flow ACL.

To use the interface ACL the following steps must be followed:

  1. It must have an application layer proxy firewall. This ensures that no ports are exposed. The WAAS device has an outside address that can be accessed from the internet, but the inside addresses are private. It is the inside interface that can limit SSH and telnet.
  2. A WAE that uses WCCP will mostly be located in the subnet of the internet router. The router and the WAE must always have an IP ACL. The IP access list gets priority over the IP ACLs.

The commands used to limit SSH access are shown below. This list accepts web traffic from anywhere but limits SSH access to a single host. The host keyword requires an address; 192.0.2.10 here is a constructed placeholder for the management host, not a value from the original example.

WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)# permit tcp any any eq www
WAE(config-ext-nacl)# permit tcp host 192.0.2.10 any eq ssh
WAE(config-ext-nacl)# exit
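To make the ordering rules and the implicit deny concrete, here is an added example (not WAAS or IOS code, and not from the original page) that parses entries in the permit/deny syntax shown above and evaluates sample packets against them with the same first-match logic a WAE or router uses. The host address 192.0.2.10, the WAE address 10.0.0.1 and the sample packets are constructed; the empty-list-permits-all rule follows the behaviour the page states for WAAS devices.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Service names used in the page's entries, resolved to their standard TCP ports.
PORT_NAMES = {"www": 80, "ssh": 22, "telnet": 23}


@dataclass(frozen=True)
class AddrSpec:
    """Cisco-style address match: a base address plus a wildcard mask
    in which 1 bits mean "don't care"."""
    base: int
    wildcard: int

    def matches(self, addr: str) -> bool:
        differing = int(IPv4Address(addr)) ^ self.base
        return differing & ~self.wildcard & 0xFFFFFFFF == 0


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _take_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrSpec(int(IPv4Address(tokens[i + 1])), 0), i + 2
    base, wildcard = IPv4Address(tokens[i]), IPv4Address(tokens[i + 1])
    return AddrSpec(int(base), int(wildcard)), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one 'permit|deny <proto> <src> <dst> [eq <port>]' entry."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, i = _take_addr(t, 2)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq" or i + 1 >= len(t):
            raise ValueError(f"unsupported port clause in {line!r}")
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, src, dst, dport)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return "permit" or "deny" for pkt.

    Entries are tried in order and the first match decides, which is why the
    list/move/delete ordering commands matter.  An empty list permits
    everything (the WAAS behaviour the page states); a non-empty list with no
    matching entry falls through to the implicit deny, which is why a valid
    list needs at least one permit entry.
    """
    if not acl:
        return "permit"
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.src.matches(pkt.src) and e.dst.matches(pkt.dst):
            return e.action
    return "deny"


def evaluate_lines(lines: List[str], pkt: Packet) -> str:
    """Convenience wrapper: parse textual entries, then evaluate."""
    return evaluate([parse_entry(line) for line in lines], pkt)


# The page's testextacl, with constructed host 192.0.2.10 standing in for the
# management station address that the 'host' keyword requires.
TESTEXTACL = [
    "permit tcp any any eq www",
    "permit tcp host 192.0.2.10 any eq ssh",
]

if __name__ == "__main__":
    # Constructed sample packets aimed at the WAE's (constructed) address 10.0.0.1.
    for pkt in (Packet("tcp", "203.0.113.5", "10.0.0.1", 80),
                Packet("tcp", "192.0.2.10", "10.0.0.1", 22),
                Packet("tcp", "198.51.100.7", "10.0.0.1", 22),
                Packet("tcp", "192.0.2.10", "10.0.0.1", 23)):
        print(pkt.src, "-> port", pkt.dport, evaluate_lines(TESTEXTACL, pkt))
```

The useful check is the one the page's text hints at but never shows: put `deny tcp any any eq ssh` ahead of the host-specific permit and the management host is locked out, because the first matching entry wins; swap the two lines (what the move command does on a WAE) and the host is permitted again.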

Some points that must be kept in mind when ACLs are used on WAAS devices are:

  1. The name of each ACL on a device must be unique.
  2. Each WAAS Central Manager can manage up to 50 IP ACLs and 500 conditions per device.
  3. If an empty ACL is set on a WAAS device it will permit all traffic.
  4. The IP ACL name must not be more than 30 characters long and must not contain spaces. If the name starts with a number it cannot contain any non-numeric characters.
  5. Previously configured IP ACLs can also be associated with SNMP and WCCP.
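The naming and capacity rules in the list above are easy to get wrong when an ACL set is generated by a script, so here is an added example (not part of the original page or of any Cisco tool) that checks a proposed set of IP ACLs against exactly those rules: unique names, at most 30 characters, no spaces, an all-digit name if it starts with a digit, and the 50-ACL / 500-condition limit per device. The sample ACL names and entries are constructed.

```python
from typing import List, Tuple

MAX_NAME_LEN = 30               # maximum IP ACL name length the page states
MAX_ACLS_PER_DEVICE = 50        # Central Manager limit the page states
MAX_CONDITIONS_PER_DEVICE = 500


def acl_name_problems(name: str) -> List[str]:
    """Return the naming rules a proposed IP ACL name breaks (empty list = acceptable)."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    if " " in name:
        problems.append("contains a space")
    if name[0].isdigit() and not name.isdigit():
        problems.append("starts with a digit but contains non-numeric characters")
    return problems


def device_acl_problems(acls: List[Tuple[str, List[str]]]) -> List[str]:
    """Check a device's ACL set, given as (name, entry lines) pairs.

    Reports duplicate names, per-name violations, and the per-device
    ACL and condition limits.  Each entry line counts as one condition.
    """
    problems = []
    seen = set()
    for name, _ in acls:
        if name in seen:
            problems.append(f"{name!r}: duplicate ACL name")
        seen.add(name)
        for p in acl_name_problems(name):
            problems.append(f"{name!r}: {p}")
    if len(acls) > MAX_ACLS_PER_DEVICE:
        problems.append(f"{len(acls)} ACLs exceeds the limit of {MAX_ACLS_PER_DEVICE}")
    conditions = sum(len(entries) for _, entries in acls)
    if conditions > MAX_CONDITIONS_PER_DEVICE:
        problems.append(
            f"{conditions} conditions exceeds the limit of {MAX_CONDITIONS_PER_DEVICE}")
    return problems


if __name__ == "__main__":
    # Constructed device configuration: one good list and three that break a rule.
    sample = [
        ("testextacl", ["permit tcp any any eq www", "permit tcp host 192.0.2.10 any eq ssh"]),
        ("mgmt acl", ["permit tcp host 192.0.2.10 any eq ssh"]),
        ("1st-acl", ["permit tcp any any eq www"]),
        ("testextacl", ["deny ip any any"]),
    ]
    for line in device_acl_problems(sample):
        print("problem:", line)
```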

The topic “Configure and verify ACLs to limit telnet and SSH access to the router” is a huge one, but these are the aspects of it that you must know well from the exam point of view. We hope that with these notes you will be able to do much better in the exam.
