CCNA 1 and 2 Companion Guide, Revised (Cisco Networking Academy Program) part 91
Cisco Networking Academy Program CCNA 1 and 2 Companion Guide, Revised part 91 is the Cisco approved textbook to use alongside version of the Cisco Networking Academy Program CCNA 1 and CCNA 2 web-based courses. The topics covered provide you with the necessary knowledge to begin your preparation for the CCNA certification exam (640-801, or 640-821 and 640-811) and to enter the field of network administration.

Restricting Virtual Terminal Access

Standard and extended ACLs apply to packets traveling through a router. They are not designed to block packets that originate within the router. By default, an outbound Telnet extended ACL does not prevent router-initiated Telnet sessions.

In addition to physical ports or interfaces on the router, such as Fa0/0 and S0/0, there are virtual ports. These virtual ports are called vty lines. There are five vty lines, which are numbered zero through four, as shown in Figure 20-16. For security purposes, users can be denied or permitted virtual terminal access to the router but denied access to destinations from that router. For example, an administrator can configure the ACL to allow terminal access to the router for management or troubleshooting purposes while at the same time restricting access beyond this router.

[Figure 20-16: Restricting vty Access with ACLs. Physical port: Ethernet 0. Virtual ports: vty 0-4.]

Restricting vty access is not commonly used as a traffic control mechanism; instead, it is for increasing network security. vty access is accomplished using the Telnet protocol to make a nonphysical connection to the router. As a result, there is only one type of vty ACL. Identical restrictions should be placed on all vty lines because it is impossible to control which line a user will connect on.
Whereas a vty ACL is created the same way as on an interface, applying the vty ACL to a terminal line requires using the access-class command instead of the access-group command. Example 20-7 demonstrates creating and applying a virtual terminal access list.

Example 20-7 Restricting vty Access with ACLs

Creating the standard list:
Rt1(config)#access-list 2 permit
Rt1(config)#access-list 2 permit
Rt1(config)#access-list 2 deny any
continues
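
The requirement that identical restrictions be placed on all vty lines can be checked against a saved configuration. The following Python script is an added example, not part of the book: it parses a constructed running-config fragment and reports vty lines that lack an inbound access-class or that reference different ACLs. The function names and the 192.0.2.0 sample addresses are assumptions made for illustration.

```python
import re

# Constructed running-config fragment (sample input, not taken from the book).
SAMPLE_CONFIG = """\
access-list 2 permit 192.0.2.0 0.0.0.255
access-list 2 deny any
!
line con 0
line vty 0 2
 access-class 2 in
 login
line vty 3 4
 login
!
"""

def vty_access_classes(config):
    """Map each vty line number to its inbound access-class ACL (None if absent)."""
    lines, current = {}, []
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or first)
            current = list(range(first, last + 1))
            for n in current:
                lines[n] = None
        elif raw.startswith(" ") and current:
            # Indented sub-command belonging to the current vty block.
            m = re.match(r"^\s+access-class (\S+) in\b", raw)
            if m:
                for n in current:
                    lines[n] = m.group(1)
        else:
            current = []  # any other top-level line ends the vty block
    return lines

def audit_vty(config):
    """Return findings: unrestricted vty lines and inconsistent ACLs across lines."""
    acls = vty_access_classes(config)
    findings = [f"vty {n}: no inbound access-class"
                for n, acl in sorted(acls.items()) if acl is None]
    if len({acl for acl in acls.values() if acl is not None}) > 1:
        findings.append("vty lines use different access-class ACLs")
    return findings

if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```

In the sample, vty 3 and 4 are reported because only lines 0 through 2 carry the access-class, which leaves two lines open to any source address.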