Whitelisting Telnet Hosts - Allied Telesis Layer 3 Switches Network Manual
Create A Secure Network With Allied Telesis Managed Layer 3 Switches

Whitelisting telnet hosts

For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3. Therefore, we recommend you block all telnet access to the switch by disabling the telnet server. However, if you persist with telnet, you should make a whitelist of the hosts that are permitted to telnet to the switch. This does not make telnet secure, but it does reduce the associated risks.
Building a whitelist through layer 3 filters

On Rapier, Rapier i, AT-8800, AT-8700XL and AT-8600 Series switches, use layer 3 filters to build a whitelist.

Configuration
1. Create a filter match definition that specifies destination IP address, protocol and destination TCP port as the criteria that the filter will match. The switch automatically assigns this filter an ID of 1 (unless other layer 3 filters already exist).
2. Create a filter entry that specifies the switch's IP address as the destination address, TCP as the protocol and 23 as the port. Give it an action of deny.
3. Create another filter match definition with source and destination IP addresses, both with 32-bit masks.
4. Create filter entries for the second filter. In each entry, specify a permitted host as the source and the switch's IP address as the destination. Give the entries an action of nodrop.

The first filter blocks (action=deny) any incoming telnet packets with the switch's destination IP address. The second filter reverses the first filter by undoing the previous denial of IP access to the switch—but only for the permitted source IP addresses.
Example

To permit only the host with IP address 172.30.1.144 to telnet to the switch 172.28.40.70:
    add switch l3filter match=dipaddress,protocol,tcpdport dclass=32
    add switch l3f=1 entry protocol=tcp dipaddress=172.28.40.70 tcpdport=23 action=deny
    add switch l3filter match=dipaddress,sipaddress sclass=32 dclass=32
    add switch l3filter=2 entry sipaddress=172.30.1.144 dipaddress=172.28.40.70 action=nodrop
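To sanity-check what the two filters above actually permit and deny, here is an added Python model of their interplay (example code, not AlliedWare commands and not from the manual). It uses the addresses from the example; the precedence rule that a nodrop match exempts a packet from filter 1's deny is assumed from the text, not taken from the switch's hardware documentation, and the non-whitelisted addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Added model of the manual's two-filter telnet whitelist (not AlliedWare
# code). The deny/nodrop precedence below is an assumption drawn from the
# text, not from the switch's documented hardware behaviour.
SWITCH_IP = "172.28.40.70"     # switch address from the manual's example
PERMITTED = ["172.30.1.144"]   # hosts allowed to telnet to the switch

@dataclass(frozen=True)
class Packet:
    sip: str       # source IP
    dip: str       # destination IP
    protocol: str  # "tcp" or "udp"
    dport: int     # destination port

def filter1_deny_telnet(pkt: Packet) -> Optional[str]:
    """Filter 1 (match=dipaddress,protocol,tcpdport): deny telnet to the switch."""
    if pkt.dip == SWITCH_IP and pkt.protocol == "tcp" and pkt.dport == 23:
        return "deny"
    return None

def filter2_nodrop_whitelist(pkt: Packet, permitted: list[str]) -> Optional[str]:
    """Filter 2 (match=sipaddress,dipaddress, /32 masks): nodrop for each
    permitted host. Note it matches any protocol/port from that host."""
    if pkt.dip == SWITCH_IP and pkt.sip in permitted:
        return "nodrop"
    return None

def decide(pkt: Packet, permitted: list[str] = PERMITTED) -> str:
    """A nodrop match exempts the packet from filter 1's deny; otherwise a
    deny stands; anything unmatched is forwarded normally ("permit")."""
    if filter2_nodrop_whitelist(pkt, permitted) == "nodrop":
        return "permit"
    if filter1_deny_telnet(pkt) == "deny":
        return "deny"
    return "permit"

# Constructed sample packets (not captured traffic) covering the cases
# the whitelist must and must not affect.
SAMPLES = {
    "telnet from permitted host": Packet("172.30.1.144", SWITCH_IP, "tcp", 23),
    "telnet from other host": Packet("172.30.1.200", SWITCH_IP, "tcp", 23),
    "ssh from other host": Packet("172.30.1.200", SWITCH_IP, "tcp", 22),
    "telnet via switch to another device": Packet("172.30.1.200", "172.28.40.99", "tcp", 23),
}
if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:40s} -> {decide(pkt)}")
```

The last two cases show that the filters touch only telnet addressed to the switch itself; SSH to the switch and telnet forwarded through it are unaffected, which is the behaviour the text describes.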
Managing the device securely
Products: AT-8600 Series, AT-8700XL Series, Rapier i Series, Rapier Series, AT-8800 Series
Software Versions: All