Managing Network Devices
Access lists are discussed in detail later in this chapter.
To place an access list on a VTY line, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you
want to be able to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.
Here is an example of allowing only host 172.16.10.3 to telnet into a
router:
RouterA(config)#access-list 50 permit 172.16.10.3
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 50 in
Because of the implied deny any at the end of the list, the access list stops any
host from telnetting into the router except the host 172.16.10.3.
Controlling HTTP Access
HTTP can be used to gain access to a router or switch and both view and
change the configuration of the device. Because any active interface can be
used to allow access via HTTP, you can limit access by placing an access list
under the HTTP server command.
To turn on HTTP access, use the ip http server command. By default,
the enable secret password is used to gain access. When you set up usernames
and passwords, each user can be prompted for passwords when trying to
access the device via a network browser. You can use the ip http access-class
command to add an access list to the HTTP server running on the device.
Here is an example of setting up a user with HTTP access from their host
172.16.10.1:
Router#config t
Router(config)#username tlammle password cisco
Router(config)#ip http server
Router(config)#access-list 10 permit host 172.16.10.1
Router(config)#ip http access-class 10
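The following check is an added example, not code from the book: it audits a saved running-config for the two controls described above, flagging VTY lines with no inbound access-class, an HTTP server with no ip http access-class, and referenced access lists that are empty or permit any. The sample configuration and the audit function name are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the book): VTY 0 4 uses ACL 50,
# VTY 5 15 has no access-class, and the HTTP server has no access list.
SAMPLE_CONFIG = """\
username tlammle password cisco
ip http server
access-list 50 permit 172.16.10.3
line vty 0 4
 access-class 50 in
line vty 5 15
 login
"""

def audit(config):
    """Return findings for VTY lines and HTTP server lacking a restrictive ACL."""
    findings, acls, lines = [], {}, config.splitlines()
    for line in lines:  # collect numbered ACL entries: {number: [(action, source)]}
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    def check_acl(num, where):
        entries = acls.get(num, [])
        if not entries:
            findings.append(f"{where}: access list {num} has no entries in this config")
        elif any(a == "permit" and src.startswith("any") for a, src in entries):
            findings.append(f"{where}: access list {num} permits any")

    # Walk "line vty" blocks; their sub-commands are the indented lines that follow.
    current, has_class = None, False
    for line in lines + ["!"]:
        if current and not line.startswith(" "):
            if not has_class:
                findings.append(f"{current}: no inbound access-class")
            current = None
        if line.startswith("line vty"):
            current, has_class = line.strip(), False
        elif current:
            m = re.match(r"\s+access-class (\d+) in", line)
            if m:
                has_class = True
                check_acl(m.group(1), current)
    if "ip http server" in lines:
        m = re.search(r"^ip http access-class (\d+)", config, re.M)
        if m:
            check_acl(m.group(1), "ip http server")
        else:
            findings.append("ip http server: no ip http access-class")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the unrestricted VTY 5 15 lines and the HTTP server without an access list; the HTTP configuration shown in the example above produces no findings.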
Copyright ©2000 SYBEX , Inc., Alameda, CA
www.sybex.com