OL-11615-01
In the following example, Telnet and SSH access to VTYs 0 to 4 is restricted to host 172.16.1.1 only. Standard access list 10 permits that single host, and the implicit deny at the end of every access list rejects all other sources.
Switch(config)# access-list 10 permit 172.16.1.1
Switch(config)# line vty 0 4
Switch(config-line)# access-class 10 in
Apply the access-class to every VTY line the platform provides, not only to 0 to 4 (show line lists them): an incoming session takes the lowest free VTY, so once the protected lines are in use a connection lands on an unprotected higher-numbered line and is accepted from any source.
For more information on how to configure an access-class, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#wp1017389
Locking Down Unused Ports
By default, all Ethernet ports on Catalyst switches running Catalyst OS are placed in VLAN 1. In addition, by default, many control protocols such as CDP, PAgP and VTP use VLAN 1 to transmit and receive packets across the network topology. Leaving unused ports in VLAN 1 therefore invites unauthorized access: anyone connecting to an unused port gains access to the entire VLAN 1 and all the resources in it. For this reason, all unused ports should be disabled and placed in an unused, isolated VLAN. Disabling unused ports and placing them in an isolated VLAN helps contain any unauthorized access attempts from ports not in use.
The same recommendations also apply to Catalyst switches running Cisco IOS software. However, there are some differences in the default settings that should be noted. First, by default, in Cisco IOS all ports are disabled on Catalyst 6500 Series switches and enabled on Catalyst 4500 Series switches. Second, by default, all ports are set as routed interfaces and are consequently not associated with a default VLAN. However, as soon as a port is configured as a Layer 2 switched interface, the port is automatically assigned to default VLAN 1.
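The following audit script is an added example; it is not part of this Cisco document and not a Cisco tool. It applies the two checks this section describes to a Catalyst IOS running-config: every line vty block must carry an inbound access-class that refers to an ACL actually defined in the config, and every port the operator declares unused must be shut down and, if it is a Layer 2 port, parked in a VLAN other than 1 (a switched port with no switchport access vlan line is in VLAN 1 by default, as noted above). The sample configuration, the interface names, the unused-port list and the parking VLAN 999 are constructed for illustration; the hardened port GigabitEthernet1/2 shows the IOS form of the Catalyst OS set vlan and set port disable commands covered in this section.

```python
"""Audit a Catalyst IOS running-config for two hardening points: VTY lines
protected by an inbound access-class, and unused ports shut down and parked
in a non-default VLAN. Added example, not Cisco's code; the sample config,
interface names, unused-port list and VLAN 999 are constructed."""
import re

# Constructed sample running-config. Gi1/2 is hardened as the section
# recommends; Gi1/3 is a switched port left at its defaults (VLAN 1, up);
# Gi1/4 is an unconfigured routed interface; vty 5-15 has no access-class.
SAMPLE_CONFIG = """\
access-list 10 permit 172.16.1.1
!
interface GigabitEthernet1/2
 switchport
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/3
 switchport
 switchport mode access
!
interface GigabitEthernet1/4
 no ip address
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

# Ports the operator has declared unused (constructed for the example).
UNUSED_PORTS = ["GigabitEthernet1/2", "GigabitEthernet1/3", "GigabitEthernet1/4"]


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Split a running-config into blocks keyed by their unindented header
    ('interface X', 'line vty 0 4', ...). Indented lines belong to the
    preceding header; '!' and blank lines close the current block."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def audit_vty(blocks: dict[str, list[str]]) -> list[str]:
    """Flag VTY ranges with no 'access-class N in', or whose access-class
    names a numbered ACL the config never defines (numbered ACLs only)."""
    defined_acls = set()
    for header in blocks:
        m = re.match(r"access-list (\d+) ", header)
        if m:
            defined_acls.add(m.group(1))
    findings = []
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        inbound = [ln for ln in body if re.fullmatch(r"access-class \S+ in", ln)]
        if not inbound:
            findings.append(f"{header}: no inbound access-class; any source may reach Telnet/SSH")
            continue
        acl = inbound[0].split()[1]
        if acl not in defined_acls:
            findings.append(f"{header}: access-class {acl} references an undefined ACL")
    return findings


def port_state(body: list[str]) -> tuple[bool, int, bool]:
    """Return (is_layer2, access_vlan, is_shutdown). A Layer 2 port with no
    'switchport access vlan' line sits in VLAN 1, the IOS default."""
    is_layer2 = any(ln.split()[0] == "switchport" for ln in body)
    vlan = 1
    for ln in body:
        m = re.fullmatch(r"switchport access vlan (\d+)", ln)
        if m:
            vlan = int(m.group(1))
    return is_layer2, vlan, "shutdown" in body


def audit_unused_ports(blocks: dict[str, list[str]], unused: list[str]) -> list[str]:
    """Every declared-unused port must be shut down; a switched one must also
    be in a VLAN other than 1. Routed interfaces have no access VLAN, so only
    the shutdown check applies to them."""
    findings = []
    for name in unused:
        body = blocks.get(f"interface {name}")
        if body is None:
            findings.append(f"{name}: not present in config")
            continue
        is_layer2, vlan, down = port_state(body)
        if not down:
            findings.append(f"{name}: unused but not shut down")
        if is_layer2 and vlan == 1:
            findings.append(f"{name}: unused but still in default VLAN 1")
    return findings


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_CONFIG)
    for finding in audit_vty(parsed) + audit_unused_ports(parsed, UNUSED_PORTS):
        print(finding)
```

Run against the constructed config, the script reports the unprotected vty 5 15 range and the two defects on GigabitEthernet1/3 (up, and in VLAN 1) plus the open routed port GigabitEthernet1/4, while the hardened GigabitEthernet1/2 produces no finding. On a real device, feed it the output of show running-config and your own list of ports known to be unused.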
In Catalyst OS, a port can be disabled using the set port disable command:
Console> (enable) set port disable mod/port
This example shows how to disable a port using the set port disable command:
Console> (enable) set port disable 5/10
Port 5/10 disabled.
Console> (enable)
For more information on the set port disable command for the Catalyst 6500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/set_po_r.htm#wp1468799
For more information on the set port disable command for the Catalyst 4500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_3/command/set_l_q.htm#wp1025937
In Catalyst OS, a port can be set to an unused VLAN using the set vlan command:
Console> (enable) set vlan vlan mod/port
This example shows how the unused port is set to unused VLAN 560:
Console> (enable) set vlan 560 4/10
VLAN 560 modified.
VLAN 1 modified.
VLAN Mod/Ports
---- -----------------------
560 4/10
For more information on the set vlan command for the Catalyst 6500, refer to the following URL: