4000 Router Series Fundamentals Configuration Guide

Controlling user access

Use ACLs to prevent unauthorized access and configure command authorization and accounting to

monitor and control user behavior. For more information about ACLs, see ACL and QoS Configuration

Guide.

Controlling Telnet/SSH logins

Use basic ACLs (2000 to 2999) to filter Telnet and SSH logins by source IP address. Use advanced ACLs

(3000 to 3999) to filter Telnet and SSH logins by source and/or destination IP address. Use Ethernet

frame header ACLs (4000 to 4999) to filter Telnet and SSH logins by source MAC address.

If an applied ACL does not exist or has no rules, no user login restriction is applied. If the ACL exists and

has rules, only users permitted by the ACL can access the device through Telnet or SSH.

Configuration procedures

To control Telnet logins:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Apply an ACL to filter

Telnet logins.

• telnet server acl acl-number

• telnet server ipv6 acl [ ipv6 ]

acl-number

By default, no ACL is used to filter

Telnet logins.

To control SSH logins:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Apply an ACL to filter

SSH logins.

• ssh server acl acl-number

• ssh server ipv6 acl [ ipv6 ]

acl-number

By default, no ACL is used to filter

SSH logins.

For more information about these

two commands, see Security

Command Reference.

Configuration example

Network requirements

Configure the device in Figure 32 to permit only Telnet packets sourced from Host A and Host B.