12 Replies. Latest reply: Jan 15, 2012 11:55 AM by Elvin Arias

    Transport Input vs Output

    Dr. RDX

      If I want to restrict a router to be connected to using only SSH, I can put transport input ssh under the line vty, and if I want to do the same for telnet I can type in transport input telnet.

      When do we need to use the transport output command? As per the Cisco doc, it says:

      Determines the protocols that can be used for outgoing connections from a line.

      I set up 2 routers, each directly connected. R1 was configured to accept telnet only, while R2 was configured as transport output ssh.

      Still I can telnet into the other router.

        • 1. Re: Transport Input vs Output
          DelVonte

          If you only included the transport output command on R2, then you did not define the transport input. So the default would apply to R2 on incoming connections, which is to allow Telnet.

          • 2. Re: Transport Input vs Output
            Elvin Arias

            First of all, doing this test from the console will not prove anything; first telnet or ssh into the devices, then prove the feature between the routers.

            The "transport output" dictates what protocol the device is going to use for its connection to other ends. If I say "transport output ssh" on the VTY line, that says that I will only be able to use SSH to connect from my device to the other end, enforcing an SSH-only sort of policy.

            Is Telnet still possible even with this command? Yes, it is. How? If you put the IP address of a remote destination in privileged exec mode, it will use Telnet to connect to the other end, mocking the already configured policy (note that if you put the "telnet" command you will not be allowed to Telnet to the other end, since the "transport output ssh" was already entered).

            How can you fix this security hole? Easy, this is fixed with the "transport preferred none" command inside the VTY line, so no protocols will be preferred on the VTY line, and this will be resolved.

            Prove it, and you will see an interesting behavior. Have fun!

            Elvin

            • 3. Re: Transport Input vs Output
              Paul Stewart  -  CCIE Security

              One thing to also keep in mind is where the "output" commands are placed.  If you are trying to restrict/allow something from device A to device B and you have to restrict outbound on device A (as opposed to inbound on device B), the placement can be confusing.  The reason for this is that it can be placed under line con, line aux or line vty.  That's easy, it should be under vty--right?  Actually, it depends.

              The source device actually looks at "transport output" and "access-class x out" based on where the exec process was spawned from.  So if you connected into device A via telnet or ssh, you correctly assume that this should be added under line vty.  However, if your original connection to your source device (device A) is through the console, your subsequent outbound restrictions would actually go under line con.

              Although the access-class out concept is different, the placement consideration is similar.  You may wish to take a look at Anthony's video below to clear up the placement aspect of the command before you start trying to figure out its function.

              • 4. Re: Transport Input vs Output
                Dr. RDX

                Thanks a lot, Paul. Anthony is doing a great job at StormWind.

                • 5. Re: Transport Input vs Output
                  Elvin Arias

                  Yes, his videos are great!

                  Elvin

                  • 6. Re: Transport Input vs Output
                    Steven Williams

                    Output is for when you are connecting to other devices from the current device's VTY lines. So if you are on router 1 and you want to connect to router 2 from router 1 and output SSH is defined, then you can only use SSH from router 1 to connect to router 2. I have my environment set up this way, as I do not allow telnet anywhere on my network. HTH

                    • 7. Re: Transport Input vs Output
                      Paul Stewart  -  CCIE Security

                      Output can also be when you are connecting to other devices from console or aux.  For example, you console into R1 and telnet to R2.  If you wanted to disallow this on R1, you would do the following on R1.

                      line con 0
                      transport output none

                      Although we typically equate telnet with a vty, we can source it from a console session.  These transport and access-class commands are from the perspective of the exec process.  If I connect to con 0, where is the exec process attached?  The answer is con 0.  If you add this command, then log out (this is required to kill the current exec process and allow a new one to start), press enter to start a new exec process, you will no longer be able to telnet out of R1.  Now, if I didn't add this same command to "line vty 0 15", then I could telnet into R1.  From there I could telnet to R2.  HTH.

                      • 8. Re: Transport Input vs Output
                        Elvin Arias

                        Are you sure that the "transport output ssh" command will only allow SSH? Enter privileged exec mode and put in the IP address of the device you want to Telnet to, and see the magic! Remember, just the IP address without the "telnet" keyword.

                        Elvin

                        • 9. Re: Transport Input vs Output
                          Paul Stewart  -  CCIE Security

                          Elvin, good question.  I labbed this up to confirm.  "transport output ssh" will keep a user from connecting to a station via telnet if applied to the appropriate place for the exec process.  See below:

                          [image: Capture.PNG]

                          Okay, let's test from R1:

                          //Let's test telnet
                          R1#1.1.1.2
                          Trying 1.1.1.2 ... Open

                          User Access Verification

                          Username: cisco
                          Password:
                          R2>exit

                          [Connection to 1.1.1.2 closed by foreign host]

                          //and test ssh
                          R1#ssh -l cisco 1.1.1.2

                          Password:

                          R2>exit

                          [Connection to 1.1.1.2 closed by foreign host]

                          //now apply the restriction and log all the way out
                          //I'm connecting to line con 0, so that's where the
                          //exec process is spawning from. We need to apply
                          //the restriction there

                          R1#conf t
                          Enter configuration commands, one per line.  End with CNTL/Z.
                          R1(config)#line con 0
                          R1(config-line)#tran
                          R1(config-line)#transport ou
                          R1(config-line)#transport output ssh
                          R1(config-line)#exit
                          R1(config)#exit
                          R1#exit

                          <--snip a bunch of whitespace-->

                          R1 con0 is now available

                          Press RETURN to get started.

                          <--snip a bunch of whitespace-->

                          *Mar  1 00:02:44.499: %SYS-5-CONFIG_I: Configured from console by console
                          R1>en

                          //telnet without the telnet command
                          //this works unless it is disabled

                          R1#1.1.1.2
                          % Unknown command or computer name, or unable to find computer address

                          //explicit telnet command
                          R1#telnet 1.1.1.2
                          % telnet connections not permitted from this terminal

                          //ssh should still work
                          R1#ssh -l cisco 1.1.1.2

                          Password:

                          R2>exit

                          [Connection to 1.1.1.2 closed by foreign host]
                          R1#

                          • 10. Re: Transport Input vs Output
                            Elvin Arias

                            That's what I was talking about. Another way to prevent this behavior is with the "transport preferred none" command.

                            Test it out and give me your impressions!

                            Elvin

                            • 11. Re: Transport Input vs Output
                              Paul Stewart  -  CCIE Security

                              That's very cool.  I never knew that.  So that is a way to disable the router from trying to telnet to anything that isn't a command.  In practice, it saves time like "no ip domain-lookup", but from a different perspective.

                              • 12. Re: Transport Input vs Output
                                Elvin Arias

                                Yes! It's a pretty cool command; that was the other way I was talking about. If you do the "transport preferred none" on the VTY line (or wherever), it will not prefer any protocol, so you'll have to hardcode what you wanna do; in this case the "transport output ssh" command will work perfectly.

                                Elvin
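As an added example (not code from this thread or from Cisco), a small Python audit that parses the line stanzas of an IOS running-config and flags the three settings the thread converges on in replies 2, 9 and 12: transport input, transport output and transport preferred none. The sample config is constructed; because the platform default for an unset transport input/output varies by IOS release, an unset value is reported as a finding rather than assumed to be safe.

```python
# Constructed sample running-config excerpt (not a config from the thread).
SAMPLE_CONFIG = """\
line con 0
 transport output none
line vty 0 4
 transport input telnet ssh
 transport output ssh
line vty 5 15
 transport input ssh
 transport output ssh
 transport preferred none
"""

def parse_line_stanzas(config):
    """Return {'line vty 0 4': [sub-commands, ...]} for every line stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        text = raw.rstrip()
        if not text.startswith(" "):          # top-level command, '!' or blank
            current = text if text.startswith("line ") else None
            if current:
                stanzas[current] = []
        elif current:                         # sub-command of the open stanza
            stanzas[current].append(text.strip())
    return stanzas

def transport(cmds, keyword):
    """Protocols named after 'transport <keyword>', or None if never set."""
    hits = [set(c.split()[2:]) for c in cmds if c.startswith(f"transport {keyword} ")]
    return hits[0] if hits else None

def audit_stanza(name, cmds):
    """Findings for one line stanza; an empty list means it is hardened."""
    findings = []
    if name.startswith("line vty"):           # input only matters on vty lines
        inp = transport(cmds, "input")
        if inp is None or inp & {"telnet", "all"}:
            findings.append("transport input unset or admits telnet")
    out = transport(cmds, "output")
    if out is None or out & {"telnet", "all"}:
        findings.append("transport output unset or admits telnet")
    # Default preferred transport is telnet: a bare IP at the exec prompt opens Telnet.
    if transport(cmds, "preferred") != {"none"}:
        findings.append("transport preferred none missing")
    return findings

def audit_config(config):
    """Map each line stanza of a running-config to its findings."""
    return {n: audit_stanza(n, c) for n, c in parse_line_stanzas(config).items()}
```

Run it against the output of show running-config | section ^line; only the stanza that carries all three settings comes back with an empty finding list.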