topic The VTY port is randomly in Network Access Control

VTY access restriction

nyami.david — Mon, 11 Mar 2019 06:48:54 GMT

Hello everybody,

we have been pondering on this problem for days without a solution.We would like to restrict the ssh access from a specific source IP address to a given vty. let's say whenever source A with IP X.X.X.X logs in it will be redirected to vty 5 . Even if vty 0 through 4 are free.

We tried to solve this problem using access-lists. by denying the Host A on all vty except vty 5. But it did not work. The config looks like this:

access-list 10 deny X.X.X.X

access-list 10 permit Y.Y.Y.Y

acces-list 11 permit X.X.X.X

access-list 11 permit Y.Y.Y.Y

line vty 0 4

access-class 10 in

line vty 5

accesss-class 11 in

Thanks in adavance. Any other ideas are welcomed.

P.S: funnily it worked in Packet tracer

Hi,

Tim Y — Fri, 27 May 2016 20:33:25 GMT

Hi,

Can you confirm which IP you don't want to be able to use VTY 0 4, and show us the access lists?

What you're doing should work. Are you certain it failed? You can use the "who" command in Privileged EXEC mode to see which VTY line you have connected to.

Out of curiosity, why are you doing this?

Regards,

Tim

Hello Tim,

nyami.david — Sat, 28 May 2016 23:57:18 GMT

Hello Tim,

It does not work. I have tried it on IOS and IOS-XE.

the IP could be any IP (I have used 10.2.1.1 for the test in the lab). Maybe you can try it. We did it 2 times and it did not work.

We are installing a new automation tool that connects per SSH to our equipments. We would like to limit the sessions it starts on the router and if possible to a specific VTY. As I said in the original post funnily it works on Packet Tracer

The VTY port is randomly

nspasov — Fri, 03 Jun 2016 16:16:42 GMT

The VTY port is randomly selected, thus I suspect that this would sometimes work and sometimes it won't. To make this work correctly I would suggest using rotary groups. That way you can tie a specific port to a specific VTY line:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-ssh-term-line.html

I hope this helps!

Thank you for rating helpful posts!

Does IOS-XR provide such a

nyami.david — Tue, 28 Jun 2016 14:23:56 GMT

Does IOS-XR provide such a funtionality, if no is there a workaround?

Cheers

David

Does IOS-XR provide such a

nyami.david — Tue, 28 Jun 2016 14:24:39 GMT

Does IOS-XR provide such a funtionality, if no is there a workaround?

Cheers

David

I have not done it with XE

nspasov — Tue, 28 Jun 2016 17:29:43 GMT

I have not done it with XE switches/code but it seems like it is supported. Here is the config guide for one of the switches:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960xr/software/15-2_4_e/configuration_guide/b_1524e_consolidated_2960xr_cg/b_1524e_consolidated_2960xr_cg_chapter_01011011.html

I hope this helps!

Thank you for rating helpful posts!

We tested it on XE switches

nyami.david — Wed, 29 Jun 2016 20:27:08 GMT

We tested it on XE switches and it worked. My question was on IOS-XR though (ASR9k)

Ops, sorry about that! I read

nspasov — Thu, 30 Jun 2016 07:03:34 GMT

Ops, sorry about that! I read XE and not XR 🙂

So, I have never worked with XR routers so I am not sure. However, doing a quick google search suggests that the "rotary"command is NOT available for that IOS. But, I also found the following posts that has an alternative method with using VTY-Pools:

http://ccie-in-3-months.blogspot.com/2011/09/aaa-and-vtys-in-ios-xr-bingo.html

Thank you for rating helpful posts!