cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1890
Views
0
Helpful
8
Replies

VTY access restriction

nyami.david
Level 1
Level 1

Hello everybody,

we have been pondering on this problem for days without a solution.We would like to restrict  the ssh access from a specific source IP address to a given vty. let's say whenever source A with IP  X.X.X.X logs in it will be redirected to vty 5 . Even if vty 0 through 4 are free.

We tried to solve this problem using access-lists. by denying the Host A on all vty except vty 5. But it did not work. The config looks like this:

access-list 10 deny X.X.X.X

access-list 10 permit Y.Y.Y.Y

acces-list 11 permit X.X.X.X

access-list 11 permit Y.Y.Y.Y

line vty 0 4

access-class 10 in

line vty 5

accesss-class 11 in

Thanks in adavance. Any other ideas are welcomed.

P.S: funnily it worked in Packet tracer

1 Accepted Solution

Accepted Solutions

nspasov
Cisco Employee
Cisco Employee

The VTY port is randomly selected, thus I suspect that this would sometimes work and sometimes it won't. To make this work correctly I would suggest using rotary groups. That way you can tie a specific port to a specific VTY line:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-ssh-term-line.html

I hope this helps!

Thank you for rating helpful posts!

View solution in original post

8 Replies 8

Tim Y
Level 1
Level 1

Hi,

Can you confirm which IP you don't want to be able to use VTY 0 4, and show us the access lists?

What you're doing should work. Are you certain it failed? You can use the "who" command in Privileged EXEC mode to see which VTY line you have connected to.

Out of curiosity, why are you doing this?

Regards,

Tim

Hello Tim, 

It does not work. I have tried it on IOS and IOS-XE.

the IP could be any IP (I have used 10.2.1.1 for the test in the lab). Maybe you can try it. We did it 2 times and it did not work.

We are installing a new automation tool that connects per SSH to our equipments.  We would like to limit the sessions it starts on the router and if possible to a specific VTY. As I said in the original post funnily it works on Packet Tracer

nspasov
Cisco Employee
Cisco Employee

The VTY port is randomly selected, thus I suspect that this would sometimes work and sometimes it won't. To make this work correctly I would suggest using rotary groups. That way you can tie a specific port to a specific VTY line:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-ssh-term-line.html

I hope this helps!

Thank you for rating helpful posts!

Does IOS-XR provide such a funtionality, if no is there a workaround?

Cheers

David

nyami.david
Level 1
Level 1

Does IOS-XR provide such a funtionality, if no is there a workaround?

Cheers

David

I have not done it with XE switches/code but it seems like it is supported. Here is the config guide for one of the switches:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960xr/software/15-2_4_e/configuration_guide/b_1524e_consolidated_2960xr_cg/b_1524e_consolidated_2960xr_cg_chapter_01011011.html

I hope this helps!

Thank you for rating helpful posts!

We tested it on XE switches and it worked. My question was on IOS-XR though (ASR9k)

Ops, sorry about that! I read XE and not XR :)

So, I have never worked with XR routers so I am not sure. However, doing a quick google search suggests that the "rotary"command is NOT available for that IOS. But, I also found the following posts that has an alternative method with using VTY-Pools:

http://ccie-in-3-months.blogspot.com/2011/09/aaa-and-vtys-in-ios-xr-bingo.html

Thank you for rating helpful posts!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: