

Access list issues on VTY lines

Hi, I was hoping someone could explain how to do this.

I am trying to restrict my core switches (4506's) to only accept incoming SSH and Telnet (management) traffic that is directed to a single IP interface.

I thought I could do this by placing an access list on the VTY lines that says

#access-list 101 permit tcp any host eq 22 log

#access-list 101 permit tcp any host eq 23 log

#access-list 101 deny ip any any log

and simply assign that list inbound to the VTY lines.

However, this then blocks all access to the VTY lines. The log is as shown:

Jan  8 11:41:54.247: %SEC-6-IPACCESSLOGP: list 101 denied tcp ->, 1 packet

So I can see what is happening: because the 4506 is the default gateway for the network, it is seeing the packet as directed to self and not to the address.

My question is, is there any way around this? I was hoping to be able to restrict management access to the address.

I don't want to stop other subnets from being able to manage this switch, but they would all have to manage it through a single IP address. This switch may end up with many subnet interfaces, and I would rather be able to say allow this interface and deny all others by default than have to manually deny all other interfaces one by one.

Any ideas how I can get this to work?




To restrict access to the switch via VTY, just do the configuration below on the switches so that only permitted IPs can access the switch via Telnet:

ip access-list standard admin

Cisco_1811#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco_1811(config)#line vty 0 15
Cisco_1(config-line)#access-class admin in

Hope that helps out your query!!



See, this still allows access via any interface IP address the switch/router is configured with.

I want to restrict management to a single interface on the router/switch.

At the moment users are assigned an access list as they log on to the network,

which says something like

deny ip any

deny tcp any RDP

permit any any.

So they are denied access to different parts of the network depending on what group they are in.

The idea being that no matter what PC they log on to, in whatever subnet, they will always be denied access based on the user.

The problem with your solution is that the management interface can then only be accessed from one PC or subnet, as it is based on the source address.

I want to limit it based on the destination address,

i.e. not who it is coming from, but what IP address it is directed to.

Then if I say that a user can / can't reach the (management subnet), I can centrally manage access to the switch management.

Please clarify your question briefly: do you want to create a management restriction, or do you want to block different networks from one LAN to another?



I want to do exactly what you have said:

assign an access list to the VTY line,

but I want to filter based on the destination address (not the source address).


Ok!!

To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.
access-class access-list-number {in [vrf-also] | out}
no access-class access-list-number {in | out}

Syntax Description

access-list-number: Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

in: Restricts incoming connections between a particular Cisco device and the addresses in the access list.

vrf-also: Accepts incoming connections from interfaces that belong to a VRF.

out: Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

Usage Guidelines

Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.


The following example defines an access list that permits only hosts on network to connect to the virtual terminal ports on the router:
access-list 12 permit
line 1 5
access-class 12 in

The following example defines an access list that denies connections to networks other than network on terminal lines 1 through 5:
access-list 10 permit
line 1 5
access-class 10 out

Hope that helps out your query!!




I know this question was asked quite a while ago, but I'm sure people are still trying to find an answer to it.

I'm currently studying for my CCNA exam, and in one of the labs it asks to apply an ACL to the VTY lines that would allow access to only one of the local IP addresses configured on a router (say Loopback 0). This cannot be done (at least in any of the GNS3 devices I have set up). To only allow Telnet/SSH access to one of the configured addresses, you must apply the ACL to an interface, not the VTY lines.

I hope this helps anyone else out there that is currently looking for a solution to this problem.


Ok, so in my case I have a router with a mgmt interface (int mgmt 0) with IP address

Now I want my network administrator to telnet into the router using only this int mgmt IP and not any other loopback or interface IP configured on the router. How can I achieve this?

I do not know if you have figured this out or not, but always remember that VTY lines are on the management plane. The VTY lines will always only allow or block traffic at the VTY session level. Depending on what physical interfaces you have, you will have to place ACLs on those to block traffic from coming into those physical interfaces first; if permitted, it will make its way to the VTY lines.
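The interface-level approach the last two replies describe, written out as an added example (not configuration from anyone in this thread). Everything here is assumed: Vlan100 (10.0.100.1) is the single management address, Vlan10 and Vlan20 are user SVIs, Loopback0 is 192.0.2.1, and the VTY access-class only ever evaluates the source address, so the destination check has to sit on the ingress interfaces.

```text
! Added example, not from the thread. Assumed addressing: Vlan100 = 10.0.100.1 is the
! only address that should answer SSH/Telnet; Vlan10 = 10.0.10.1, Vlan20 = 10.0.20.1
! and Loopback0 = 192.0.2.1 are the other addresses the switch owns.
!
ip access-list extended MGMT-DST-FILTER
 remark --- management sessions are accepted only when addressed to the mgmt IP ---
 permit tcp any host 10.0.100.1 eq 22
 permit tcp any host 10.0.100.1 eq 23 log
 remark --- every other self address must be listed explicitly; an interface ACL
 remark --- has no "any address of this device" match, so keep this list in sync
 deny   tcp any host 10.0.10.1 eq 22 log
 deny   tcp any host 10.0.10.1 eq 23 log
 deny   tcp any host 10.0.20.1 eq 22 log
 deny   tcp any host 10.0.20.1 eq 23 log
 deny   tcp any host 192.0.2.1 eq 22 log
 deny   tcp any host 192.0.2.1 eq 23 log
 remark --- transit traffic, including SSH/Telnet to other hosts, is unaffected ---
 permit ip any any
!
! Apply inbound on every SVI where user traffic can enter, the management SVI included,
! so a host on the management VLAN cannot reach the other SVI addresses either.
interface Vlan10
 ip access-group MGMT-DST-FILTER in
interface Vlan20
 ip access-group MGMT-DST-FILTER in
interface Vlan100
 ip access-group MGMT-DST-FILTER in
!
! The VTY access-class still does the source-address part (name assumed).
ip access-list standard ADMIN-SOURCES
 permit 10.0.0.0 0.255.255.255
line vty 0 15
 access-class ADMIN-SOURCES in
```

The log keyword on the deny lines gives a %SEC-6-IPACCESSLOGP entry for every management attempt aimed at a non-management address, which is the signal to watch for. On IOS releases that support Management Plane Protection, `control-plane host` with `management-interface Vlan100 allow ssh telnet` expresses the same "this interface only, everything else denied by default" rule without enumerating each address.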
