Access List

alliasneo1 (Level 1)

Hi,

Can someone explain to me why the below access-list does not work? I've been staring at this for a while but can't figure it out. I can't telnet in even though I have allowed the TCP traffic:

Extended IP access list NO_TELNET
   10 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log
   20 deny ip any any log

7 Replies

Marvin Rhoads (Hall of Fame)

What are those two hosts and where have you applied the access-list? Without that information, one needs to make (very possibly incorrect) assumptions about your setup.

What about it isn't working for you?

Hi, sorry, yes I was a bit vague there.

I'm trying to block a particular host from Telnetting to a router and allow another.

I have managed to do this with a standard access-list but now I'm trying with an extended.

I've applied this to the VTY lines of the router using access-class, but even though I allowed the particular host through, it still gets blocked.

ip access-list extended NO_TELNET
 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log
 deny   ip any any log
!
line vty 0 4
 access-class NO_TELNET in
 password telnet
 login

%SEC-6-IPACCESSLOGP: list NO_TELNET denied tcp 10.0.0.1(55916) -> 0.0.0.0(23), 1 packet

R1#sh ip access-list
Extended IP access list NO_TELNET
    10 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log
    20 deny ip any any log (2 matches)

The log entry says the source of traffic was 10.0.0.1. Is that on the router itself with 10.0.0.2 being another interface on the router?

If so, that won't work because access-lists don't apply to traffic generated from the router to itself. You need to introduce traffic to an interface to make an inbound access-list see it and act accordingly.

Additionally, vty lines require you used numbered access-lists (12.2 reference and 15.0 reference). It can be extended but must be numbered not named.

Hi,

I just tried a numbered list but I still can't get in. This is the setup I have:

You're right, the configuration you show looks straightforward and should work from what I've seen posted so far.

Kind of obscure but are there any VRFs on the target router?

One other suggestion would be to make the access list a simple "permit tcp host 10.0.0.2 host 10.0.0.1" and then restrict the access to telnet via "transport input telnet" in the line vty section.
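As an added illustration (not part of the thread, and not Cisco code), here is a small Python model of how an extended ACL is evaluated top-down, run against the two packets that matter in this thread: the one the router's log line reports (source 10.0.0.1, destination 0.0.0.0, port 23) and the one the original poster intended to permit (10.0.0.2 to 10.0.0.1, port 23). It also evaluates the simplified list suggested above, "permit tcp host 10.0.0.2 host 10.0.0.1" with no port match. The `Packet`/`Entry` names and the parser are my own; the model covers only what the thread shows: first match wins, and an unmatched packet falls to the implicit deny. Running it shows that the logged packet fails line 10 on its source address alone (and on its destination address as well), which is why the hits land on line 20.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Toy model of IOS extended-ACL evaluation (added example, not IOS code).
@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port

PORT_NAMES = {"telnet": 23, "ssh": 22}

def _addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def parse_acl(text):
    """Parse 'show ip access-list' or config-style lines into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        # Config-style lines have no sequence number; number them 10, 20, ...
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        else:
            seq = entries[-1].seq + 10 if entries else 10
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        dport = None
        if tokens and tokens[0] == "eq":
            tokens.pop(0)
            port = tokens.pop(0)
            dport = PORT_NAMES.get(port) or int(port)
        # Trailing keywords such as "log" do not affect matching.
        entries.append(Entry(seq, action, proto, src, dst, dport))
    return entries

def evaluate(entries, pkt):
    """Return (action, seq) of the first matching entry; (deny, None) = implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in e.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.seq
    return "deny", None

# The list from the thread, as shown by 'sh ip access-list'.
NO_TELNET_ACL = """
10 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet log
20 deny ip any any log
"""
# The simplified list suggested in the reply above (port filtering left to 'transport input').
SIMPLE_ACL = "permit tcp host 10.0.0.2 host 10.0.0.1"

# Packet as reported by the %SEC-6-IPACCESSLOGP line in the thread.
LOGGED_PKT = Packet("tcp", "10.0.0.1", "0.0.0.0", 23)
# Packet the original poster intended to permit (constructed from the ACL).
INTENDED_PKT = Packet("tcp", "10.0.0.2", "10.0.0.1", 23)

if __name__ == "__main__":
    acl = parse_acl(NO_TELNET_ACL)
    print("logged packet  :", evaluate(acl, LOGGED_PKT))     # ('deny', 20)
    print("intended packet:", evaluate(acl, INTENDED_PKT))   # ('permit', 10)
    print("simple list    :", evaluate(parse_acl(SIMPLE_ACL), INTENDED_PKT))  # ('permit', 10)
```

The model makes the thread's diagnosis concrete: whatever the router is doing with the destination address, a packet sourced from 10.0.0.1 can never match an entry written for `host 10.0.0.2`, so checking the source address in the log line against the permit entry is the first thing to do when an access-class list denies unexpectedly.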

harvisin (Level 3)

Hello,

The possible reasons could be as follows:

1) In line VTY, telnet is not allowed.

2) The access-list is not applied on the interface.

3) The only remaining reason could be that you might have given another IP address to Router2.

Otherwise, I can't find any other reason for telnet not to work.

harvisin (Level 3)

And one more thing: could you please send me the configuration of R1 and R2, so that I could check it out.
