02-09-2015 04:43 AM - edited 02-21-2020 05:23 AM
Hey dears,
In my topology, there are two ip addresses on R1:
interface fa0/0: 1.1.1.1/24
interface loo0: 2.2.2.2/24
I want to log in from R2 to R1 using just one of those IP addresses on R1. Actually, I want to log in only to 2.2.2.2!
So, I am going to use an ACL under line VTY. But it doesn't work.
I know that I can simply use this ACL under interface fa0/0 which I've tested before and it worked.
Here is my current configuration:
With this configuration R2 can log in to both IP addresses. Please find the attachment.
-----------------------------------------------------------------------------------------
Extended IP access list CISCO
10 deny tcp any host 1.1.1.1 eq telnet
20 permit ip any any
line vty 0 4
access-class CISCO in
password cisco
login
line vty 5 15
access-class CISCO in
password cisco
login
-----------------------------------------------------------------------------------------
02-12-2015 07:05 AM
For VTY access you should use a standard access list. The router does not read all 5-tuples.
To restrict the protocol use the transport input command.
To restrict the source you use an ACL and vty access-class like you have done.
If you want to restrict to a certain IP/interface you have a couple of options:
ip access-list extended BLOCK-SSH
deny tcp any host 1.1.1.1 eq 22
permit ip any any
interface fa0/0
ip access-group BLOCK-SSH in
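Putting the pieces of this answer together as one working IOS configuration (an added example, not the poster's or the answerer's own config): a standard ACL on `access-class` handles the source filtering that the VTY actually evaluates, the interface ACL handles the "which of R1's addresses may be used" question, and `transport input` handles the protocol. R2's address 1.1.1.2, the username and the secret are assumed placeholders, and the SSH prerequisites (hostname, domain name, RSA key) are assumed to be in place already.

```cisco
! Source restriction: this is the only thing access-class really checks,
! so a standard ACL is enough. 1.1.1.2 is an assumed address for R2.
ip access-list standard VTY-SOURCES
 remark R2 only; everything else is logged and dropped
 permit host 1.1.1.2
 deny   any log
!
! Destination restriction: applied on the ingress interface, not on the VTY.
! Management traffic to fa0/0's own address is dropped, 2.2.2.2 stays reachable.
ip access-list extended NO-MGMT-ON-FA0-0
 remark Telnet (23) and SSH (22) to 1.1.1.1 are refused
 deny   tcp any host 1.1.1.1 eq 23
 deny   tcp any host 1.1.1.1 eq 22
 permit ip any any
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group NO-MGMT-ON-FA0-0 in
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
! Placeholder credentials; replace before use.
username admin privilege 15 secret PLACEHOLDER-SECRET
!
line vty 0 15
 access-class VTY-SOURCES in
 transport input ssh
 login local
```

After applying this, `ssh -l admin 2.2.2.2` from R2 succeeds while `ssh -l admin 1.1.1.1` and any Telnet attempt are refused by the interface ACL before the VTY is ever reached; `show ip access-lists` on R1 shows the hit counters on the deny entries.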