
Separate ACLs for Separate VTY Groups

mccauleyjm
Level 1

I am looking into the possibility of applying separate ACLs to separate VTY groups.

It sounds theoretically possible, but I do not have a lab to mock it up in to test.

The current issue is various tools sucking up VTY resources and not leaving much for the engineers to use for management.

 

Sample proposed solution:

///////

! Named standard ACLs: access-class on a vty line filters on the source address
ip access-list standard Tools_Access
 permit x.x.x.x log
 deny any log
ip access-list standard MGMT_Access
 permit x.x.x.x log
 deny any log

line vty 0 4
 access-class Tools_Access in

line vty 5 15
 access-class MGMT_Access in

/////

My fear is not being able to dynamically access VTYs 5-15 if/when VTYs 0-4 are not already used up ... because I do not know if VTY port assignments are strictly sequential, first available, or some sort of smart assignment.

... thoughts?
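
A small model of the concern raised in this question, added here as an example and not part of the original post or of any Cisco code. It assumes the device hands a new session the lowest-numbered idle line and evaluates only that line's access-class (the thread does not settle how lines are chosen); the `group` argument models a rotary group reached through its own listener port, and all addresses and function names are constructed.

```python
# Constructed model of VTY allocation; addresses and names are hypothetical.
TOOLS = {"192.0.2.10"}      # constructed source permitted by Tools_Access
MGMT = {"198.51.100.20"}    # constructed source permitted by MGMT_Access


def build_lines():
    """vty 0-4 carry Tools_Access, vty 5-15 carry MGMT_Access, all idle."""
    return [{"acl": TOOLS if n <= 4 else MGMT, "busy": False} for n in range(16)]


def connect(lines, src, group=None):
    """Attempt one session; return the vty number used, or None if refused.

    Assumption: the device picks the lowest-numbered idle line and checks
    only that line's access-class. `group` restricts the candidate lines,
    which models a rotary group reached through a dedicated port.
    """
    candidates = group if group is not None else range(len(lines))
    for n in candidates:
        if not lines[n]["busy"]:
            if src in lines[n]["acl"]:
                lines[n]["busy"] = True
                return n
            return None  # denied on the selected line; no retry on another
    return None  # every candidate line is in use


def scenario():
    tool, eng = "192.0.2.10", "198.51.100.20"
    results = {}
    lines = build_lines()
    # Idle device: the engineer is offered vty 0, which only permits tools.
    results["engineer_idle_box"] = connect(lines, eng)
    # Five tool sessions fill vty 0-4; the sixth is offered vty 5 and denied.
    results["tools"] = [connect(lines, tool) for _ in range(6)]
    # With vty 0-4 busy, the engineer is offered vty 5 and is permitted.
    results["engineer_after_tools"] = connect(lines, eng)
    # Rotary-style selection: only vty 5-15 are candidates from the start.
    lines = build_lines()
    results["engineer_rotary"] = connect(lines, eng, group=range(5, 16))
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Under this assumption the tool cap works as intended, but engineers are refused whenever any of vty 0-4 is idle, which is the failure the question anticipates.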

2 Replies

Ganesh Hariharan
VIP Alumni

Hi,

I never tested the above setup, but I know this is possible with IP address selection. As far as I know, devices select the VTY connection in a random way and it has no sense.

So my view is that if the administrator is sitting on the specified IP address and knows the password, it will be permitted if the password is right, based on ACL acceptance.

Hope it Helps

-GI
 
Rate if it Helps.

 

 

 

nspasov
Cisco Employee

You can utilize rotary groups. Check out the thread below. It is not exactly related to the topic that you are discussing here but it should give you an idea of what I am talking about :)

 

https://supportforums.cisco.com/discussion/11721671/how-change-ports-access

 

Thank you for rating helpful posts!
