08-05-2007 05:31 AM - edited 03-03-2019 06:11 PM
What's the difference between
>access-class 3 in
and
>ip access-group 3 in
and why do I have to use access-class on VTY connections?
08-05-2007 05:48 AM
Hi,
access-class is used to define, generally by source address, which remote systems are allowed to connect via telnet or SSH to your device.
access-group instead specifies an ACL for packets allowed to traverse an interface, regardless of whether they are destined to the router or not.
Hope this helps; please rate the post if it does!
08-05-2007 05:56 AM
Sorry, but I don't understand:
why can't I use >ip access-group in the first case too?
08-05-2007 06:01 AM
You can, but access-class is made specifically for the purpose, and it's easier to configure and understand when reading the configuration.
So you can still limit remote access to the router, but you do not have an ACL under the interface in case you don't need one for other purposes.
As an appreciation to those providing answers, please rate useful posts using the scrollbox below!
08-05-2007 07:04 AM
So with access-class I can block the access of all those people who are trying to telnet to the router; that's what it is for?
And what about telnetting from the router? Can I limit that too with access-class?
08-05-2007 08:23 AM
Yes.
To limit telnet from the router you would use an access-group under the interface.
Please remember to rate useful posts!
08-05-2007 08:28 AM
Yes, you can restrict inbound telnet by applying access-class to the VTY lines, assuming you have defined the access-list and applied access-class on lines vty 0 15 as (in).
As for outbound telnet, you would do it differently, using access-group and applying it to the interface on which you want outbound telnet to be blocked. Again, same principle with access-group: create the access-list and apply it to the interface as (out).
HTH
Jorge
08-05-2007 01:46 PM
I must disagree with my colleagues Paolo and Jorge. Access-class can be applied both inbound and outbound. When access-class is applied inbound it limits telnet (or SSH or whatever remote access method) TO the router and when access-class is applied outbound it limits telnet etc FROM the router. It is not necessary to use access-group on interfaces to limit outbound telnet and is much easier and more efficient to use access-class out.
HTH
Rick
08-05-2007 02:27 PM
Good, thanks for correcting me Rick.
I had forgotten. So many features, so little brain to memorize them all.
08-05-2007 02:40 PM
Also, isn't an access-group ACL skipped for packets originated by the router, even if applied on the interface? Today I tried blocking outgoing ICMP ttl-exceeded messages, and found that whatever ACL I write, the packets happily leave the router, although the interface is configured to prevent them from doing so. All debugs show that I am doing the correct thing, and when somebody else originates the packet type I am blocking, it is really blocked.
But not packets originating from the router.
08-05-2007 05:30 PM
Pavlo
You raise an excellent point, which I had not thought about in my previous post. An ACL applied outbound (with access-group out) will filter only traffic that goes through the router but will not filter traffic that originates on the router. This is an aspect of ACLs that many people are slow to recognize, and I am glad that you have figured it out. And you are quite correct that access-group out will not be effective in controlling outbound telnet. So the only solution that really works is access-class out.
HTH
Rick
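The configuration below puts the thread's conclusions side by side: access-class in on the VTY lines (Paolo's first answer) to restrict who may reach the router, access-class out (Rick's correction) to restrict where a logged-in user may telnet to from the router, and ip access-group on an interface, which only ever filters transit traffic. This is an added example, not configuration posted by any participant; the ACL names, addresses and interface are constructed values.

```cisco
! Constructed example: who may open a telnet/SSH session TO the router.
! A standard ACL on access-class in matches the SOURCE address of the
! incoming session.
ip access-list standard VTY-IN
 permit 10.1.1.0 0.0.0.255
 deny   any log
!
! Constructed example: where a user already logged in on a vty may
! telnet TO from the router. With access-class out the ACL is matched
! against the DESTINATION address of the connection the user opens.
ip access-list standard VTY-OUT
 permit 10.2.2.10
 deny   any log
!
line vty 0 15
 access-class VTY-IN in
 access-class VTY-OUT out
 transport input ssh
!
! ip access-group filters packets that pass THROUGH the router only.
! Per the thread, traffic originated by the router itself (including
! a telnet the router opens) is not checked by this ACL, so this does
! NOT replace access-class out; it only blocks transit telnet.
ip access-list extended TRANSIT-OUT
 deny   tcp any any eq 23 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group TRANSIT-OUT out
```

The two filters answer different questions and are checked at different points: access-class is evaluated when a VTY session is opened (in) or when a session on a VTY opens an outbound connection (out), while ip access-group is evaluated per packet on the interface. The deny entries carry log so that rejected management connections show up in syslog, which is where a defender would look when reviewing who is probing the VTY lines.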
08-05-2007 02:44 PM
Rick is correct; telnet restriction can be effectively applied for inbound/outbound with access-class (in) and/or (out).
I misunderstood the poster's second question!
"and what about telnetting from the router? can I limit that too with access-class?"
08-06-2007 01:50 AM
What I meant is when you issue a telnet from your router to some host or another router.
But it's all right, because Rick has already answered that in his previous post.
Thanks a lot, guys, you are really helpful!