02-28-2017 02:07 PM - edited 03-08-2019 09:32 AM
hi guys,
I'm wondering why we have to use the access-class command to apply an ACL to a VTY line to restrict telnet / ssh access. I know that the VTYs are in software and are not physically bound to a particular interface, but wouldn't placing an ACL with the access-group command on an interface block the unwanted traffic already?
Thanks
02-28-2017 03:02 PM
Yes it would. And depending on your scenario it could be the better approach to secure access to your ssh/telnet lines.
But imagine a router with plenty of interfaces and different ACL requirements per interface. Managing access to the router can be challenging in this scenario. And when adding more interfaces, you must not forget to place an ACL on that interface. All that can be much easier with the service-specific ACLs.
03-01-2017 01:05 AM
Thank you Karsten. So I would create an ACL (standard or extended) to restrict Telnet / SSH traffic and not assign it to a particular physical interface, but with access-class to the VTY lines, right?
03-01-2017 01:16 AM
Right! Typically, standard ACLs are used, as you just filter on the source IP of the SSH/Telnet user.
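As an added illustration of the approach agreed on in this thread (this is example configuration, not something posted by the participants), the IOS snippet below restricts VTY access to one management subnet with a standard named ACL applied via access-class, so no per-interface access-group is needed for management-plane filtering. The ACL name MGMT-ACCESS, the management subnet 10.10.0.0/24, and the logging settings are assumed values chosen for the example.

```cisco
! Standard ACL: VTY filtering only needs the source address of the SSH/Telnet user.
! MGMT-ACCESS and 10.10.0.0/24 are assumed example values.
ip access-list standard MGMT-ACCESS
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
! Apply the ACL to the VTY lines, not to a physical interface.
! access-class evaluates the source of the inbound management session itself,
! so it covers every interface, including ones added later.
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! Verify that the line has the ACL bound and watch hit counters on the deny entry;
! the "log" keyword above produces a syslog message for each rejected attempt.
do show ip access-lists MGMT-ACCESS
do show line vty 0 4
```

Note that access-class only protects sessions terminating on the router's own VTY lines; an interface access-group filters transit traffic as well, so the two are complementary rather than interchangeable. The "deny any log" entry makes refused management attempts visible in syslog, which is the detection signal an operator wants from this control.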
03-01-2017 01:19 AM
Thank you very much, I appreciate your help.
Best Regards
Adam