access-class confusion

AdamBudzinski

Hi guys,

I'm wondering why we have to use the access-class command to apply an ACL to a VTY line to restrict telnet / ssh access. I know that the VTYs are in software and are not physically bound to a particular interface, but wouldn't placing an ACL with the access-group command on an interface block the unwanted traffic already?

Thanks

1 Accepted Solution

Yes it would. And depending on your scenario it could be the better approach to secure access to your ssh/telnet lines.

But imagine a router with plenty of interfaces and different ACL requirements per interface. Managing access to the router can be challenging in this scenario. And when adding more interfaces, you should not forget to place an ACL on that interface. All that can be much easier with the service-specific ACLs.

Thank you Karsten. So I would create an ACL (standard or extended) to restrict Telnet / SSH traffic and not assign it to a particular physical interface but with the access-class to the VTY lines, right?

Right! Typically, standard ACLs are used as you just filter on the source-IP of the SSH/Telnet-user.

Thank you very much, I appreciate your help. 

Best Regards

Adam 
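
Added example, not part of the original thread: the two approaches discussed above, side by side as an IOS configuration sketch. The management subnet 192.0.2.0/24, the router address 198.51.100.1, the ACL names and the interface are constructed placeholders.

```cisco
! Constructed example: 192.0.2.0/24 stands in for the management subnet,
! 198.51.100.1 for one of the router's own addresses. ACL names and the
! interface are assumptions, not values from the thread.
!
! --- Approach 1: service-specific ACL on the VTY lines (access-class) ---
! A standard ACL is enough because only the source IP of the
! SSH/Telnet user is checked. It covers every interface at once and
! does not touch traffic routed through the device.
ip access-list standard VTY-MGMT
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Apply it to every VTY range the device has, not only 0 4.
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
!
! --- Approach 2: interface ACL (access-group) ---
! An inbound interface ACL also filters transit traffic, so the
! entries name the router's own address as destination. One pair of
! entries is needed per router address, and the ACL has to be applied
! on every interface, including ones added later.
ip access-list extended EDGE-IN
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
 deny   tcp any host 198.51.100.1 eq 22
 deny   tcp any host 198.51.100.1 eq telnet
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
```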
