02-28-2017 02:07 PM - edited 03-08-2019 09:32 AM
Hi guys,
I'm wondering why we have to use the access-class command to apply an ACL to a VTY line to restrict Telnet/SSH access. I know that the VTYs are in software and are not physically bound to a particular interface, but wouldn't placing an ACL on an interface with the access-group command block the unwanted traffic already?
Thanks
Labels: Other Switching
Accepted Solutions
02-28-2017 03:02 PM
Yes, it would. And depending on your scenario it could be the better approach to secure access to your SSH/Telnet lines.
But imagine a router with plenty of interfaces and different ACL requirements per interface. Managing access to the router can be challenging in this scenario. And when adding more interfaces, you should not forget to place an ACL on that interface. All that can be much easier with the service-specific ACLs.
03-01-2017 01:05 AM
Thank you Karsten. So I would create an ACL (standard or extended) to restrict Telnet/SSH traffic and not assign it to a particular physical interface, but with access-class to the VTY lines, right?
03-01-2017 01:16 AM
Right! Typically, standard ACLs are used, as you just filter on the source IP of the SSH/Telnet user.
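To show the two approaches side by side, here is an added IOS configuration example (not posted by anyone in this thread). The ACL names, the 10.0.0.0/24 management range and the interface GigabitEthernet0/1 are assumptions chosen for illustration; the standard ACL under `line vty` is the method the accepted answer recommends, and the interface ACL is the per-interface alternative the question asks about.

```cisco
! --- Option 1 (recommended in the thread): service-specific ACL on the VTY lines ---
! A standard ACL is enough because access-class only needs the SOURCE of the
! management session. It applies to every interface the device has, including
! ones added later, because the VTYs are not bound to a physical port.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! --- Option 2 (the question's idea): per-interface ACL with access-group ---
! This must be repeated on every interface that can reach the device, and the
! destination should be scoped to the router's own address: "deny tcp any any eq 22"
! would also drop SSH traffic merely transiting the router, not just sessions to it.
! 192.0.2.1 is an assumed address of the router itself.
ip access-list extended MGMT-FILTER-GI0-1
 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.1 eq 22
 deny   tcp any host 192.0.2.1 eq 22 log
 deny   tcp any host 192.0.2.1 eq telnet log
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group MGMT-FILTER-GI0-1 in
!
! --- Verification ---
! Hit counters on the VTY ACL show both accepted and denied login attempts;
! the "log" keyword on the deny line also produces a syslog entry per blocked source.
show ip access-lists MGMT-HOSTS
show running-config | section line vty
```

Because `access-class` is evaluated only for connections terminating on the device's own VTYs, it cannot interfere with transit traffic the way a mis-scoped interface ACL can; the `deny any log` line at the end of MGMT-HOSTS is what gives you a record of rejected management attempts for monitoring.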
03-01-2017 01:19 AM
Thank you very much, I appreciate your help.
Best Regards
Adam
