09-02-2016 11:49 PM - edited 03-08-2019 07:17 AM
Hi all,
I have a problem with an extended ACL permitting telnetting from any host to only one router interface. After a couple of hours of going mental, I found this in the Cisco documentation:
By design, access-class only matches the source IP address of the access-list. Access-class allows access to the router as a whole, not access to the router only on a particular router address.
The question is: How can I set extended ACL to allow telnet to only one router interface/ IP address?
permit
Appreciate any help.
09-03-2016 01:43 AM
Hi;
Is there any reason to restrict your telnet session to specific IP Address/interface of router?
To restrict telnet, the best option is applying an access-class on the vty line.
For your requirement you would need to apply the ACL on all the interfaces and permit/deny telnet requests, but on the other hand all the traffic inbound to the router will be checked against the ACL with reference to telnet, which overloads the CPU of the router.
Thanks & Best regards;
09-03-2016 01:54 AM
Thank you for your reply.
I am not concerned about router resources being overloaded. At this stage I am more in the mode of "is this even possible?" What you are suggesting is a workaround and sure, if my original plan doesn't work, I can try that. But is this possible, or is Cisco right when saying:
By design, access-class only matches the source IP address of the access-list. Access-class allows access to the router as a whole, not access to the router only on a particular router address.
09-03-2016 04:09 AM
Hi Josip;
Technically speaking, you can restrict router telnet sessions on a specific address / interface by applying an access-class on the vty line. It only checks the source address and takes the decision to either allow or drop. VTY lines are solely used to control inbound Telnet/SSH connections, whichever interface they come in on.
Your requirement is doable by applying the ACL on all the physical interfaces of the router and allowing/dropping telnet traffic for a specific source/destination. But remember that by default the last statement of an ACL is deny-all, which will drop all the traffic. To avoid legitimate traffic being dropped you need to put an allow-all statement or allow all the trusted traffic.
Thanks & Best regards;
09-03-2016 04:20 AM
Thank you.
Based on the Cisco documentation and your answer, an extended ACL cannot be used in a way that it is applied to
09-03-2016 05:06 AM
Yes, it cannot be done.
09-03-2016 06:52 PM
It is quite true that with access-class it is not possible to restrict telnet access to a particular router interface. If your requirement is to restrict access to a particular interface then you might want to look into Control Plane Policing, assuming that this feature is supported on your platform and its version of code.
HTH
Rick
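For reference, here is an added IOS configuration example (not from any poster in this thread, nor from Cisco documentation) that puts both approaches mentioned above side by side: the extended ACL on every routed interface from the 04:09 AM reply, and Rick's Control Plane Policing suggestion. The addresses, interface names and ACL names are constructed assumptions; the management address is a loopback so it exists independently of any physical interface.

```cisco
! Added example, not from the thread. Constructed addresses: Loopback0 10.0.0.1 is the
! only address meant for management; 10.10.10.0/24 is the assumed management subnet.
!
! --- Option A: extended ACL inbound on every routed interface (the 04:09 AM workaround) ---
ip access-list extended TELNET-TO-LO0-ONLY
 remark telnet to the management address, from the management subnet only
 permit tcp 10.10.10.0 0.0.0.255 host 10.0.0.1 eq telnet
 remark telnet aimed at the router's other addresses is dropped (transit telnet untouched)
 deny   tcp any host 192.0.2.1 eq telnet
 deny   tcp any host 198.51.100.1 eq telnet
 remark without this line the implicit deny would drop all other traffic
 permit ip any any
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group TELNET-TO-LO0-ONLY in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group TELNET-TO-LO0-ONLY in
!
! --- Option B: Control Plane Policing (Rick's suggestion) ---
! CoPP only sees packets punted to the router itself, so the destination is always one of
! the router's own addresses and the policy needs no per-interface configuration.
ip access-list extended COPP-TELNET-OTHER-ADDRESS
 remark deny = "not a match", so telnet to the management address passes the class
 deny   tcp 10.10.10.0 0.0.0.255 host 10.0.0.1 eq telnet
 remark any other telnet to the router matches the class and is dropped
 permit tcp any any eq telnet
!
class-map match-all COPP-TELNET-DROP
 match access-group name COPP-TELNET-OTHER-ADDRESS
!
policy-map COPP
 class COPP-TELNET-DROP
  drop
!
control-plane
 service-policy input COPP
!
! Keep the source check on the vty too; as the thread says, access-class matches source only.
ip access-list standard MGMT-SOURCES
 permit 10.10.10.0 0.0.0.255
line vty 0 4
 access-class MGMT-SOURCES in
 transport input telnet
```

Option A costs an ACL lookup on every inbound packet of every interface, which is the CPU concern raised in the 01:43 AM reply; Option B is evaluated only for traffic destined to the router, but requires a platform and IOS release that support CoPP.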