05-22-2018 02:27 PM - edited 03-08-2019 03:06 PM
Dears,
I'm trying to restrict VTY access with an extended access-list. Whenever I specify the extended access-list with source, destination and port number on the VTY lines, it doesn't work; when I remove the port number it works fine. What am I missing?
05-22-2018 04:00 PM
Hi,
here is a similar post that may assist you further:
https://supportforums.cisco.com/t5/lan-switching-and-routing/access-list-on-line-vty/td-p/1252237
05-23-2018 12:57 PM
Thanks to both of you,
I made a writing error in the post: instead of the destination address I wrote a port number (SSH); hence when I enter a destination it was not working.
I had seen these posts before posting; since they were very old I thought let's put it again to see if anything has changed in the new IOS architecture, but I'm still getting the same replies.
So you both are confirming that there is still no solution for the destination address in the extended ACL when applied to the VTY lines.
Thanks
05-23-2018 02:28 PM
If you think about it, one of the features of putting an ACL on line vty (access-class) is that it controls access no matter which interface of the device was used for access. So it is really not checking the destination address, which is equivalent to permit any for the destination.
If you get into something like control plane policing you can create policies that control based on destination address. But as long as you are using ACL on vty I would not ever expect that an extended access list specifying destination would work.
HTH
Rick
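A constructed IOS configuration, added here and not part of the thread, that shows the ACL shape Rick describes: access-class evaluates only the source, so the destination is written as any. The management host, router address and VTY line range are assumed placeholders.

```text
! Constructed example (not from the thread). Assumed values:
!   192.0.2.10   = management host allowed to reach the VTY lines
!   198.51.100.1 = one of the router's own interface addresses
!
! What the original poster tried: an extended ACL naming a destination
! address. Under access-class the destination is not evaluated, so this
! entry cannot be relied on to match and the lines end up unreachable.
ip access-list extended VTY-ACL-BROKEN
 permit ip host 192.0.2.10 host 198.51.100.1
!
! Rick's point: only the source is checked, so write the destination as
! any. Access is then restricted to the management host regardless of
! which interface the session arrived on. The explicit deny with log
! records rejected attempts for review.
ip access-list extended VTY-ACL
 permit ip host 192.0.2.10 any
 deny   ip any any log
!
line vty 0 4
 access-class VTY-ACL in
 transport input ssh
!
! Verification: the permit counter increments on a successful management
! login, the deny counter on rejected sources.
! show access-lists VTY-ACL
```

The defensive check a practitioner wants is the deny line with log, so that connection attempts from unexpected sources show up in the device log and in the ACL hit counters.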
05-23-2018 02:36 PM
Dears,
+5 to all 3 of you.
thanks
05-24-2018 02:15 PM
You are welcome. Thank you for the helpful vote and for marking this question as solved.
HTH
Rick