Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
934
Views
15
Helpful
6
Replies

line vty access-list SSH port

Go to solution
adamgibs7
Level 6
Level 6

‎05-22-2018 02:27 PM - edited ‎03-08-2019 03:06 PM

Dears,

I m trying to restrict the VTY access by an extended access-list , whenever I specify the extended access-list with source and destination and port number on a VTY lines, it doesn't work, when I remove the port number it works fine, what is missing from me.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to adamgibs7

‎05-23-2018 02:28 PM

If you think about it one of the features of putting ACL on line vty (access-class) is that it controls access no matter which interface of the device was used for access. So it is really not checking destination address, which is equivalent to permit any for the destination.

 

If you get into something like control plane policing you can create policies that control based on destination address. But as long as you are using ACL on vty I would not ever expect that an extended access list specifying destination would work.

 

HTH

 

Rick

HTH

Rick

View solution in original post

6 Replies 6

Go to solution
mattjones03
Level 1
Level 1

‎05-22-2018 04:00 PM

Hi,

 

here is a similar post that may assist you further;

 

https://supportforums.cisco.com/t5/lan-switching-and-routing/access-list-on-line-vty/td-p/1252237

 

Go to solution
adamgibs7
Level 6
Level 6
In response to Meheretab Mengistu

‎05-23-2018 12:57 PM

Thanks for both of you,

 

I made a writing in the post instead of destination address I have written a port number ( ssH) hence when I enter a destination it was not working.

 

I have been to these post's before posting hence they were very old so I thought lets put it again to see if anything as changed in the new IOS architecture but still I m getting the same replies,

 

so  u both are confirming that no solution has been still for the destination address in the ext ACL when applied to the VTY lines.

 

thanks

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to adamgibs7

‎05-23-2018 02:28 PM

If you think about it one of the features of putting ACL on line vty (access-class) is that it controls access no matter which interface of the device was used for access. So it is really not checking destination address, which is equivalent to permit any for the destination.

 

If you get into something like control plane policing you can create policies that control based on destination address. But as long as you are using ACL on vty I would not ever expect that an extended access list specifying destination would work.

 

HTH

 

Rick

HTH

Rick

Go to solution
adamgibs7
Level 6
Level 6
In response to Richard Burts

‎05-23-2018 02:36 PM

Dears,

 

+5 to all 3 of you.

 

thanks

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to adamgibs7

‎05-24-2018 02:15 PM

You are welcome. Thank you for the helpful vote and for marking this question as solved.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card