using multiple VTY access lists to restrict access

Ahmed Dockrat
Level 1

Hi

Is it possible to use multiple VTY access lists to control access to the router on different VTY instances?

Example: use standard access list 1 to restrict vty 0 4 and use access list 2 to restrict vty 5 6.

We have this setup on multiple different router platforms. I thought the routers would be able to tell which access-list the source is allowed in and open that specific VTY session/group, but the router always uses the next available VTY session. This happens across different platforms.

I haven't been able to find any Cisco documentation around this limitation.

Example config:

line vty 0 4
 session-timeout 10  output
 access-class 1 in
 exec-timeout 30 0
 password ************
 logging synchronous
 transport preferred telnet
 transport input telnet ssh
 transport output telnet ssh
line vty 5 6
 session-timeout 10  output
 access-class 2 in
 exec-timeout 30 0
 password ************
 logging synchronous
 transport preferred telnet
 transport input telnet ssh
 transport output telnet ssh

access-list 1 remark RANGE for USERS-X
access-list 1 permit x.x.x.x 0.0.0.255
access-list 1 deny   any log

access-list 2 remark RANGE for USERS-Y
access-list 2 permit y.y.y.y
access-list 2 deny   any log

Thanks


6 Replies

Philip D'Ath
VIP Alumni

That won't work. Use AAA and username/password instead.

aaa new-model
aaa authentication login default local
aaa authorization exec default local

If you are using a modern router:

username <user1> privilege 15 algorithm-type scrypt secret <password>

Or if you are using an older router:

username <user1> privilege 15 secret <password>

Agreed that would work.

Why would the other option using multiple VTY instances not work?

Because the VTY lines are allocated in order, and then the access-list is checked.  The access-list does not select the VTY line.  The access-list only controls access to the current VTY line that the user is connected to.

Thanks
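As an added example that is not part of the original thread: because the VTY line is chosen before the access-class is evaluated, the practical fix is to put one access-class that admits both source ranges on every VTY line, and to use per-user AAA for anything finer than source address. The ACL name, user names and the x.x.x.x / y.y.y.y addresses below are placeholders carried over from the original post; the block assumes a standard IOS image with SSH support.

```cisco
! Merge the two source ranges from the original ACLs 1 and 2 into one
! named standard ACL. Placeholders: x.x.x.x (network), y.y.y.y (host).
ip access-list standard VTY-MGMT
 remark RANGE for USERS-X
 permit x.x.x.x 0.0.0.255
 remark HOST for USERS-Y
 permit host y.y.y.y
 deny any log

! Per-user authentication and authorization, so the user identity decides
! what the session may do rather than which VTY line it happened to land on.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! Hypothetical accounts: one full-privilege user, one operator.
username admin-x privilege 15 secret <password>
username oper-y privilege 1 secret <password>

! SSH only; the original lines also accept and prefer Telnet, which sends the
! line password in clear text.
ip ssh version 2

! Same access-class on every line (the original's 0 4 and 5 6 groups), so it
! no longer matters which free line the connection is allocated.
line vty 0 6
 access-class VTY-MGMT in
 exec-timeout 30 0
 logging synchronous
 transport preferred none
 transport input ssh
```

The two original line blocks (vty 0 4 and vty 5 6) can stay separate as long as both carry the same access-class; the single `line vty 0 6` range above is just shorter. To confirm the behaviour described in the accepted answer, open two or three SSH sessions from a permitted host and run `show users`: each session appears on the lowest free VTY line regardless of its source address, and `show access-lists VTY-MGMT` shows the permit and deny hit counts (the `log` keyword on the deny also produces a syslog message for each rejected source).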

Hello
FYI - you CAN pick a VTY line to access, but again it would still be available for when you don't specify it also.

Example:
line vty 0 2
transport preferred none
transport input none

line vty 3
transport preferred none
transport input telnet
login local

line vty 4
transport preferred none
transport input telnet
rotary 127
access-class 10 in
login local

telnet x.x.x.x 3127 (now you will hit vty 4 each time)
telnet x.x.x.x (it will also be available, but you may or may not hit vty 3 or 4)

res
Paul

beaujns12
Level 1

You'd have to go with Juniper if you want this type of control.
