03-13-2017 01:16 AM - edited 03-08-2019 09:42 AM
Hi
Is it possible to use multiple vty access lists to control access to the router on different vty instances?
Example: use standard access list 1 to restrict vty 0-4 and use access list 2 to restrict vty 5-6.
We have this setup on multiple different router platforms. I thought the routers would be able to tell which access-list the source is allowed in and open that specific vty session/group, but the router always uses the next available vty session. This happens across different platforms.
I haven't been able to find any Cisco documentation around this limitation.
Example config:
line vty 0 4
 session-timeout 10 output
 access-class 1 in
 exec-timeout 30 0
 password ************
 logging synchronous
 transport preferred telnet
 transport input telnet ssh
 transport output telnet ssh
line vty 5 6
 session-timeout 10 output
 access-class 2 in
 exec-timeout 30 0
 password ************
 logging synchronous
 transport preferred telnet
 transport input telnet ssh
 transport output telnet ssh
access-list 1 remark RANGE for USERS-X
access-list 1 permit x.x.x.x 0.0.0.255
access-list 1 deny any log
access-list 2 remark RANGE for USERS-Y
access-list 2 permit y.y.y.y
access-list 2 deny any log
Thanks
03-13-2017 11:10 PM
That won't work. Use aaa and username/password instead.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
If you are using a modern router:
username <user1> privilege 15 algorithm-type scrypt secret <password>
Or if you are using an older router:
username <user1> privilege 15 secret <password>
03-14-2017 12:48 AM
Agreed that would work.
Why would the other option using multiple vty instances not work?
03-14-2017 12:51 AM
Because the VTY lines are allocated in order, and then the access-list is checked. The access-list does not select the VTY line. The access-list only controls access to the current VTY line that the user is connected to.
03-14-2017 03:30 AM
Thanks
03-14-2017 04:19 AM
Hello
FYI - You CAN pick a vty line to access, but again it would still be available for when you don't specify it also.
Example:
line vty 0 2
 transport preferred none
 transport input none
line vty 3
 transport preferred none
 transport input telnet
 login local
line vty 4
 transport preferred none
 transport input telnet
 rotary 127
 access-class 10 in
 login local
telnet x.x.x.x 3127 (now you will hit vty 4 each time)
telnet x.x.x.x (it will also be available, but you may or may not hit vty 3 or 4)
res
Paul
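To make the accepted answer's ordering concrete (lowest free VTY is allocated first, and only then is that line's access-class evaluated), here is a constructed Python model added to this thread; it is not IOS code and not from Cisco or any poster. It replays the original split-ACL config, a single combined ACL on every line as the plain mitigation, and Paul's rotary 127 setup reached via TCP port 3127; the 10.x addresses are made-up stand-ins for x.x.x.x / y.y.y.y.

```python
from ipaddress import ip_address, ip_network

def acl_permits(acl, src):
    """Standard ACL as [(action, network)]: first match wins, implicit deny at the end."""
    for action, net in acl:
        if ip_address(src) in ip_network(net):
            return action == "permit"
    return False

class Router:
    """Toy model (not IOS code): allocate the lowest free VTY, then check its access-class."""

    def __init__(self, lines, acls, rotary=None):
        self.lines = lines          # {vty: ACL number applied with 'access-class N in', or None}
        self.acls = acls            # {ACL number: [(action, network), ...]}
        self.rotary = rotary or {}  # {tcp port: [vty, ...]} for 'rotary N' (telnet port 3000+N)
        self.busy = set()

    def connect(self, src, port=23):
        """Return the VTY granted to a session from src, or None if the login is refused."""
        pool = self.rotary.get(port, sorted(self.lines))
        free = [v for v in pool if v not in self.busy]
        if not free:
            return None  # every eligible line is busy
        vty = free[0]    # lowest free line; the source address plays no part here
        acl = self.lines[vty]
        if acl is not None and not acl_permits(self.acls[acl], src):
            return None  # the access-class on *this* line rejects src
        self.busy.add(vty)
        return vty

# Constructed addresses standing in for the x.x.x.x / y.y.y.y ranges in the question.
ACL1 = [("permit", "10.1.1.0/24"), ("deny", "0.0.0.0/0")]
ACL2 = [("permit", "10.2.2.7/32"), ("deny", "0.0.0.0/0")]
ACL3 = [("permit", "10.1.1.0/24"), ("permit", "10.2.2.7/32"), ("deny", "0.0.0.0/0")]

def split_vty_acls():
    """Original config: vty 0-4 use ACL 1, vty 5-6 use ACL 2. A USERS-Y host is refused."""
    r = Router({0: 1, 1: 1, 2: 1, 3: 1, 4: 1, 5: 2, 6: 2}, {1: ACL1, 2: ACL2})
    return r.connect("10.2.2.7")  # lands on vty 0, ACL 1 denies -> None

def single_acl_all_lines():
    """Mitigation without AAA: one ACL permitting both ranges on every line."""
    r = Router({v: 3 for v in range(7)}, {3: ACL3})
    return r.connect("10.2.2.7"), r.connect("10.1.1.9")  # -> (0, 1)

def rotary_port():
    """Paul's config: vty 3 open, vty 4 in rotary 127 (port 3127) behind ACL 10."""
    r = Router({3: None, 4: 10}, {10: [("permit", "10.2.2.7/32")]}, rotary={3127: [4]})
    return r.connect("10.9.9.9", 3127), r.connect("10.2.2.7", 3127), r.connect("10.2.2.7")  # -> (None, 4, 3)
```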
10-18-2018 07:52 AM
You'd have to go with Juniper if you want this type of control.