
VTY - Access Lists

Hi all,

Hope to find everyone well.

I'm trying to implement an access list on the VTY lines to restrict access to only a certain range of IP addresses, but every time I create the access list and apply it using the access-class command I end up locking myself out, and not even the IP addresses that I configured have access.

I'm doing the following config.

ip access-list standard SWITCH_ACCESS
  permit ip 10.1.0.0 0.0.128.255
  deny any

Then on the VTY lines:

access-class SWITCH_ACCESS in

By doing this the switch automatically blocks all the IP addresses from accessing the switch and I can't understand why.

Any guesses please?

Thank you
Accepted Solution

There is a syntax error in the ACL which results in an empty "deny any" ACL. Likely you want this ACL:

ip access-list standard SWITCH_ACCESS
  permit 10.1.0.0 0.0.127.255
--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
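
As an added illustration that is not part of the original thread: a small Python model of standard-ACL evaluation (wildcard bits set to 1 are ignored, first match wins, implicit deny at the end). It compares the ACL as the accepted answer describes it, the corrected ACL, and a hypothetical ACL that keeps the original 0.0.128.255 wildcard in valid syntax; the function names and sample addresses are constructed for this example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style match: wildcard bits set to 1 are ignored, 0 bits must equal base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, addr):
    """First matching entry wins; a standard ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# ACL as the accepted answer describes it: the "permit ip" line is a
# syntax error, so only "deny any" is left.
AS_ENTERED = [("deny", *ANY)]
# ACL from the accepted answer (the implicit deny covers everything else).
CORRECTED = [("permit", "10.1.0.0", "0.0.127.255")]
# Hypothetical: the original wildcard 0.0.128.255 entered with valid syntax.
# 128 = 1000 0000b, so only the top bit of the third octet is ignored.
WILDCARD_128 = [("permit", "10.1.0.0", "0.0.128.255"), ("deny", *ANY)]

# Constructed sample source addresses.
SAMPLES = ["10.1.0.10", "10.1.64.10", "10.1.127.254",
           "10.1.128.10", "10.1.200.10", "192.0.2.5"]

def report():
    """Map each sample address to (as entered, corrected, wildcard 128) results."""
    return {ip: (evaluate(AS_ENTERED, ip),
                 evaluate(CORRECTED, ip),
                 evaluate(WILDCARD_128, ip)) for ip in SAMPLES}

if __name__ == "__main__":
    print(f"{'source':15} {'as entered':11} {'corrected':10} wildcard 128")
    for ip, (entered, fixed, w128) in report().items():
        print(f"{ip:15} {entered:11} {fixed:10} {w128}")
```

With 0.0.127.255 the permit covers 10.1.0.0 through 10.1.127.255, while 0.0.128.255 would match only third-octet values 0 and 128.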


4 Replies

Thank you very much Karsten, all working now.

cmarva
Level 8

In addition to Karsten's response, if this device has a VRF-aware mgmt interface, and that is what you are using, you will also need to include vrf-also in your access-class statement.

Shorty
Frequent Visitor

Thank you. That was my issue.