
VTY Extended ACL

mustafa.chapal
Level 1

I am trying to apply an access class but it is not working as expected. Please help

interface GigabitEthernet0/3.100
 encapsulation dot1Q 100
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 ip verify unicast reverse-path
 no cdp enable
!
interface GigabitEthernet0/3.101
 encapsulation dot1Q 101
 ip address 2.2.2.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 ip verify unicast reverse-path
 no cdp enable
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 2222 rotary 1
ip ssh version 2
!
ip access-list extended vty
 permit tcp any host 1.1.1.1 eq 2222
 permit tcp 1.1.1.0 0.0.0.255 host 1.1.1.1 eq 22
 deny   ip any any
!
line vty 0 4
 access-class vty in
 privilege level 15
 rotary 1
 transport input ssh
 transport output none

4 Replies

Diana Karolina Rojas
Cisco Employee

Hello Mustafa!

"It is not working as expected": so what do you want to do? What is the problem? From which IP address are you trying to open the SSH session?

Regards,

Hi

If I'm reading that right and it's all on the same device, you're allowing an IP subnet that exists on the same router in the VTY ACL. You don't need to do that: the VTY is for remote connectivity to the device, so you would allow subnets or hosts that don't exist on the router in the ACL for the VTY. Wherever you may be trying to access the device from, a local PC on the network or off the network, that's the IP that needs to be included in the ACL, so it is allowed inbound through the VTY port to access the device.

First, I want any IP to be able to access the VTY through SSH port 2222, on only interface 0/3.100 (IP 1.1.1.1).

Second, I want only one internal network, 1.1.1.0/24, to access the VTY through SSH port 22 on both available interfaces, 0/3.100 and 0/3.101 (IPs 1.1.1.1 and 2.2.2.2).

An access-class is not really the right place to restrict that. Take a look at Control Plane Protection and/or Control Plane Policing. If you really want to do it with just ACLs, then create an ACL and apply it to the interface.

I believe the documentation states that extended ACLs are not allowed for access-class. That being said, it can be done, but there are some caveats. See this post for more info: https://supportforums.cisco.com/discussion/10756526/access-list-line-vty

HTH
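As an added check that is not part of the thread, here is a small Python evaluator that reads the access list posted in the question as a plain extended ACL (source, destination and destination port all matched, as an interface-applied ACL would) and tests it against SSH sessions constructed from the two stated requirements. It does not model the access-class caveats the replies mention; the extra entry for 2.2.2.2 in ACL_VTY_FIXED and the outside host 203.0.113.5 are assumptions.

```python
import ipaddress
# Copy of the "ip access-list extended vty" entries from the question, evaluated
# here as plain extended-ACL entries: source, destination and port are all matched.
ACL_VTY = [
    "permit tcp any host 1.1.1.1 eq 2222",
    "permit tcp 1.1.1.0 0.0.0.255 host 1.1.1.1 eq 22",
    "deny   ip any any",
]
# Assumed extra entry for requirement two: the internal subnet also reaches 2.2.2.2:22.
ACL_VTY_FIXED = ACL_VTY[:2] + ["permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 22"] + ACL_VTY[2:]

def _parse_addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard is an inverted netmask (0.0.0.255 -> /24); contiguous masks only.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.ip_network((t[i], str(netmask)), strict=False), i + 2

def parse_entry(line):
    """Return (action, proto, src_net, dst_net, dst_port_or_None) for one ACL line."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return t[0], t[1], src, dst, dport

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First match wins; anything unmatched hits the implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, eproto, src, dst, eport in map(parse_entry, acl):
        if eproto in ("ip", proto) and s in src and d in dst and eport in (None, dport):
            return action == "permit"
    return False

# Constructed SSH sessions expressing the two requirements from the question
# (203.0.113.5 stands in for an arbitrary outside host).
REQUIRED = {
    ("tcp", "203.0.113.5", "1.1.1.1", 2222): True,   # anyone, port 2222, only on 1.1.1.1
    ("tcp", "203.0.113.5", "2.2.2.2", 2222): False,
    ("tcp", "203.0.113.5", "1.1.1.1", 22): False,    # port 22 is not for outsiders
    ("tcp", "1.1.1.50", "1.1.1.1", 22): True,        # internal subnet, port 22, both addresses
    ("tcp", "1.1.1.50", "2.2.2.2", 22): True,
}

def unmet(acl):
    # Flows whose verdict under acl differs from what the question asked for.
    return [flow for flow, wanted in REQUIRED.items() if evaluate(acl, *flow) != wanted]
```

With the ACL as posted, the internal subnet's SSH to 2.2.2.2 port 22 falls through to the final deny, which is the one requirement the list does not meet; an ACL applied to an interface would in addition need entries for the transit traffic that interface carries.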