Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
970
Views
10
Helpful
3
Replies
Highlighted
saikchak1
Beginner
Beginner
‎12-28-2012 06:07 AM
‎12-28-2012 06:07 AM

vty access list

  Hi,

I am using a ASR9010 which currently has a vty access-list (it's an ipv4 access list ingress) only allowing certain ipv4 prefixes.

My question is, will a source address with an ipv6 address be allowed the vty access? If so how to stop it.

Currently the ASR9010 doesn't have any ipv6 configuration.

Best Regards

Saikat Chakraborty

Labels:
0 Helpful
Reply
3 REPLIES 3
Highlighted
Alexei Kiritchenko
Cisco Employee
Cisco Employee
‎12-28-2012 06:29 AM
‎12-28-2012 06:29 AM

Hello Saikat,

We should use Management Plane Protection instead of ACL on VTY. There you can simultaneously configure IPv4 and IPv6

http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/security/configuration/guide/b_syssec_cg42asr9k_chapter_0100.html

Regards,

/A

Reply
Highlighted
saikchak1
Beginner
Beginner
In response to Alexei Kiritchenko
‎12-28-2012 06:49 AM
‎12-28-2012 06:49 AM

Hi A,

Thanks for your prompt reply, MPP feature was a good read. But my customer is always conservative about changing config in a production router though I will propose it to them.

In the mean time, will a ipv6 source address be able to bypass the vty ipv4 access-list (this is current config)?

Best Regards

Saikat Chakraborty

Note: the ipv4 access list allows certain ipv4 access list and also currently the router has no ipv6 configuration as only ipv4 is used.

0 Helpful
Reply
Highlighted
Alexei Kiritchenko
Cisco Employee
Cisco Employee
In response to saikchak1
‎12-28-2012 06:56 AM
‎12-28-2012 06:56 AM

VTY access-lists are either v4 or v6, no combinations are allowed,  so we can limit either v4 or v6 ingress but not both.

Regards,

/A

Reply
Latest Contents
**New Episode** Cisco Champion Radio: S8|E9 Innovations to A...
Created by aalesna on 03-02-2021 08:04 PM
0
0
0
0
Cisco Champion Radio · S8|E9 Innovations to Achieve a Trustworthy Infrastructure How do you know for certain that a router in your network has not been altered with since you deployed it? Wouldn’t it be great if you can cryptographically challenge your r... view more
ASR9XX Rommon Upgrade
Created by mapandey on 02-18-2021 11:00 PM
0
0
0
0
IOS upgrade on asr9xx mandates rommon upgrades sometimes while they can be optional at other times. You may land up in unwanted situation if proper procedure is not followed during upgrades.   This article will include complete details about rommon ... view more
How to make sure to run latest FPD on NCS560
Created by dpacific on 02-08-2021 10:20 AM
0
0
0
0
The Need In some situation NCS560 RP become unresponsive after reload or powercycle. In many deployments NCS560 far edge, deployment is large and human intervention should be kept at minimum Engineering team have been working on a strategy to have functi... view more
BGP Churn Identification on IOS-XR: ASR9000 use-case
Created by Rajat Chauhan on 01-27-2021 05:30 AM
0
0
0
0
In simple terms, 'Route Churn' is defined as the 'rate of change of prefixes'. Different XR versions across 4.x to 7.x have differing behavior & support for the BGP churn handling and some enhancements made from 6.5.3 onwards (listed in appendix) mak... view more
Mirror active RP content to standby RP - XR 7.1.2 onwards
Created by narvenka on 01-24-2021 04:46 PM
0
0
0
0
  Introduction Prior to Cisco IOS XR Software Release 7.1.2, XR dual RP devices did not support file mirroring from active RP to standby RP. Administrators had to manually perform the task or use EEM scripts to sync files across active RP and stand... view more
Content for Community-Ad