access list on line vty

sharma16031981
Level 1

Hi,

I have one L3 switch with two VLAN interfaces, 10.1.1.1 and 20.1.1.1. On the same switch there are two hosts in each VLAN. Now I want only 10.1.1.11 to be able to telnet to the switch via the VLAN interface IPs (10.1.1.1 and 20.1.1.1).

I wrote this access list:

access-list 101 permit tcp host 10.1.1.11 host 10.1.1.1 eq 23

access-list 101 permit tcp host 10.1.1.11 host 20.1.1.1 eq 23

and applied it as:

line vty 0 4

access-class 101 in

But none of the hosts is able to connect to the switch; if I apply it as access-class 101 out, then both systems get access.

Neither direction achieves the goal, and I want to use an extended list only, because when I use a standard list such as access-list 1 permit 10.1.1.1 and apply it to the line as access-class 1 in, the goal is achieved.

Please advise on the extended list behaviour for performing this task.

thanks !!!

1 Accepted Solution

19 Replies

Giuseppe Larosa
Hall of Fame

Hello Hemant,

You can use a standard ACL to restrict telnet access on the vtys:

access-list 11 permit host 10.1.1.11

line vty 0 4

access-class 11 in

This automatically allows telnet to all IP addresses of the multilayer switch from source 10.1.1.11/32.

Usually we allow telnet connections from NOC IP subnets.

Hope to help

Giuseppe

Dear friend,

That I am able to do, but it is not happening with the extended list. I want 10.1.1.11 to be able to only telnet to the switch, not SSH etc.

Please suggest what changes need to be made in the extended list in my last post.

Thanks !!!

If you don't want SSH, just use "transport input telnet" on the vtys; this will disallow SSH.

Thanks for the suggestion !!!

Now, is there any workaround to use an extended access list for telnet? Please refer to my first post, where I have written the whole configuration.

Is there anyone who can reply to my first post on implementing an extended access list on the vty?

Hello Hemant,

Try this:

access-list 111 permit tcp host 10.1.1.1 any eq 23

to see if in this way you can limit access to telnet only and to the specified host.

Glen's suggestion is valid: if you don't want to use SSH, you can do it that way.

Hope to help

Giuseppe

Buddy,

You mean to say, if the host is 10.1.1.11, then

access-list 111 permit tcp host 10.1.1.11 any eq 23

So now I am able to telnet to the switch from both VLAN interfaces. Thanks for this.

Now, what is the explanation of "any" in the ACL above? Also, if I am applying an extended ACL, why can I not use the interface IP 10.1.1.1 or 60.1.1.1 in place of any?

Or:

What if I want this host 10.1.1.11 to telnet through 10.1.1.1 only, not through 60.1.1.1?

Or, if you don't mind, could you share your email ID so that we can chat?

Thanks, and waiting for your support.

Hi,

Please extend your valuable support.

Thanks.

Hello Everyone,

Please help me with this problem.

Thanks !

No one seems to give an answer to this!!!

Hello Hemant,

I did a search in NetPro using the top-right search button.

Most of the examples provided by colleagues use an "any" destination when using an extended ACL in the access-class in command.

I'm afraid this is a limitation of using extended ACLs for access-class.

I remember a thread where Rick Burts explained this.

I usually configure a standard ACL for access-class.

See this from John Blakley:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cd3247b/6#selected_message

Hope to help

Giuseppe

Giuseppe

Thank you for remembering my discussion of this. I do not remember that specific post but will lay out the issues again.

The optimum solution for access-class applied on vty is to use a standard access list. It is possible to use an extended access list in the access-class but when you do the "destination" address must be any (which sort of defeats the purpose of using extended access lists).

While an extended access list can specify more specific addresses as source and destination when used in access-group on an interface (where it sees traffic with valid, specific source and destination addresses) it does not work that way in access-class on the vty. The reason for this has to do with how the access-class is implemented. One of the advantages of access-class is that it works on remote access to the vty ports. It does not matter which interface the request arrived on (what was the destination address) so there is no evaluation of the destination address in access-class only evaluation of the source address. So if you attempt to use an extended access list with a specific destination address it will not create a match in the logic of access-class.

HTH

Rick

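To put Rick's explanation into one configuration, here is an added worked example; it is not from this thread, from Cisco documentation, or from any poster. It reuses the addresses from the original post (SVIs 10.1.1.1 and 20.1.1.1, management host 10.1.1.11). The interface name Vlan10 and the ACL name VTY-VIA-VLAN10-ONLY are assumptions, and the interface ACL at the end is an alternative the thread itself does not configure: it follows from Rick's point that the destination address is evaluated in access-group on an interface but not in access-class on the vty.

```cisco
! ACL 101 from the original post, kept for comparison. On a vty the
! destination address is never evaluated, so neither ACE can match and
! the implicit deny at the end rejects every connection.
access-list 101 permit tcp host 10.1.1.11 host 10.1.1.1 eq 23
access-list 101 permit tcp host 10.1.1.11 host 20.1.1.1 eq 23
!
! Works: an extended ACL whose destination is "any". access-class only
! checks the source address, so "any" is the only destination that matches.
access-list 111 permit tcp host 10.1.1.11 any eq 23
!
! Equivalent and simpler: a standard ACL (source-only by definition).
access-list 11 permit host 10.1.1.11
!
line vty 0 4
 access-class 111 in
 ! or equivalently:  access-class 11 in
 ! Restrict the line to Telnet; SSH is refused on these vtys.
 transport input telnet
!
! Limiting 10.1.1.11 to telnet toward 10.1.1.1 only (not 20.1.1.1) cannot be
! expressed with access-class. An inbound interface ACL can do it, because on
! an interface both source and destination are evaluated. Assumed SVI: Vlan10.
! The trailing "permit ip any any" is required, otherwise all other traffic
! entering Vlan10 is dropped by the implicit deny.
ip access-list extended VTY-VIA-VLAN10-ONLY
 permit tcp host 10.1.1.11 host 10.1.1.1 eq 23
 deny   tcp any host 10.1.1.1 eq 23
 deny   tcp any host 20.1.1.1 eq 23
 permit ip any any
!
interface Vlan10
 ip access-group VTY-VIA-VLAN10-ONLY in
```

After applying this, "show access-lists 111" shows the hit counter on the permit ACE increasing for each successful telnet from 10.1.1.11, while the counters on ACL 101 (if you leave it applied for testing) never move, which is the observable symptom of the source-only evaluation Rick describes. The vty access-class stays in place as the second layer: the interface ACL decides which SVI address may be reached, and access-class decides which source host may open the session at all.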

Hello Rick,

thanks for your clear explanation.

I remembered that thread because I learned about extended ACLs on vtys from it.

I've never tried to use extended ACLs with access-class, so I couldn't provide an explanation.

I'm satisfied with it and I hope also the original poster will be.

Best Regards

Giuseppe

“The reason for this has to do with how the access-class is implemented.”

Hello Giuseppe & Rick,

Thanks for a nice discussion.

Though Rick has already answered the question,

I was just wondering whether this can be a reason why access-class is implemented this way.

Let's assume there are 2 routers, A and B (A-B), and both are connected with more than one link, say 2. I have a host connected to router A and want to telnet to router B. I have defined an extended list in the access-class with only one IP address of router B.

If the interface (whose IP address is defined in the access list) is down, then because of the implicit deny at the end of the access list I cannot log in to router B, though I have another link to reach router B.

I am thinking Cisco has saved people from getting into trouble if by mistake they apply an extended list this way and then get caught in a situation like this where they cannot log in to a remote router.
