10-17-2009 12:39 PM - edited 03-06-2019 08:10 AM
hi,
I have one L3 switch with two VLAN interfaces, 10.1.1.1 and 20.1.1.1. On the same switch there are two hosts in each VLAN. Now I want that only 10.1.1.11 can telnet to the switch via the VLAN interface IPs (10.1.1.1 and 20.1.1.1).
I wrote access list
access-list 101 permit tcp host 10.1.1.11 host 10.1.1.1 eq 23
access-list 101 permit tcp host 10.1.1.11 host 20.1.1.1 eq 23
and applied it as
line vty 0 4
access-class 101 in
but none of the hosts is able to connect to the switch, but if I apply it as access-class 101 out then both systems get access.
Neither direction is achieving the goal, and I want to use an extended list only, because when I use a standard list such as access-list 1 permit 10.1.1.1 and apply it to the line as access-class 1 in, the goal is achieved.
Please suggest about the extended list behaviour to perform this task.
thanks !!!
10-17-2009 12:46 PM
Hello Hemant,
you can use a standard ACL to restrict telnet access on vtys
access-list 11 permit host 10.1.1.11
line vty 0 4
access-class 11 in
this automatically allows telnet to all IP addresses of multilayer switch from source 10.1.1.11/32
usually we allow telnet connections from NOC IP subnets
Hope to help
Giuseppe
10-17-2009 12:51 PM
Dear friend,
That I am able to do, but it is not happening with an extended list. I want that 10.1.1.11 can only telnet to the switch, not ssh etc.
Please suggest what changes needs to be done in the extended list in my last post
Thanks !!!
10-17-2009 01:12 PM
If you don't want ssh just use "transport input telnet" on the vty's this will disallow SSH .
10-17-2009 01:16 PM
Thanks for the suggestion !!!
Now, is there any workaround to use an extended access list for telnet? Please refer to my first post where I have written the whole configuration.
10-18-2009 08:46 AM
Is there anyone who can reply on my first post to implement an extended access list on the vty !!!
10-18-2009 10:59 AM
Hello Hermant,
try this
access-list 111 permit tcp host 10.1.1.1 any eq 23
to see if in this way you can limit access to telnet only and to specified host.
Glen's suggestion is valid: if you don't want to use SSH you can do in that way.
Hope to help
Giuseppe
10-18-2009 11:18 AM
buddy,
you mean to say if host is 10.1.1.11 then
access-list 111 permit tcp host 10.1.1.11 any eq 23
So, now i am able to telnet the switch from both vlan interfaces. Thanks for this.
Now what is the explanation of "any" in the ACL above? Also, if I am applying an extended ACL, why can I not use the interface IP 10.1.1.1 or 60.1.1.1 in place of "any"?
or
what if I want this host 10.1.1.11 to telnet through 10.1.1.1 only not through 60.1.1.1
or if you do not mind, could you share your email ID so that we can chat !!!
Thanks and waiting for your support
10-18-2009 12:19 PM
Hi,
Please extend your valuable support
Thanks,
10-19-2009 07:39 PM
Hello Everyone,
Please help me in this problem
Thanks !
10-20-2009 12:39 AM
No one seems to give the answer to this !!!
10-20-2009 01:34 AM
Hello Hermant,
I made a search in netpro using topright search button.
most of examples provided by colleagues use an any destination when using extended ACL in access-class in command
I'm afraid this is a limitation on using extended ACLs for access-class.
I remember a thread where Rick Burts explained this.
I usually configure a standard ACL for access-class.
see this from John Blakley
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cd3247b/6#selected_message
Hope to help
Giuseppe
10-20-2009 10:06 AM
Giuseppe
Thank you for remembering my discussion of this. I do not remember that specific post but will lay out the issues again.
The optimum solution for access-class applied on vty is to use a standard access list. It is possible to use an extended access list in the access-class but when you do the "destination" address must be any (which sort of defeats the purpose of using extended access lists).
While an extended access list can specify more specific addresses as source and destination when used in access-group on an interface (where it sees traffic with valid, specific source and destination addresses) it does not work that way in access-class on the vty. The reason for this has to do with how the access-class is implemented. One of the advantages of access-class is that it works on remote access to the vty ports. It does not matter which interface the request arrived on (what was the destination address) so there is no evaluation of the destination address in access-class only evaluation of the source address. So if you attempt to use an extended access list with a specific destination address it will not create a match in the logic of access-class.
HTH
Rick
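The following vty configuration is an added example, not taken from any post in this thread, that puts together the points made above: a standard ACL is the normal choice for access-class, an extended ACL only matches when its destination is "any" (because access-class evaluates the source address only), and the allowed protocol is restricted with transport input rather than with the ACL's port. The addresses 10.1.1.11, 10.1.1.1 and 20.1.1.1 come from the thread; the NOC subnet 192.0.2.0/24 is a constructed placeholder.

```cisco
! Added example (not from the thread): restricting remote access to the vty lines
! on a Cisco IOS L3 switch. 192.0.2.0/24 is a constructed placeholder NOC subnet.

! Option A: standard ACL (recommended in the thread). A standard ACL matches the
! source address only, which is exactly what access-class evaluates.
access-list 11 remark VTY-MGMT: hosts allowed to open remote sessions
access-list 11 permit host 10.1.1.11
access-list 11 permit 192.0.2.0 0.0.0.255
access-list 11 deny   any log

! Option B: extended ACL. Usable with access-class only with destination "any";
! lines such as "permit tcp host 10.1.1.11 host 10.1.1.1 eq 23" never match,
! because the destination (the SVI the session arrived on) is not evaluated.
access-list 111 remark VTY-MGMT-EXT: same policy as ACL 11, extended form
access-list 111 permit tcp host 10.1.1.11 any eq 23
access-list 111 deny   ip any any log

line vty 0 4
 ! pick one of the two ACLs; inbound direction filters the connecting host
 access-class 11 in
 ! protocol restriction belongs here, not in the ACL port field:
 ! "transport input telnet" is what the thread asks for (telnet only);
 ! "transport input ssh" is the safer choice where SSH is available.
 transport input telnet
 exec-timeout 10 0
 login local
```

After applying it, "show access-lists 11" shows the hit counters per entry, and the "log" keyword on the final deny entry produces a syslog message for each rejected source, which is the quickest way to confirm which host is being blocked and why when a session unexpectedly fails.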
10-20-2009 11:10 AM
Hello Rick,
thanks for your clear explanation.
I remembered that thread because I had learned about extended ACLs on vty on it.
I've never tried to use extended ACLs with access-class so I couldn't provide an explanation.
I'm satisfied with it and I hope also the original poster will be.
Best Regards
Giuseppe
10-20-2009 05:18 PM
"The reason for this has to do with how the access-class is implemented."
Hello Giuseppe & Rick,
Thanks for a nice discussion
Though Rick has already answered the question.
Was just wondering can this be a reason why access-class is implemented this way.
Let's assume there are 2 routers A & B (A-B) and both are connected with more than one link, say 2. I have a host connected to router A and want to telnet to router B. I have defined an extended list on access-class with only one IP address of router B.
If the interface (whose IP address is defined in the access list) is down, then because of the implicit deny at the end of the access list I cannot log in to router B, though I have another link to reach router B.
I am thinking Cisco have saved guys from getting in trouble if by mistake they apply an extended list this way and then have caught up in situation like this where they cannot login to a remote router.