access-class question

milkdroogy
Level 1

What's the difference between

>access-class 3 in

and

>ip access-group 3 in

And why do I have to use access-class on VTY connections?


12 Replies

paolo bevilacqua
Hall of Fame

Hi,

access-class is used to define, generally by source-address, which remote systems are allowed to connect via telnet or ssh to your device.

access-group specifies instead an ACL for packets allowed to traverse an interface, independently from the fact these are destined to the router or not.

hope this helps, please rate post if it does!
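To make the distinction concrete, here is an added IOS configuration example (mine, not part of Paolo's reply): the same kind of standard ACL bound once with access-class under the vty lines and a separate extended ACL bound with ip access-group under an interface. Addresses are constructed from the RFC 5737 documentation ranges and the ACL numbers and interface name are arbitrary.

```cisco
! Added example, not from the original thread. Addresses are constructed
! (RFC 5737 documentation ranges); ACL numbers and interface are arbitrary.

! Standard ACL 3: source addresses allowed to open a vty (telnet/ssh) session.
! The implicit deny already drops everything else; the explicit "deny any log"
! just makes refused attempts visible in the log.
access-list 3 remark Management hosts allowed to reach the CLI
access-list 3 permit 192.0.2.0 0.0.0.255
access-list 3 deny   any log

! access-class binds the ACL to the vty lines. It is evaluated only for
! sessions that terminate on the router itself, whichever interface they
! arrive on, and it has no effect on transit traffic.
line vty 0 15
 access-class 3 in
 transport input ssh
 login local

! ip access-group binds an ACL to an interface. It is evaluated for every
! packet entering that interface, whether destined to the router or transit.
access-list 103 remark Filter on the WAN-facing interface
access-list 103 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 103 permit tcp any any established
access-list 103 deny   ip any any log
!
interface GigabitEthernet0/0
 ip access-group 103 in

! Verification: confirm where each ACL is bound and watch the hit counters
show running-config | section line vty
show running-config | section interface GigabitEthernet0/0
show access-lists 3
show access-lists 103
```

Because access-class 3 is attached to the lines rather than to an interface, it protects the CLI even if a new interface is added later without an interface ACL; ACL 103 only ever sees packets arriving on GigabitEthernet0/0.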

Sorry, but I don't understand.

Why can't I use >ip access-group in the first case too?

You can, but access-class is made specifically for the purpose, and it's easier to configure and understand when reading the configuration.

So you can still limit remote access to the router but you do not have ACL under interface in case you don't need them for other purposes.

As an appreciation to those providing answers, please rate useful posts using the scrollbox below!

So with access-class I can block the access of all those people who are trying to telnet to the router. That's what it is for?

And what about telnetting from the router? Can I limit that too with access-class?

Yes.

To limit telnet from the router you would use an access-group under interface.

Please remember to rate useful posts!

Yes, you can restrict inbound telnet when applying access-class in VTY lines, assuming you have defined the access-list and apply access-class in the vty 0 -15 lines as (in).

As for outbound telnet you will do differently, using access-group and apply it to the interface you want outbound telnet to be blocked. Again, same principle with access-group: create the access-list and apply it to interfaces as (out).

HTH

Jorge

Jorge Rodriguez

I must disagree with my colleagues Paolo and Jorge. Access-class can be applied both inbound and outbound. When access-class is applied inbound it limits telnet (or SSH or whatever remote access method) TO the router and when access-class is applied outbound it limits telnet etc FROM the router. It is not necessary to use access-group on interfaces to limit outbound telnet and is much easier and more efficient to use access-class out.

HTH

Rick


Good, thanks for correcting me Rick.

I had forgotten. So many features, so little brain to memorize them all.

Also, isn't ACL access-group skipped for packets originated from the router, even if applied on the interface? Today I tried blocking outgoing icmp ttl-exceeded messages, and stumbled on the fact that whatever ACL I write, packets happily leave the router, although the interface prevents them from doing so. All debugs show that I am doing the correct thing, and when somebody else originates the packet type I am blocking, it is really blocked.

But not packets originating from the router.

Pavlo

You raise an excellent point - which I had not thought about in my previous post. An ACL applied outbound (with access-group out) will filter only traffic that goes through the router but will not filter traffic that originates on the router. This is an aspect of ACL that many people are slow to recognize and I am glad that you have figured it out. And you are quite correct that access-group out will not be effective in controlling outbound telnet. So the only solution that really works is access-class out.

HTH

Rick

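The point Pavlo and Rick arrive at (an interface ACL applied outbound never sees packets the router itself generates) is easy to demonstrate in a configuration. The following is an added example of mine, not Rick's or Pavlo's configuration: access-class out on the vty lines, where the standard ACL is matched against the destination address of a telnet/ssh session started from the router's CLI, alongside the interface ACL that would not achieve the same thing. Addresses are constructed from the RFC 5737 documentation ranges; ACL numbers and the interface name are arbitrary.

```cisco
! Added example, not from the original thread. Addresses are constructed
! (RFC 5737 documentation ranges); ACL numbers and interface are arbitrary.

! For access-class out, each standard ACL entry is matched against the
! DESTINATION address of a session opened from this router's CLI
! (telnet/ssh typed by an operator logged in on a vty).
access-list 4 remark Hosts this router may open outbound sessions to
access-list 4 permit 198.51.100.10
access-list 4 deny   any log

line vty 0 15
 access-class 4 out
 transport input ssh
 transport output ssh telnet

! What does NOT work for this purpose: an interface ACL applied outbound is
! consulted only for transit traffic. Packets the router generates itself,
! such as its own telnet client or ICMP it originates, bypass it, so a
! "telnet 203.0.113.5" typed on this router still leaves through Gi0/0
! even with ACL 104 in place. Shown here only to illustrate the caveat.
access-list 104 remark Blocks transit telnet only, not router-originated telnet
access-list 104 deny   tcp any any eq 23
access-list 104 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 104 out

! Verification: ACL 4 counters increment on outbound session attempts from a
! vty; ACL 104 counters do not move for the router's own connections.
show running-config | section line vty
show access-lists 4
show access-lists 104
```

A useful check after applying access-class out is to log in on a vty, attempt a connection to an address outside ACL 4, and confirm the deny counter on ACL 4 increments while nothing changes on ACL 104.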

Rick is correct, telnet restriction can be effectively applied for inbound/outbound with access-class (in) and/or (out).

I misunderstood the poster's second question!

"and what about telneting from the router? can i limit that too with access-class? "

Jorge Rodriguez

What I meant is when you issue a telnet from your router to some host or other router.

But it's alright, because Rick had already answered that in his previous post.

Thanks a lot guys, you're really helpful!
