RouterSim Access List Practice Lab

Unanswered Question
Jan 30th, 2008

Hello guys. I am practising with CCNA Network Visualizer 6.0. In one of its labs, the Access List CCNA Practice sim, why can't we simply put a deny access list on the vty terminal inbound on Router A? I've tried it and it works, but the solution in the simulator makes me put an access list on each interface. I'm confused...


Hi There

Not everyone on here will have the CCNA Network Visualizer, so we have no way of knowing about the labs offered with this product.

You would need to provide a little more information about what task the lab is trying to achieve before we could answer your question or give a possible explanation as to why the lab used the configuration that it did.

Best Regards,


uzmausmani Wed, 01/30/2008 - 20:09

I'm sorry. The question here is to prevent everyone from having telnet access to Router A on any interface. Router B is connected via the s 0/0 interface and Router C is connected to Router A through Router C. There are two hosts connected via a switch to e 0/0 on Router A. The solution to the problem as stated in the lab is given as creating an access list and applying it on each of Router A's interfaces as shown below:

2600A(config)#access-list 110 deny tcp any eq 23
2600A(config)#access-list 110 deny tcp any eq 23
2600A(config)#access-list 110 permit ip any any
2600A(config)#interface serial0/0
2600A(config-if)#ip access-group 110 in
2600A(config-if)#interface fa0/0
2600A(config-if)#ip access-group 110 out

My question is, instead of going through so much trouble, can't we simply create an access list with deny all and apply it on the vty port on Router A? I've tried to do that and it works just fine. So if a similar question comes in the CCNA exam, which way am I supposed to do it, or which is the Cisco way of doing it?

Istvan_Rabai Wed, 01/30/2008 - 21:17

Hi Uzma,

There is a way:

If you delete the password ("no password...", "no login") for telnet access under "line vty 0 4", no one will be able to telnet into the router through any interface.

If you already have a password and you want to restrict traffic temporarily without deleting the password, specify an access-list denying any traffic, like:

access-list 1 deny any

Apply it to the vtys:

line vty 0 4

access-class 1 in



uzmausmani Thu, 01/31/2008 - 06:33

Yes, I have tried to do that and it works, but my question was which way would Cisco accept in the CCNA exam...?

Hi There

Ok, I am a little confused. You say that the object of the lab is to prevent everyone having telnet access to the router on any interface.

By this I take it to mean that you must deny anybody telnetting to any of the IP addresses assigned to the router interfaces and getting a login or password prompt from the router.

If this was the objective, I would, as you mentioned, configure and apply an access list to the vty lines. However, in the real world you will not always be in the same location as the routers you administer, so it would be more realistic to create an access list to permit the IP address of the administrator's workstation(s) to have SSH access (more secure than telnet) to the router and deny all access for everyone else.

In the access list configuration provided in your second post, unless you made a typo, this access list may not meet the criteria of preventing telnet access to the router for everyone, depending on the actual topology (which is not clear from the description).

On the interface F0/0, the access list is applied to outgoing traffic. This means that telnet traffic originated ON the router could not exit interface F0/0 but you could still telnet TO the IP address assigned to this interface and gain access to the router, once you have the correct password.

Also, the access lists as presented are not only preventing access to the router. They are preventing telnet access to the entire and subnets. This could block potentially normal telnet traffic to hosts which reside on these subnets. It's kind of a sledgehammer-to-crack-a-nut approach, IMHO.

Just my 2 cents worth.

Best Regards,

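The two approaches discussed in the thread, written out as an added IOS configuration example. This is not the lab's solution or any poster's configuration; the hostname 2600A comes from the thread, while the admin workstation address (192.0.2.10), the router interface addresses (fa0/0 10.0.0.1, s0/0 10.0.1.1), the domain name and the username are assumptions chosen for illustration. Option 1 is the vty access-class approach with the admin-only SSH restriction described in the reply above; option 2 is the lab's interface-ACL approach narrowed so it only blocks telnet to the router's own addresses, applied inbound on every interface, since packets addressed to the router never pass an outbound ACL.

```cisco
! Added example, not from the original lab or any post above.
! Assumed addresses: admin workstation 192.0.2.10,
!                    2600A fa0/0 10.0.0.1, 2600A s0/0 10.0.1.1.
!
! --- Option 1: restrict management at the vty lines.
!     access-class is checked for every vty session, whichever interface
!     the connection arrived on, so one list covers the whole router.
!
! Create the local admin account first so you cannot lock yourself out.
username admin privilege 15 secret ChangeMe-Example1
!
! SSH needs a hostname, a domain name and an RSA key pair before
! "transport input ssh" will accept any connection.
hostname 2600A
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Standard ACL: only the admin workstation may open a vty session.
! "log" on the final deny records the source of every rejected attempt.
access-list 10 remark Management access to 2600A
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
! Some platforms have vty 0 15; cover every vty line that exists.
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
! --- Option 2: the lab's interface-ACL approach, narrowed.
!     Extended ACL syntax is: source [source-port] destination [dest-port],
!     so "eq 23" belongs after the destination, not after the source "any".
!     Matching only the router's own addresses leaves transit telnet alone.
!     Applied "in" on each interface: a packet addressed to the router is
!     consumed locally and never exits, so an "out" ACL never sees it.
access-list 110 remark Block telnet to 2600A itself, permit everything else
access-list 110 deny   tcp any host 10.0.0.1 eq 23
access-list 110 deny   tcp any host 10.0.1.1 eq 23
access-list 110 permit ip any any
!
interface FastEthernet0/0
 ip access-group 110 in
interface Serial0/0
 ip access-group 110 in
!
! --- Verify: match counters show which entries are being hit,
!     and "show users" lists who currently holds a vty.
show access-lists 10
show access-lists 110
show users
```

Option 1 is the one to keep in production; option 2 is shown to make the lab's intent explicit. If both are configured, a telnet attempt from anywhere is dropped by ACL 110 before it ever reaches the vty, and ACL 10 still governs SSH.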

a.cruea1980 Fri, 02/01/2008 - 07:22

You apply it to the interface because it's more efficient that way.

Basically, if a packet hits port 23 and the interface is to deny it, no processing is done on the packet.

However, if a packet hits port 23, but your VTY denies it, the router is analyzing the packet, then discarding it.

General rule of thumb is to cut off traffic as soon as you can, which is on the interface closest to the traffic you're denying.

Also keep in mind, if you deny at the vty, you can't set up the loopback for telnet/ssh access, nor would you be able to dial in, so you've essentially cut yourself off from remote management.

[edit] And not to mention, if you cut off access at the VTY, when someone port scans your router, they see port 23 open and can begin trying exploits.

