Access to VTY

Dec 4th, 2008

I have a switch with multiple vlans, each of which has its own IP address.


I want to limit connections to the switch VTY lines to only one source host and one DST switch ip on a particular vlan.


Is this possible by using access-class on the VTY lines?

Correct Answer by Giuseppe Larosa about 8 years 4 months ago

Hello Dan,

Yes, because the access-class can be applied inbound and outbound:

You just need to define two standard ACLs and use them:

access-list 11 permit host source
access-list 12 permit host destination

line vty 0 4
 access-class 11 in
 access-class 12 out

Verify how many VTYs are on your switch.


Hope to help

Giuseppe


Daniel Graham Thu, 12/04/2008 - 13:15

Excellent, I didn't think of it like that. I tried using an extended access list and had no luck.


Thanks!

Giuseppe Larosa Thu, 12/04/2008 - 13:24

Hello Dan,

I may be wrong, but I don't think the access-class command supports extended ACLs.


thanks for your kind marks


Hope to help

Giuseppe


Richard Burts Thu, 12/04/2008 - 13:52

Giuseppe


Extended access lists for access class are much more cumbersome, but extended access lists are supported in the access class command. I have tested it and gotten it to work. But standard access lists are how access class was intended to work and are preferable.


HTH


Rick

Giuseppe Larosa Thu, 12/04/2008 - 23:44

Thanks Rick

I have always used only standard ACLs



Best Regards

Giuseppe


Richard Burts Fri, 12/05/2008 - 09:30

Giuseppe


You are quite welcome. Most of us just use standard access lists for access-class and it is the easy and best way. But it is worth knowing that extended access lists do also work.


Daniel


Your response suggests that there might have been a behavior change about this. The behavior has been consistent in IOS for a very long time. access-class works with both standard access lists and with extended access lists. (I believe that my testing with them goes back to the days of 10.3.)


HTH


Rick

Daniel Graham Fri, 12/05/2008 - 09:53

I must have been wrong; my switch lets me specify an extended access-list in an access-class statement.


I believe the way in which I was using it was the issue:


access-list 100 permit ip 10.0.0.0 0.0.0.255 host 10.1.1.1


line vty 0 4
 access-class 100 in


It didn't matter what I put for the destination address; unless it was 'any', it would always deny the connection.


It must be that the access-class in and out statements need to be used together, once again:


access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any host 10.1.1.1

line vty 0 4
 access-class 100 in
 access-class 101 out




Richard Burts Fri, 12/05/2008 - 10:13

Daniel


IOS will let you use an extended access list with access-class. But that does not mean that all of the parameters will operate as you might want them to. My experience was just as yours has been. You can use an extended access list for access-class in, but you cannot get it to test for specific destination addresses. It only works when the destination address is any. My rationalization for why it works this way is that one of the great advantages of access-class is that it gives you a mechanism to control remote access to any of the addresses of the device, and since it is automatically processing for a variety of destination addresses, it will not process as expected if the access list specifies a specific address.


HTH


Rick
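Putting the thread's findings into one configuration, as an added example that is not from any of the posters: the standard-ACL form from Giuseppe's answer beside the extended-ACL form that Daniel and Rick found denies every session when the destination is specific. The addresses (admin host 10.0.0.5, switch SVI 10.1.1.1) and the VTY range 0 15 are constructed assumptions; check the real VTY count with show line first.

```cisco
! Constructed values: admin host 10.0.0.5, switch management SVI 10.1.1.1
! Check the VTY count on the platform before picking the range:
!   show line
! Leaving any VTY without an access-class leaves it unrestricted.

! --- Working form: standard ACLs (access-class matches on source only) ---
access-list 11 remark Hosts allowed to open sessions to this switch
access-list 11 permit host 10.0.0.5
access-list 11 deny   any log
!
access-list 12 remark Destinations reachable from a session on these VTYs
access-list 12 permit host 10.1.1.1
access-list 12 deny   any log
!
line vty 0 15
 access-class 11 in
 access-class 12 out
 transport input ssh
!
! --- Pitfall from the thread: extended ACL with a specific destination ---
! The command is accepted, but every inbound session is denied no matter
! which switch address the client connected to (Daniel's test, confirmed
! by Rick). Shown commented out so it is not applied by accident.
access-list 100 permit ip 10.0.0.0 0.0.0.255 host 10.1.1.1
! line vty 0 15
!  access-class 100 in
!
! The only extended form that behaves is destination 'any', which reduces
! to a source match and so gains nothing over access-list 11 above.
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
! Verification once applied (hit counters and the line section):
!   show access-lists 11
!   show running-config | section line vty
```

Per the IOS command reference, access-class ... out restricts the destinations of connections a user initiates from the VTY (telnetting onward from the switch), so the in list is what actually limits who can reach the switch.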
