Access to VTY

Daniel Graham
Level 1

I have a switch with multiple vlans, each of which has its own IP address.

I want to limit connections to the switch VTY lines to only one source host and one destination switch IP on a particular VLAN.

Is this possible by using access-class on the VTY lines?

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Dan,

Yes, because the access-class can be applied inbound and outbound:

you just need to define two standard ACLs and use them

! two standard ACLs, one per direction
access-list 11 permit host source
access-list 12 permit host destination
! apply them on the VTY lines
line vty 0 4
 access-class 11 in
 access-class 12 out

Verify how many VTYs are on your switch.

Hope to help

Giuseppe


9 Replies


Excellent, didn't think of it like that. I tried using an extended access list and had no luck.

Thanks!

Hello Dan,

I may be wrong, but I don't think the access-class command supports extended ACLs.

thanks for your kind marks

Hope to help

Giuseppe

Giuseppe

Extended access lists for access class are much more cumbersome, but extended access lists are supported in the access class command. I have tested it and gotten it to work. But standard access lists are how access class was intended to work and are preferable.

HTH

Rick


Thanks Rick

I have always used only standard ACLs

Best Regards

Giuseppe

Looks like newer versions do, but not positive.

Giuseppe

You are quite welcome. Most of us just use standard access lists for access-class, and it is the easy and best way. But it is worth knowing that extended access lists do also work.

Daniel

Your response suggests that there might have been a behavior change about this. The behavior has been consistent in IOS for a very long time. access-class works with both standard access lists and with extended access lists. (I believe that my testing with them goes back to the days of 10.3.)

HTH

Rick


I must have been wrong; my switch lets me specify an extended access-list in an access-class statement.

I believe the way in which I was using it was the issue:

! extended ACL with a specific destination, applied inbound
access-list 100 permit ip 10.0.0.0 0.0.0.255 host 10.1.1.1
line vty 0 4
 access-class 100 in

It didn't matter what I put for the destination address: unless it was 'any', it would always deny the connection.

Must be the access-class in and out statements need to be used together once again -

! inbound ACL restricts the source, destination left as 'any'
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
! outbound ACL carries the destination
access-list 101 permit ip any host 10.1.1.1
! applied on the same VTY lines
line vty 0 4
 access-class 100 in
 access-class 101 out

Daniel

IOS will let you use an extended access list with access-class. But that does not mean that all of the parameters will operate as you might want them to. My experience was just as yours has been. You can use an extended access list for access-class in, but you can not get it to test for specific destination addresses. It only works when the destination address is any. My rationalization for why it works this way is that one of the great advantages of access-class is that it gives you a mechanism to control remote access to any of the addresses of the device, and since it is automatically processing for a variety of destination addresses, it will not process as expected if the access list specifies a specific address.

HTH

Rick

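Added example (Python, written for this page; it is not code posted by anyone in the thread): an audit of a saved IOS running-config for the points raised above. It flags every 'line vty' range that has no inbound access-class (Giuseppe's "verify how many VTYs" advice: a switch with 16 VTYs shows 'line vty 5 15' as its own stanza, and an access-class on 0 4 alone leaves the rest open), an access-class that names an ACL the config does not define, and an extended ACL applied inbound whose permit entry carries a destination other than 'any', the form Daniel found refused every connection. It parses numbered ACLs only; the two sample configs and all addresses in them are constructed, not taken from a real device. One caveat that the thread does not state: 'access-class ... out' restricts the Telnet/SSH sessions a user who is already logged in on the VTY may open from the device to other hosts, not which of the switch's own addresses an incoming session may be addressed to, so the script records the out ACL but draws no destination restriction from it.

```python
# Added example for this thread (not code posted in it): audit the VTY access-class
# setup in a saved IOS running-config. Numbered ACLs only; named ACLs are not parsed.
from __future__ import annotations
import re
from dataclasses import dataclass, field

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

@dataclass
class AclEntry:
    action: str              # permit / deny
    source: str              # 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'
    destination: str | None  # None for standard ACLs, which match on source only

@dataclass
class VtyRange:
    first: int
    last: int
    access_class: dict[str, str] = field(default_factory=dict)  # 'in'/'out' -> ACL

def acl_kind(number: int) -> str:
    # IOS numbered ranges: standard 1-99 / 1300-1999, extended 100-199 / 2000-2699
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    return "extended" if 100 <= number <= 199 or 2000 <= number <= 2699 else "other"

def _take_address(t: list[str], i: int) -> tuple[str, int]:
    """Consume one address spec at t[i]; return (text, index of the next token)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    if i + 1 < len(t) and IPV4.fullmatch(t[i + 1]):  # address followed by wildcard
        return f"{t[i]} {t[i + 1]}", i + 2
    return t[i], i + 1  # bare address in a standard ACL (wildcard 0.0.0.0 implied)

def parse_config(config: str) -> tuple[dict[int, list[AclEntry]], list[VtyRange]]:
    acls: dict[int, list[AclEntry]] = {}
    vtys: list[VtyRange] = []
    current: VtyRange | None = None  # the 'line vty' stanza we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t, indented = line.split(), raw[0].isspace()
        if t[0] == "access-list" and len(t) >= 4 and t[1].isdigit():
            number, action, kind = int(t[1]), t[2], acl_kind(int(t[1]))
            if action == "remark" or kind == "other":
                continue
            if kind == "standard":
                source, dest = _take_address(t, 3)[0], None
            else:  # t[3] is the protocol; a tcp/udp port qualifier may follow the source
                source, i = _take_address(t, 4)
                if i < len(t) and t[i] in {"eq", "neq", "gt", "lt", "range"}:
                    i += 3 if t[i] == "range" else 2
                dest = _take_address(t, i)[0]
            acls.setdefault(number, []).append(AclEntry(action, source, dest))
            current = None
        elif t[:2] == ["line", "vty"]:
            current = VtyRange(int(t[2]), int(t[3]) if len(t) > 3 else int(t[2]))
            vtys.append(current)
        elif current is not None and indented and t[0] == "access-class":
            current.access_class[t[2]] = t[1]  # access-class <acl> in|out [vrf-also]
        elif not indented:
            current = None  # any other top-level line closes the stanza
    return acls, vtys

def audit_vty_access(config: str) -> list[str]:
    """One finding per problem; an empty list means every VTY range is restricted."""
    acls, vtys = parse_config(config)
    findings = [] if vtys else ["no 'line vty' stanza: VTY access is unrestricted"]
    for v in vtys:
        label, ref = f"line vty {v.first} {v.last}", v.access_class.get("in")
        if ref is None:
            findings.append(f"{label}: no inbound access-class, any source may connect")
        elif not ref.isdigit() or int(ref) not in acls:
            findings.append(f"{label}: access-class {ref} in refers to an ACL not defined here")
        else:
            for e in acls[int(ref)]:
                if e.action == "permit" and e.destination not in (None, "any"):
                    findings.append(f"{label}: ACL {ref} is applied inbound but permits only "
                                    f"to destination '{e.destination}'; use 'any' there")
    return findings

SAMPLE_CONFIG = """\
! constructed: fixed destination in the inbound extended ACL, vty 5-15 left open
access-list 100 permit ip 10.0.0.0 0.0.0.255 host 10.1.1.1
access-list 101 permit ip any host 10.1.1.1
line vty 0 4
 access-class 100 in
 access-class 101 out
line vty 5 15
 transport input ssh
"""
FIXED_CONFIG = """\
! constructed: one permitted source host, logged deny, all 16 VTYs covered
access-list 11 permit host 10.0.0.5
access-list 11 deny any log
line vty 0 15
 access-class 11 in
"""
```

Run it as audit_vty_access(open("running-config.txt").read()) against a config captured with 'show running-config'; an empty list is the goal. The script checks syntax and coverage only, so confirm on the device with 'show access-lists' and 'show running-config | section line vty' that the ACLs referenced are the ones you expect.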