Unable to Telnet (Destination unreachable; gateway or host down)

May 14th, 2009

hi all

I need to restrict telnet access to switches, meaning I should be able to telnet to the LAN switches from the core switch management VLAN.

I have applied an ACL, but after applying the ACL I am able to ping the access switch but I am unable to telnet. The config is pasted below; can someone help please?

On Core switch

int vlan 171

description Mgmt vlan

ip address


On the access switch I have applied this config

access-list 110 permit ip any

access-list 110 deny ip any any log

And on the VLAN interface I have applied this

int vlan 171

ip access-group 110 in

After this I am able to ping the access switch from the core but unable to telnet.

Errors pasted below:


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms



Trying ...

% Destination unreachable; gateway or host down

Please help me on the same

srinivas sagar

Laurent Aubert Thu, 05/14/2009 - 05:41
Cisco Employee


ACL on an interface impact all the traffic received or sent over this interface.

If you want to restrict Telnet connections, you need to apply your ACL on the VTY lines, which terminate Telnet sessions received from any interface. This saves you from deploying the ACL on all your physical interfaces.

So the configuration should be like this (after ACL 110 is removed):

access-list 10 permit


line vty 0 4

access-class 10 in


Only standard ACLs are supported, which makes sense as we filter only on the source IP.



adhityakarthik Thu, 05/14/2009 - 05:49


Thanks for the update,

but the client requirement is to apply it on the management VLAN and also

allow other services such as SNMP and TACACS.

Please advise on the same.


Laurent Aubert Thu, 05/14/2009 - 08:14
Cisco Employee

You can use the same ACL used for Telnet restriction to filter SNMP source IP as well:

access-list 10 permit


snmp-server community ro|rw 10


line vty 0 4

access-class 10 in


Only hosts belonging to your management VLAN can have Telnet and SNMP access to your device.

For Tacacs, I agree you need an ACL on the interface:

ip access-list extended MGMT

permit udp any eq tacacs

permit tcp any eq tacacs

deny udp any any eq tacacs

deny tcp any any eq tacacs

permit ip any any


int vlan 171

ip access-group MGMT in


Using a named ACL allows you to update it very easily.
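The two answers above make one distinction: `access-class` on the VTY lines and an ACL on the SNMP community restrict who may open a management session to the switch, while `ip access-group` on an SVI filters every packet that crosses the interface. The script below is an added example, not Cisco's code or anything posted in this thread. It audits a running-config text for exactly those points: VTY lines with no `access-class`, an `access-class` that names an undefined or extended ACL (IOS accepts only standard ACLs there, numbered 1-99 and 1300-1999 or named standard), SNMP communities without an ACL, and interface ACLs flagged as transit filters. The two embedded configurations are constructed samples; 192.0.2.0/24 is a documentation subnet standing in for the management VLAN.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configurations, not taken from the thread. 192.0.2.0/24
# (an RFC 5737 documentation range) stands in for the management VLAN subnet.
HARDENED = """\
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community MONITOR RO 10
line vty 0 4
 access-class 10 in
"""

WEAK = """\
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip any any log
snmp-server community public RO
interface Vlan171
 ip access-group 110 in
line vty 0 4
 access-class 110 in
line vty 5 15
 transport input telnet
"""

# Numbered ranges IOS reserves for standard IP ACLs; access-class accepts only these.
STANDARD_RANGES = ((1, 99), (1300, 1999))


def is_standard_acl(number: int) -> bool:
    return any(lo <= number <= hi for lo, hi in STANDARD_RANGES)


def parse_acls(config: str) -> Dict[str, str]:
    """Map each ACL identifier (number or name) to 'standard' or 'extended'."""
    acls: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) ", line)
        if m:
            acls[m.group(1)] = "standard" if is_standard_acl(int(m.group(1))) else "extended"
            continue
        m = re.match(r"ip access-list (standard|extended) (\S+)", line)
        if m:
            acls[m.group(2)] = m.group(1)
    return acls


def parse_blocks(config: str, prefix: str) -> List[Tuple[str, List[str]]]:
    """Return (header, indented sub-commands) for each top-level block whose
    header starts with prefix, e.g. 'line vty' or 'interface'."""
    blocks: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for line in config.splitlines():
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line.strip(), []) if line.startswith(prefix) else None
            if current is not None:
                blocks.append(current)
    return blocks


def snmp_community_acl(line: str) -> Tuple[str, Optional[str]]:
    """Return (community string, ACL identifier or None) for a snmp-server community line."""
    tokens = line.split()
    community = tokens[2]
    for i, tok in enumerate(tokens):
        if i >= 3 and tok.lower() in ("ro", "rw"):
            return community, (tokens[i + 1] if i + 1 < len(tokens) else None)
    # No ro/rw keyword: IOS defaults to RO, and a trailing token is the ACL.
    if len(tokens) > 3 and tokens[3].lower() != "view":
        return community, tokens[-1]
    return community, None


def audit(config: str) -> List[str]:
    """Report management-plane exposures in an IOS configuration text."""
    findings: List[str] = []
    acls = parse_acls(config)

    for header, body in parse_blocks(config, "line vty"):
        classes = [cmd for cmd in body if cmd.startswith("access-class")]
        if not classes:
            findings.append(f"{header}: no access-class; any source can open a session")
        for cmd in classes:
            ident = cmd.split()[1]
            if ident not in acls:
                findings.append(f"{header}: access-class {ident} references an undefined ACL")
            elif acls[ident] != "standard":
                findings.append(f"{header}: access-class {ident} is an extended ACL; "
                                "access-class takes a standard ACL")

    for line in config.splitlines():
        if line.startswith("snmp-server community"):
            community, acl = snmp_community_acl(line)
            if acl is None:
                findings.append(f"snmp-server community {community}: no ACL; "
                                "any source that knows the string can query")
            elif acl not in acls:
                findings.append(f"snmp-server community {community}: ACL {acl} is undefined")

    # An interface ACL is a transit filter, not a session filter: it hits every
    # packet through the SVI, which is why ping and telnet broke differently above.
    for header, body in parse_blocks(config, "interface"):
        for cmd in body:
            if cmd.startswith("ip access-group"):
                findings.append(f"{header}: '{cmd}' filters every packet crossing the "
                                "interface, not only sessions to the switch")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against a saved `show running-config` by reading the file into `audit()`. The hardened sample produces no findings; the weak sample reports the extended ACL on `vty 0 4`, the open `vty 5 15` range, the unrestricted SNMP community and the SVI ACL. A named standard ACL (`ip access-list standard NAME`) passes the `access-class` check the same way a numbered one does.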



