telnet and extended acl

Answered Question
Aug 6th, 2009

Hi everybody.

My book shows how a standard access list can be used to control telnet access.

I am just wondering if we can use an extended access list instead of a standard access list.

Let's say I want only users on the subnet 198.198.198.0/24 to be able to telnet into my router. How can an extended ACL be used here?

Thanks a lot.

Correct Answer by Jon Marshall about 7 years 5 months ago

Sarah

"Let's say I want only users on the subnet 198.198.198.0/24 to be able to telnet into my router. How can an extended ACL be used here?"

You would still only use a standard ACL, i.e.

access-list 1 permit 198.198.198.0 0.0.0.255

An extended ACL is used when you want to specify both source and destination IPs and/or TCP/UDP ports, but they don't make any sense in this scenario, i.e.

the destination IP address is not relevant here and you don't need to specify the ports.

Jon

Peter Paluch Thu, 08/06/2009 - 14:02

Hello,

I assume we are talking about ACLs applied to the VTY lines using the command access-class.

Well, an extended ACL can be used here exactly like the standard ACL. Note that every standard ACL can be translated to an extended ACL simply by specifying "any" as the recipient. So for your example, this would be the configuration:

access-list 100 permit ip 198.198.198.0 0.0.0.255 any
line vty 0 4
access-class 100 in

or perhaps, if you wanted to limit only the telnet access to the specified network and leave SSH open from all locations:

access-list 100 permit tcp 198.198.198.0 0.0.0.255 any eq 23
access-list 100 permit tcp any any eq 22
line vty 0 4
access-class 100 in

There's really nothing special to it.

Best regards,

Peter

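As an added illustration (not part of the thread, and not IOS code), the following Python evaluator models how the router walks the two ACLs above when a VTY connection arrives: Cisco wildcard-mask matching, first-match ordering, and the implicit deny at the end of every ACL. The connection tuples it is fed are constructed sample values; the parser only understands the ACE syntax used in this thread.

```python
# Added example: a small evaluator for Cisco-style extended ACL entries of the
# form used with "access-class ... in" on VTY lines. It models wildcard-mask
# matching, first-match ordering and the implicit "deny" at the end of the list.
import ipaddress

# The two ACLs from the answer above.
ACL_ANY_IP = ["access-list 100 permit ip 198.198.198.0 0.0.0.255 any"]
ACL_TELNET_ONLY = [
    "access-list 100 permit tcp 198.198.198.0 0.0.0.255 any eq 23",
    "access-list 100 permit tcp any any eq 22",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny proto SRC DST [eq PORT]' (subset only)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    action, proto, i = tok[2], tok[3], 4

    def take_addr():
        nonlocal i
        if tok[i] == "any":                       # 'any' == 0.0.0.0 255.255.255.255
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        base, wc = tok[i], tok[i + 1]
        i += 2
        return (base, wc)

    src, dst = take_addr(), take_addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, src_ip, dst_ip, proto, dport):
    """Return 'permit' or 'deny' for one connection; the first matching ACE wins."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src_ip, *ace["src"]) or not wildcard_match(dst_ip, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every Cisco ACL
```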