telnet and extended acl

sarahr202
Level 5

Hi everybody.

My book shows how a standard access list can be used to control telnet access.

I am just wondering if we can use an extended access list instead of a standard access list.

Let's say I want only users on the subnet 198.198.198.0/24 to be able to telnet into my router. How can an extended ACL be used here?

Thanks a lot.


Jon Marshall
Hall of Fame

Sarah

"Let's say I want only users on the subnet 198.198.198.0/24 to be able to telnet into my router. How can an extended ACL be used here?"

You would still only use a standard ACL, i.e.

access-list 1 permit 198.198.198.0 0.0.0.255

An extended ACL is used when you want to specify both src/dst IP and/or TCP/UDP ports, but they don't make any sense in this scenario, i.e. the destination IP address is not relevant here and you don't need to specify the ports.

Jon


Peter Paluch
Cisco Employee

Hello,

I assume we are talking about ACLs applied to the VTY lines using the command access-class.

Well, an extended ACL can be used here exactly like the standard ACL. Note that every standard ACL can be translated to an extended ACL simply by specifying "any" as the recipient. So for your example, this would be the configuration:

access-list 100 permit ip 198.198.198.0 0.0.0.255 any
line vty 0 4
 access-class 100 in

Or, if you wanted to limit only telnet access to the specified network and leave SSH open from all locations:

access-list 100 permit tcp 198.198.198.0 0.0.0.255 any eq 23
access-list 100 permit tcp any any eq 22
line vty 0 4
 access-class 100 in

There's really nothing special to it.

Best regards,

Peter
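To see what the two access-class configurations above actually admit, here is an added Python example (not from the thread and not Cisco code): a small evaluator for the ACL syntax shown, with wildcard-mask matching, first-match semantics and the implicit deny at the end of every ACL. The router address 10.0.0.1 and the outside host 203.0.113.9 are constructed for the demonstration.

```python
import ipaddress
import re

# Only the syntax used in the thread is parsed: standard lines (no protocol)
# and extended lines with "ip"/"tcp"/"udp", "any" or "addr wildcard", and "eq port".
_A = r"\d+\.\d+\.\d+\.\d+"
_ADDR = r"(any|" + _A + r"(?:\s+" + _A + r")?)"
_LINE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)(?:\s+(ip|tcp|udp))?\s+" + _ADDR
    + r"(?:\s+" + _ADDR + r")?(?:\s+eq\s+(\d+))?\s*$"
)

def _prefix(token):
    """'addr wildcard' -> (addr, wildcard) as ints; 'any' or a missing field matches everything."""
    if token is None or token == "any":
        return 0, 0xFFFFFFFF
    parts = token.split()
    wild = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0
    return int(ipaddress.IPv4Address(parts[0])), wild

def _hit(addr, prefix):
    """Cisco wildcard test: bits set in the wildcard are 'don't care'."""
    net, wild = prefix
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def parse_acl(text):
    """Parse ACL lines, in order, into (action, proto, src, dst, port) tuples."""
    entries = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACL syntax: " + line)
        action, proto, src, dst, port = m.groups()
        entries.append((action, proto, _prefix(src), _prefix(dst), int(port) if port else None))
    return entries

def evaluate(entries, src_ip, dst_ip, dst_port, ip_proto="tcp"):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, proto, src, dst, port in entries:
        if proto in ("tcp", "udp") and proto != ip_proto:
            continue
        if not _hit(src_ip, src) or not _hit(dst_ip, dst):
            continue
        if port is not None and port != dst_port:  # "eq" only appears on tcp/udp lines
            continue
        return action
    return "deny"

# Constructed inputs: the two ACLs from the thread and a constructed router (VTY) address.
STANDARD_ACL = "access-list 1 permit 198.198.198.0 0.0.0.255"
EXTENDED_ACL = """
access-list 100 permit tcp 198.198.198.0 0.0.0.255 any eq 23
access-list 100 permit tcp any any eq 22
"""
ROUTER = "10.0.0.1"

def vty_decision(acl_text, src_ip, dst_port):
    """What access-class would decide for a session from src_ip to the router's VTY port."""
    return evaluate(parse_acl(acl_text), src_ip, ROUTER, dst_port)
```

With the standard ACL, a host outside 198.198.198.0/24 is refused on both port 23 and port 22; with the extended ACL, the same host is refused telnet but still allowed SSH, which is exactly the difference the two configurations express.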
