Restricting telnet/ssh access to loopback address

Unanswered Question
Sep 21st, 2009


I've been requested to restrict telnet/ssh access to the loopback address only.

I've been attempting to do this using access lists; however, the access lists either block access to all interfaces or allow access to no interfaces.

Any and all help in this is appreciated.

Below are the configs I have been trying. This is for telnet only.

! loopback address I want to restrict access to

interface Loopback0

ip address

! interface not to be able to telnet to

interface FastEthernet0/0

ip address

!access-list 101 in is applied to line vty 0 4

line vty 0 4

access-class 101 in

!Below gets to both interfaces

access-list 101 perm tcp any any eq telnet

access-list 101 deny tcp any any

sh access-list 101

Extended IP access list 101

10 permit tcp any any eq telnet (4 matches)

20 deny tcp any any

!The below stopped both interfaces from being accessed.

access-list 101 perm tcp any host (loopback address) eq telnet

access-list 101 deny tcp any any

sh access-l 101

Extended IP access list 101

10 permit tcp any host eq telnet

20 deny tcp any any (2 matches)

Joe Clarke Mon, 09/21/2009 - 17:23

You can do this with control-plane policing (CoPP). For example:

access-list 101 deny tcp any host eq telnet

access-list 101 permit tcp any any eq telnet

access-list 101 deny ip any any

class-map match-all matchtelnet

match access-group 101

policy-map filtertelnet

class matchtelnet

drop

control-plane

service-policy input filtertelnet

Note: the ACL above looks like the opposite of what you want, but really you're matching traffic you do NOT want, then dropping it in the policy-map.

The net effect will be that all TCP traffic is allowed to this device OTHER than tcp/23 traffic unless the destination address is
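The same CoPP approach carried through for both telnet and ssh, with a verification step, as an added example that is not part of the reply above. The Loopback0 address (192.0.2.1) and the ACL, class-map and policy-map names are assumed for illustration:

```cisco
! Added example, not from the original thread. Assumed address:
! Loopback0 = 192.0.2.1, the only address that should accept telnet/ssh.
!
! The ACL selects traffic to be DROPPED. A "permit" here means "matches the
! class" (and the class action is drop); a "deny" means "not matched", so the
! loopback sessions fall through to class-default and are left alone.
ip access-list extended COPP-MGMT-DROP
 deny   tcp any host 192.0.2.1 eq 23
 deny   tcp any host 192.0.2.1 eq 22
 permit tcp any any eq 23
 permit tcp any any eq 22
 deny   ip any any
!
class-map match-all COPP-MGMT-DROP
 match access-group name COPP-MGMT-DROP
!
policy-map COPP
 class COPP-MGMT-DROP
  drop
!
control-plane
 service-policy input COPP
!
! Verify: the class counter grows when telnet/ssh is attempted against a
! non-loopback address and stays at zero for sessions to Loopback0.
! show policy-map control-plane input
```

Because the policy is attached to the control plane, it only sees packets punted to the router's CPU; telnet or ssh passing through the router to other hosts is not affected, which is the main difference from filtering with interface ACLs.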

boxhallbr Mon, 09/21/2009 - 18:50

Fantastic. I'm still trying to get my head around it but it works. Need to look at the backward logic.

Thanks for help.

boxhallbr Tue, 10/13/2009 - 16:27


You supplied the above answer last month and, when I tested it on an 1841 router, it worked fine.

My problem is when I tried to apply it to a 3750 layer 3 switch. The drop command on the policy-map didn't take nor did the service-policy input command on the control-plane (output below).

Any and all help will be appreciated.

router(config-cmap)#policy-map filtertelnet

router(config-pmap)#class matchtelnet

router(config-pmap-c)#drop
                      ^
% Invalid input detected at '^' marker.

router(config)#control-plane

router(config-cp)#service-policy input filtertelnet

QoS: policymap is supported on physical, VLAN, and ES interfaces only

Service Policy attachment failed

error: failed to install policy map filtertelnet


Joe Clarke Tue, 10/13/2009 - 16:42

Control-plane policing is not supported on the 3750 platform. This solution will not work there.

boxhallbr Tue, 10/13/2009 - 16:59


Is there any other way of restricting remote access to single interfaces on the 3750 switches?

Joe Clarke Tue, 10/13/2009 - 17:09

Interface ACLs are the only other way to go. Create an ACL that only permits telnet to the desired interface, then apply it to all IP interfaces on the switch.

boxhallbr Tue, 10/20/2009 - 15:23


Tested the access list on a test box and it worked fine. Before I start applying it on all devices, I thought I would get you to have a quick look.

Does the below look correct?

Want to connect to IP address

ip access-list extended RemoteAccess

permit tcp any host eq telnet

deny tcp any any eq telnet

permit ip any any

Then apply the access list

interface Vlan210

ip address

ip access-group RemoteAccess in


interface Vlan410

ip address

ip access-group RemoteAccess in


Thanks again for your help.
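The interface-ACL approach from the replies above, carried through for ssh as well as telnet and scoped to the switch's own addresses, as an added example that is not part of the thread. The addresses (Loopback0 192.0.2.1, Vlan210 10.210.0.1, Vlan410 10.41.0.1) are assumed for illustration:

```cisco
! Added example, not from the original thread. Assumed addresses:
! Loopback0 = 192.0.2.1, Vlan210 = 10.210.0.1, Vlan410 = 10.41.0.1.
!
! Unlike CoPP, a router ACL on an SVI also filters traffic routed THROUGH the
! switch, so "deny tcp any any eq telnet" would also block telnet to hosts
! behind the switch. Deny only sessions aimed at the switch's own non-loopback
! addresses, and cover ssh (22) as well as telnet (23).
ip access-list extended RemoteAccess
 permit tcp any host 192.0.2.1 eq 23
 permit tcp any host 192.0.2.1 eq 22
 deny   tcp any host 10.210.0.1 eq 23
 deny   tcp any host 10.210.0.1 eq 22
 deny   tcp any host 10.41.0.1 eq 23
 deny   tcp any host 10.41.0.1 eq 22
 permit ip any any
!
! Every routed interface needs the ACL, including any SVI added later; an
! interface without it still accepts telnet/ssh on the switch's addresses.
interface Vlan210
 ip access-group RemoteAccess in
!
interface Vlan410
 ip access-group RemoteAccess in
!
! Verify with "show ip access-lists RemoteAccess": the deny lines should count
! matches for sessions to the SVI addresses, the permit lines for Loopback0.
```

The deny list has to name every non-loopback address the switch owns, not just the address of the interface the ACL sits on, because the switch accepts a connection to any of its own addresses no matter which interface the packet arrives on. Each time an SVI or routed port is added, both the deny list and the list of interfaces carrying the ACL need to be updated.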

