Access class command (in out) - Cisco 877/881 routers

Unanswered Question
Jul 22nd, 2010
User Badges:


I have a need to modify telnet security in my network. I have only 3 remotes hosts witch can telnet WAN routers. An access-list was configured and actived under vty lines: access list with 3 remotes hosts.

I want to autorize telnet access from the LAN (one host or all the LAN), thus the operation is complicated and difficult (more than 400 routers) to modify the ACL in all devices.

I have an idea if i change the direction of the ACL under vty :

access class 101 OUT instead of in.

I'm asking if this can resolve the issue and giving the same level of security as "IN".

Does someone know how to do without affecting or doing more changes ?


Best regards,

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2.5 (2 ratings)
Jennifer Halim Thu, 07/22/2010 - 06:36
User Badges:
  • Cisco Employee,

No, ACL in the outbound direction on the VTY will restrict access for telnet iniated from the router itself, not for telnet access towards the router.

If you would like to restrict inbound telnet access towards the router, you can only configure the IN direction unfortunately.

Hope that answers your question.

Ayad Thu, 07/22/2010 - 07:40
User Badges:


Thanks for your reply. In this cas, can I move the access list from vty to serial interafaces like serial, atom,..?

If I understand, i will add a line with permit any any in the top of the ACL before applying under serial interafaces.

is this right ?

Please advise and help.

Thanks and regards,

Jennifer Halim Thu, 07/22/2010 - 07:48
User Badges:
  • Cisco Employee,

well, it doesn't really matter whether you apply the ACL on the actual VTY line or the serial/atm/ethernet interfaces of the router itself, because essentially you will still need to be configuring IN (inbound) ACL for telnet access towards your router.

Not quite sure what you mean by configuring permit ip any any at the top because once it hits permit ip any any, then the ACL stops there. It will not check the remainder of the ACL as ACL is checked from top to bottom.

There are 2 options that you can achieve:

- If you know the list that you would like to block and it's shorter than your allowed list, then you can configure deny statements first before the permit ip any any

- If your allow list is shorter than the block list, then you would just configure the permit statements specific to what you would like to allow, and there would be an implicit deny any any at the end of the ACL, so you don't need to worry about configuring deny ip any any.

Ayad Thu, 07/22/2010 - 07:56
User Badges:


But the serial is also used fror wan trafic and when applying an ACL under serial is just de permit only telnet from 3 host and deny telnet from others wan hosts but also to allow others wan trafic.

in case, i will need a permit any any.

what do you think ?


Jennifer Halim Thu, 07/22/2010 - 08:01
User Badges:
  • Cisco Employee,

Yes, that is how you would configure it. But you can achieve the same through the VTY access-list as well if you already have it.

But yes, you can achieve the same through ACL on the serial/WAN interface if the telnet is coming through to your WAN interface.


This Discussion