03-13-2017 01:16 AM - edited 03-08-2019 09:42 AM
Hi
Is it possible to use multiple vty access lists to control access to the router on different vty instances?
Example: use standard access-list 1 to restrict vty 0 4 and access-list 2 to restrict vty 5 6.
We have this setup on several different router platforms. I thought the routers would be able to tell which access-list the source is allowed in and open that specific vty session/group, but the router always uses the next available vty session. This happens across different platforms.
I haven't been able to find any Cisco documentation about this limitation.
Example config:
! vty 0-4: intended only for sources permitted by ACL 1 (USERS-X)
line vty 0 4
 session-timeout 10 output
 access-class 1 in
 exec-timeout 30 0
 password ************
 logging synchronous
 transport preferred telnet
 transport input telnet ssh
 transport output telnet ssh
! vty 5-6: intended only for sources permitted by ACL 2 (USERS-Y)
line vty 5 6
 session-timeout 10 output
 access-class 2 in
 exec-timeout 30 0
 password ************
 logging synchronous
 transport preferred telnet
 transport input telnet ssh
 transport output telnet ssh
! ACL 1: USERS-X range, wildcard mask 0.0.0.255 (a /24), everything else denied and logged
access-list 1 remark RANGE for USERS-X
access-list 1 permit x.x.x.x 0.0.0.255
access-list 1 deny any log
! ACL 2: a single USERS-Y host (no wildcard given = host entry), everything else denied and logged
access-list 2 remark RANGE for USERS-Y
access-list 2 permit y.y.y.y
access-list 2 deny any log
Thanks
03-13-2017 11:10 PM
That won't work. Use AAA and username/password instead.
! enable AAA and authenticate/authorize logins against the local username database
aaa new-model
aaa authentication login default local
aaa authorization exec default local
If you are using a modern router:
username <user1> privilege 15 algorithm-type scrypt secret <password>
Or if you are using an older router:
username <user1> privilege 15 secret <password>
03-14-2017 12:48 AM
Agreed that would work.
Why would the other option, using multiple vty instances, not work?
03-14-2017 12:51 AM
Because the VTY lines are allocated in order, and then the access-list is checked. The access-list does not select the VTY line. The access-list only controls access to the current VTY line that the user is connected to.
03-14-2017 03:30 AM
Thanks
03-14-2017 04:19 AM
Hello
FYI - You CAN pick a vty line to access, but again it would still be available for when you don't specify it also.
Example:
! vty 0-2: no transports allowed in, so these lines cannot be reached
line vty 0 2
 transport preferred none
 transport input none
! vty 3: plain telnet, local authentication
line vty 3
 transport preferred none
 transport input telnet
 login local
! vty 4: member of rotary group 127, reachable directly on TCP port 3000+127 = 3127, filtered by ACL 10
line vty 4
 transport preferred none
 transport input telnet
 rotary 127
 access-class 10 in
 login local
telnet x.x.x.x 3127   (now you will hit vty 4 each time)
telnet x.x.x.x        (it will also be available, but you may or may not hit vty 3 or 4)
Regards
Paul
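The following is an added example for this thread, not code from any of the posters or from Cisco. It models the behaviour described in the 12:51 AM reply (the router takes the first free vty line, and only then checks that line's access-class) and in Paul's rotary example (TCP port 3000+N lands directly on the line with rotary N), using constructed addresses: 10.1.0.0/24 stands in for USERS-X, the host 10.2.0.5 for USERS-Y, and Paul's unshown ACL 10 is modelled as the USERS-X list. It also goes one step beyond the thread by showing the consequence of the explanation: a single access-class that permits every legitimate source, applied to every line, gives the same answer no matter which line is free.

```python
"""Model of IOS vty allocation vs. access-class, as described in this thread.

Added example; not code from the original posters or from Cisco. All
addresses, ACL contents and user names are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Standard-ACL entries as (action, address, wildcard). "permit y.y.y.y" with
# no wildcard in IOS means a single host, i.e. wildcard 0.0.0.0.
DENY_ANY = ("deny", "0.0.0.0", "255.255.255.255")
ACL_USERS_X = [("permit", "10.1.0.0", "0.0.0.255"), DENY_ANY]   # constructed stand-in for ACL 1
ACL_USERS_Y = [("permit", "10.2.0.5", "0.0.0.0"), DENY_ANY]     # constructed stand-in for ACL 2
ACL_BOTH = [ACL_USERS_X[0], ACL_USERS_Y[0], DENY_ANY]            # one ACL permitting both ranges


def acl_permits(acl, src: str) -> bool:
    """Standard-ACL semantics: first matching entry wins, implicit deny at the end."""
    s = int(IPv4Address(src))
    for action, addr, wildcard in acl:
        net, wc = int(IPv4Address(addr)), int(IPv4Address(wildcard))
        # A wildcard bit of 1 means "don't care" for that bit of the address.
        if (s ^ net) & ~wc & 0xFFFFFFFF == 0:
            return action == "permit"
    return False


@dataclass
class Vty:
    number: int
    access_class: Optional[list] = None
    rotary: Optional[int] = None
    user: Optional[str] = None   # who currently holds the line, None if free


class Router:
    def __init__(self, lines):
        self.lines = lines

    def connect(self, user: str, src: str, port: int = 23):
        """Return (vty number or None, outcome).

        Plain telnet (port 23) takes the first free line of any kind; port
        3000+N only considers lines in rotary group N. In both cases the line is
        chosen first and its access-class is applied afterwards, which is the
        behaviour the thread describes.
        """
        if port == 23:
            candidates = self.lines
        else:
            candidates = [l for l in self.lines if l.rotary == port - 3000]
        line = next((l for l in candidates if l.user is None), None)
        if line is None:
            return None, "no free vty"
        if line.access_class is not None and not acl_permits(line.access_class, src):
            return line.number, "denied by access-class"
        line.user = user
        return line.number, "connected"


def build_split_acl_router() -> Router:
    """The original poster's layout: ACL 1 on vty 0-4, ACL 2 on vty 5-6."""
    return Router([Vty(n, ACL_USERS_X) for n in range(5)] +
                  [Vty(n, ACL_USERS_Y) for n in range(5, 7)])


def scenario_split_acls():
    """A USERS-Y host is refused while vty 0-4 are free, yet accepted once they fill up."""
    r = build_split_acl_router()
    first = r.connect("y-user", "10.2.0.5")          # lands on vty 0, ACL 1 denies it
    for i in range(5):                                # five USERS-X sessions occupy vty 0-4
        r.connect(f"x-user{i}", f"10.1.0.{10 + i}")
    second = r.connect("y-user", "10.2.0.5")         # first free line is now vty 5, ACL 2 permits
    return first, second


def scenario_single_acl():
    """One ACL covering both ranges on every line: outcome no longer depends on the free line."""
    r = Router([Vty(n, ACL_BOTH) for n in range(7)])
    return (r.connect("y-user", "10.2.0.5"),
            r.connect("x-user", "10.1.0.77"),
            r.connect("stranger", "192.0.2.9"))


def scenario_rotary():
    """Paul's point: port 3127 always hits vty 4, but vty 4 is still reachable by plain telnet."""
    r = Router([Vty(3), Vty(4, ACL_USERS_X, rotary=127)])
    via_rotary = r.connect("x-user", "10.1.0.20", port=3127)   # rotary 127 -> vty 4, permitted
    r.lines[1].user = None                                      # free vty 4 again
    plain_first = r.connect("anyone", "192.0.2.9")              # plain telnet: first free is vty 3
    plain_second = r.connect("anyone2", "192.0.2.10")           # next one lands on vty 4, ACL denies
    return via_rotary, plain_first, plain_second


if __name__ == "__main__":
    print("split ACLs:", scenario_split_acls())
    print("single ACL:", scenario_single_acl())
    print("rotary    :", scenario_rotary())
```

The first scenario reproduces what the original poster observed: the same source is accepted or refused depending only on which line happens to be free. The rotary scenario shows why Paul's trick does not replace a filter: it lets a client aim at vty 4, but plain telnet still reaches vty 4 once vty 3 is busy, so the access-class on that line is what actually protects it.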
10-18-2018 07:52 AM
You'd have to go with Juniper if you want this type of control.