Cisco Support Community

New Member

Access to VTY

I have a switch with multiple VLANs, each of which has its own IP address.

I want to limit connections to the switch VTY lines to only one source host and one destination switch IP on a particular VLAN.

Is this possible by using access-class on the VTY lines?

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Re: Access to VTY

Hello Dan,

Yes, because the access-class can be applied inbound and outbound:

You just need to define two standard ACLs and use them:

access-list 11 permit host source
access-list 12 permit host destination

line vty 0 4
 access-class 11 in
 access-class 12 out

Verify how many VTYs are on your switch.

Hope to help

Giuseppe
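A fuller version of the accepted solution, added here as an example; it is not from the original thread or from Cisco's own documentation, and the addresses, the management VLAN and the count of 16 VTY lines are assumed for illustration. It applies the inbound list to every VTY the switch has (the "verify how many vtys" point above), adds a logged explicit deny so rejected attempts are visible in the log, restricts the line to SSH, and lists the commands used to confirm the result. One caveat on direction: in IOS the "out" form of access-class governs connections that a user already logged in on a VTY opens from the switch toward other hosts (telnet or ssh out), so it does not by itself restrict which of the switch's own addresses an inbound session may target.

```cisco
! Added example configuration (assumed addresses; not from the thread).
! 10.10.1.5  = the single management host allowed to reach the switch
! 10.10.2.1  = the only device an operator may connect to *from* the switch
! Standard ACLs match on source address only, which is all access-class needs.
!
access-list 11 remark VTY inbound: only the management host
access-list 11 permit host 10.10.1.5
access-list 11 deny   any log
!
! "out" limits outbound sessions opened from a VTY on this switch
! (for example "telnet 10.10.2.1" typed at the switch prompt).
access-list 12 remark VTY outbound: only the neighbouring switch
access-list 12 permit host 10.10.2.1
access-list 12 deny   any log
!
! Run "show line" first to see how many VTY lines exist; most Catalyst
! switches have vty 0 15. Cover all of them: any VTY left without the
! access-class accepts sessions with no restriction once the lower
! lines are in use.
line vty 0 15
 access-class 11 in
 access-class 12 out
 transport input ssh
!
! Verification (exec mode):
!   show line                                -> lists every VTY line present
!   show running-config | section line vty   -> confirms both access-class lines
!   show access-lists 11                     -> match counters increment on hits
!   show logging | include list 11           -> denials logged by "deny any log"
```

Sessions from any host other than 10.10.1.5 are refused before the login prompt and produce a logged deny, which is the record a defender wants when reviewing unexpected management-plane access attempts.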

9 REPLIES
New Member

Re: Access to VTY

Excellent, I didn't think of it like that. I tried using an extended access list and had no luck.

Thanks!

Hall of Fame Super Silver

Re: Access to VTY

hello Dan,

I may be wrong, but I don't think the access-class command supports extended ACLs.

thanks for your kind marks

Hope to help

Giuseppe

Hall of Fame Super Silver

Re: Access to VTY

Giuseppe

Extended access lists for access class are much more cumbersome, but extended access lists are supported in the access class command. I have tested it and gotten it to work. But standard access lists are how access class was intended to work and are preferable.

HTH

Rick

Hall of Fame Super Silver

Re: Access to VTY

Thanks Rick

I have always used only standard ACLs

Best Regards

Giuseppe

New Member

Re: Access to VTY

Looks like newer versions do, but not positive.

Hall of Fame Super Silver

Re: Access to VTY

Giuseppe

You are quite welcome. Most of us just use standard access lists for access-class, and it is the easy and best way. But it is worth knowing that extended access lists do also work.

Daniel

Your response suggests that there might have been a behavior change about this. The behavior has been consistent in IOS for a very long time. access-class works with both standard access lists and with extended access lists. (I believe that my testing with them goes back to the days of 10.3.)

HTH

Rick

New Member

Re: Access to VTY

I must have been wrong; my switch lets me specify an extended access-list in an access-class statement.

I believe the way in which I was using it was the issue:

access-list 100 permit ip 10.0.0.0 0.0.0.255 host 10.1.1.1

line vty 0 4
 access-class 100 in

It didn't matter what I put for the destination address; unless it was 'any', it would always deny the connection.

It must be that the access-class in and out statements need to be used together once again:

access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip any host 10.1.1.1

line vty 0 4
 access-class 100 in
 access-class 101 out

Hall of Fame Super Silver

Re: Access to VTY

Daniel

IOS will let you use an extended access list with access-class. But that does not mean that all of the parameters will operate as you might want them to. My experience was just as yours has been. You can use an extended access list for access-class in, but you cannot get it to test for specific destination addresses. It only works when the destination address is any. My rationalization for why it works this way is that one of the great advantages of access-class is that it gives you a mechanism to control remote access to any of the addresses of the device, and since it is automatically processing for a variety of destination addresses, it will not process as expected if the access list specifies a specific address.

HTH

Rick
