Cisco Support Community

Bronze

telnet and extended acl

Hi everybody.

My book shows how a standard access list can be used to control telnet access.

I am just wondering if we can use an extended access list instead of a standard access list.

Let's say I want only users on the subnet 198.198.198.0/24 to be able to telnet into my router. How can an extended ACL be used here?

thanks a lot.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: telnet and extended acl

Sarah

"Let's say I want only users on the subnet 198.198.198.0/24 to be able to telnet into my router. How can an extended ACL be used here?"

You would still only use a standard ACL, i.e.

access-list 1 permit 198.198.198.0 0.0.0.255

An extended ACL is used when you want to specify both src/dst IP and/or TCP/UDP ports, but they don't make any sense in this scenario, i.e.

the destination IP address is not relevant here and you don't need to specify the ports.

Jon

2 REPLIES
Cisco Employee

Re: telnet and extended acl

Hello,

I assume we are talking about ACLs applied onto the VTY lines using the command access-class.

Well, an extended ACL can be used here exactly as the standard ACL. Note that every standard ACL can be translated to an extended ACL simply by specifying "any" as the recipient. So for your example, this would be the configuration:

access-list 100 permit ip 198.198.198.0 0.0.0.255 any

line vty 0 4

access-class 100 in

or perhaps if you wanted to limit only the telnet access from the specified network and leave the SSH open from all locations:

access-list 100 permit tcp 198.198.198.0 0.0.0.255 any eq 23

access-list 100 permit tcp any any eq 22

line vty 0 4

access-class 100 in

There's really nothing so special to it.

Best regards,

Peter
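To make the behaviour of the two styles concrete, here is a small Python evaluator added as an example (it is not Cisco code and not part of either reply above). It parses the exact access-list lines quoted in the thread (Jon's standard ACL and Peter's two extended ACLs), applies IOS wildcard-mask matching and the implicit deny at the end of every list, and reports whether a given VTY connection attempt would be permitted. Assumptions: only numbered ACLs are handled (standard 1-99/1300-1999, extended 100-199/2000-2699), only the `eq` port operator, and the router's VTY address 192.0.2.1 and the client addresses are constructed test values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# IOS accepts port names as well as numbers after "eq"; only the two
# that matter for VTY access are mapped here.
PORT_NAMES = {"telnet": 23, "ssh": 22}

# ACL lines exactly as they appear in the thread.
STANDARD_ACL = ["access-list 1 permit 198.198.198.0 0.0.0.255"]
EXTENDED_IP_ACL = ["access-list 100 permit ip 198.198.198.0 0.0.0.255 any"]
EXTENDED_PORT_ACL = [
    "access-list 100 permit tcp 198.198.198.0 0.0.0.255 any eq 23",
    "access-list 100 permit tcp any any eq 22",
]

ROUTER_VTY_IP = "192.0.2.1"  # constructed router address (TEST-NET-1)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the network, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any' | 'host A' | 'A W' | bare 'A' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1  # bare address = single host


def parse_entry(line: str) -> Dict:
    """Turn one 'access-list N permit|deny ...' line into a match record."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number, action = int(t[1]), t[2]
    standard = 1 <= number <= 99 or 1300 <= number <= 1999
    if standard:
        # A standard ACL matches on source only; destination is implicitly any.
        src = _parse_addr(t, 3)[:2]
        return {"action": action, "proto": "ip", "src": src,
                "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    proto = t[3]
    src_net, src_wc, i = _parse_addr(t, 4)
    dst_net, dst_wc, i = _parse_addr(t, i)
    dport: Optional[int] = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return {"action": action, "proto": proto, "src": (src_net, src_wc),
            "dst": (dst_net, dst_wc), "dport": dport}


def evaluate(acl_lines: List[str], src: str, dst: str,
             proto: str = "tcp", dport: int = 23) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for e in (parse_entry(l) for l in acl_lines):
        if e["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *e["src"]):
            continue
        if not wildcard_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    # Constructed connection attempts: (client address, destination port)
    attempts = [("198.198.198.77", 23), ("198.198.198.77", 22),
                ("10.0.0.5", 23), ("10.0.0.5", 22)]
    for name, acl in (("standard", STANDARD_ACL),
                      ("extended ip", EXTENDED_IP_ACL),
                      ("extended tcp", EXTENDED_PORT_ACL)):
        for client, port in attempts:
            print(f"{name:13} {client:>15} -> port {port}: "
                  f"{evaluate(acl, client, ROUTER_VTY_IP, 'tcp', port)}")
```

Running it shows why Jon and Peter agree: the standard ACL and the `permit ip ... any` extended ACL yield identical verdicts for every attempt, because the destination is always the router itself. Only the port-specific list behaves differently, permitting SSH from anywhere while restricting telnet to the subnet, which is the one case where the extended syntax buys you something on a VTY line.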

