Cisco Support Community

Blocking session access on CAT6500

Greetings, We're running hybrid mode on our 6500 switches. I have noticed lately access-class on vty line 0 4 does not apply to someone sessioning in from the switch (session 15 or 16). Is there a way to block users from sessioning in on the router?

Thanks, Nabil


Re: Blocking session access on CAT6500

You should not want to do this!

When someone "sessions" in from the switch, it means that he has physical access to the system.

Locking this out increases the chance that your system cannot be managed anymore.

Blocking vty access is fine but always leave the console open.




Re: Blocking session access on CAT6500


You don't have to be physically at the switch to session into the MSFC; you can do that from anywhere as long as you have telnet access to the switch. You might be thinking of "switch console"; in order to console into the MSFC you have to be physically at the box. I understand your concern, but it kind of defeats the purpose of having a vty access-list if anyone can session from the switch.

Re: Blocking session access on CAT6500

You are correct, but the vty access can be controlled through an access-list. In my perception of security, there is no difference between a user whom I authorize to access the switch via telnet and a console user.


Re: Blocking session access on CAT6500

Totally agree with you; however, we have a different group that maintains the switching portion while my group maintains the routing portion. Unique, but it proves successful for us... One of the main reasons we're running hybrid mode.