Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Limit switch access (telnet, http)

Situation: c3750 Layer3 switch acting as router for my LAN, with several (more than 40) L3 virtual interfaces.

Target: I want to permit access to the switch only from some L3 interfaces (these with an @IP 10.255.x.x) and deny telnet/http request on other interfaces (with @IP 10.252.x.x). For telnet, I putted on the switch the following commands:

Switch(config)#access-list 101 permit ip any log

Switch(config)#access-list 101 deny ip any any log

Switch(config-line)#access-class 101 in


- telnet traffic is blocked on ALL interfaces

- if I try a telnet from a PC ( to the switch ( I see the following syslog message:

Aug 23 13:36:49: %SEC-6-IPACCESSLOGP: list 101 denied tcp ->, 1 packet

Why destination IP address is

Second question: how can I activate the same filter on http access (ip http access-class accepts only standard access-lists, therefore I cannot check destination IP address)?


Re: Limit switch access (telnet, http)


You access list is producinging unintended results. You list actually says: "If you come from anywhere you can do ip to". What you probably want is the opposite. Standard access lists are most effective for restricting this type of access because it eliminates this confusion. You don't need extended lists to limit access to vty. The destination is irrelevant because the packet is not getting routed through. On this basis the standard list poses no limitation for your http access control. Standard lists are good for vty, http, snmp-server restrictions. As far as the destination, I do not know why this was stripped out. Probably due to the fact that the packet is destined for the switch.


Pls rate if helpful!

New Member

Re: Limit switch access (telnet, http)

Hi Mike,

thanks for your reply, but it doesn't help me. I try to explain my situation a little bit more in details:

- two routing domains on the same switch (vrf active)

- therefore the destination IP address where I initiate the telnet session is important. I want to deny telnet/http in one of these routing domains (the one with IP addressese 10.252.x.x)

Hope it's a little bit more clear ...

Hall of Fame Super Bronze

Re: Limit switch access (telnet, http)

The destination is shown as because the line vty interface is unnumbered. As Mike mentioned, you can't include a destination IP on an access-class because the vty interface has no ip .

If you want to permit/deny traffic from some L3 interfaces, you need to apply the ACL on those interfaces, not the entire switch as intended with access-class.

Please rate helpful posts.