New Member

access-class question

What's the difference between

>access-class 3 in

and

>ip access-group 3 in

And why do I have to use access-class on VTY connections?

1 ACCEPTED SOLUTION

Re: access-class question

Yes, you can restrict inbound telnet by applying access-class on the VTY lines, assuming you have defined the access-list and apply access-class on the vty 0-15 lines as (in).

As for outbound telnet, you will do it differently, using access-group and applying it to the interface where you want outbound telnet to be blocked. Again, same principle with access-group: create the access-list and apply it to the interface as (out).

HTH

Jorge

12 REPLIES
Hall of Fame Super Gold

Re: access-class question

Hi,

access-class is used to define, generally by source address, which remote systems are allowed to connect via telnet or SSH to your device.

access-group instead specifies an ACL for packets allowed to traverse an interface, regardless of whether they are destined to the router or not.

hope this helps, please rate post if it does!

New Member

Re: access-class question

Sorry, but I don't understand.

Why can't I use >ip access-group in the first case too?

Hall of Fame Super Gold

Re: access-class question

You can, but access-class is made specifically for the purpose, and it's easier to configure and understand when reading the configuration.

So you can still limit remote access to the router, but you do not have an ACL under the interface in case you don't need one for other purposes.

As an appreciation to those providing answers, please rate useful posts using the scrollbox below!

New Member

Re: access-class question

So with access-class I can block access for all those people who are trying to telnet to the router; that's what it is for?

And what about telnetting from the router? Can I limit that too with access-class?

Hall of Fame Super Gold

Re: access-class question

Yes.

To limit telnet from the router you would use an access-group under interface.

Please remember to rate useful posts!


Hall of Fame Super Gold

Re: access-class question

I must disagree with my colleagues Paolo and Jorge. Access-class can be applied both inbound and outbound. When access-class is applied inbound it limits telnet (or SSH or whatever remote access method) TO the router and when access-class is applied outbound it limits telnet etc FROM the router. It is not necessary to use access-group on interfaces to limit outbound telnet and is much easier and more efficient to use access-class out.

HTH

Rick

Hall of Fame Super Gold

Re: access-class question

Good, thanks for correcting me Rick.

I had forgotten. So many features, so little brain to memorize them all.

Silver

Re: access-class question

Also, isn't the access-group ACL skipped for packets originating from the router, even if it is applied on the interface? Today I tried blocking outgoing ICMP ttl-exceeded messages, and found that whatever ACL I write, the packets happily leave the router, although the ACL on the interface should prevent them from doing so. All debugs show that I am doing the correct thing, and when somebody else originates the packet type I am blocking, it is really blocked.

But not packets originating from the router.

Hall of Fame Super Gold

Re: access-class question

Pavlo

You raise an excellent point - which I had not thought about in my previous post. An ACL applied outbound (with access-group out) will filter only traffic that goes through the router but will not filter traffic that originates on the router. This is an aspect of ACL that many people are slow to recognize and I am glad that you have figured it out. And you are quite correct that access-group out will not be effective in controlling outbound telnet. So the only solution that really works is access-class out.

HTH

Rick
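A configuration that puts the two mechanisms side by side, added here as an illustration and not taken from any post in this thread; the addresses are documentation-range placeholders, and the VTY range and interface name are assumptions to adapt to the platform:

```cisco
! Added example; not from the thread. Addresses are documentation-range
! placeholders, and the VTY range and interface name are assumptions.

! ACL 3: management stations allowed to open telnet/SSH sessions TO the router.
! With access-class ... in, the entries are matched against the SOURCE address.
access-list 3 remark management stations allowed to reach the VTY lines
access-list 3 permit 192.0.2.0 0.0.0.255
access-list 3 deny   any log

! ACL 4: hosts that sessions started ON the router are allowed to go TO.
! With access-class ... out, the entries are matched against the DESTINATION.
access-list 4 remark destinations reachable with telnet/ssh started on the router
access-list 4 permit 198.51.100.10
access-list 4 deny   any log

line vty 0 15
 access-class 3 in
 access-class 4 out
 transport input ssh

! Contrast: an interface ACL only sees transit traffic. This blocks telnet
! passing THROUGH the router toward the LAN, but a telnet session started on
! the router itself is not inspected by it (Pavlo's and Rick's point above).
access-list 103 remark transit telnet toward the LAN
access-list 103 deny   tcp any any eq telnet log
access-list 103 permit ip any any

interface GigabitEthernet0/1
 ip access-group 103 out
```

`show access-lists` displays per-entry match counters, so the explicit deny lines with `log` make rejected connection attempts visible both in the counters and in syslog.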

Re: access-class question

Rick is correct, telnet restriction can be effectively applied for inbound/outbound with access-class (in) and/or (out).

I misunderstood the poster's second question!

"and what about telneting from the router? can i limit that too with access-class? "

New Member

Re: access-class question

What I meant is when you issue a telnet from your router to some host or other router.

But it's all right, because Rick has already answered that in his previous post.

Thanks a lot guys, you are really helpful!
