Cisco Support Community
asr1004 access list

Hi

I have a simple question, but it is hard for me now.

I have this configuration:

ip access-list standard noLogin
 permit 10.10.10.10 log
 deny any log
line vty 0 4
 access-class noLogin in   -> I have also tested with an extended list
 transport prefer ssh
 transport input ssh

If I do not have this access-class, I can ssh into the box from another machine.

If I do have this statement, I cannot log in any more, but "show access-list" shows there are packets matching line one (permit 10.10.10.10 log).

The trace log on the unix machine shows the box sent {RST, ACK} all the time.

But if I remove the access-class, not only can I ssh through the management port, but also through the public port.

Is there some tip I missed? How can I allow only certain people to log in? Is the asr1000 different? Or is something wrong in my configuration?

any comments appreciated

thanks in advance

julxu

2 ACCEPTED SOLUTIONS
5 REPLIES

Re:asr1004 access list

Are you using VRFs? If so, try access-class noLogin in vrf-also.

Regards,
Mike

Sent from Cisco Technical Support Android App


Re:asr1004 access list

Thanks Mike,

please advise: how do I do it? Or are there docs?

On the default vrf, I have not seen the access-class command.

julxu

Re:asr1004 access list

ip access-list extended nologin
 permit ip host 10.10.10.x any   (allow a single host here)
 deny ip any any

Apply that.

***Do Rate All Helpful Posts***

Jawad


Re:asr1004 access list

Jawad

This is only the access-list, which already exists.

The problem is that I cannot find where in the vrf I can apply the access-list.

If you know, please advise.

julxu

Re:asr1004 access list

You apply it in the vty section like normal, you just add the vrf-also tag at the end.

line vty 0 15
 access-class noLogin in vrf-also

You can refer to the command documentation here:

http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html#wp1017389

By default, the vty access-class only processes for the global routing table, not for any VRFs. Since the ASR comes with a management port on a management VRF by default, you will need this syntax for it to work.

Regards,

Mike
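A quick way to catch this misconfiguration before it locks an administrator out is to audit the running-config for vty lines whose inbound access-class lacks vrf-also while a VRF is defined. The script below is an added example written for this thread, not Cisco's code or anything the posters supplied; the two config excerpts are constructed (the VRF name Mgmt-intf and the 192.0.2.10 address are assumed placeholders), and it understands only the config shapes shown in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config excerpt (not from the original thread).
# It reproduces the asker's situation: a standard ACL applied to the vty lines
# without vrf-also while a management VRF is defined on the box.
CONFIG_BEFORE = """\
vrf definition Mgmt-intf
 address-family ipv4
 exit-address-family
!
ip access-list standard noLogin
 permit 10.10.10.10 log
 deny   any log
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.0.2.10 255.255.255.0
!
line vty 0 4
 access-class noLogin in
 transport input ssh
"""

# The corrected variant from the accepted answer: same ACL, vrf-also added.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "access-class noLogin in", "access-class noLogin in vrf-also")

VRF_RE = re.compile(r"^(?:ip vrf|vrf definition)\s+(\S+)")
VTY_RE = re.compile(r"^line vty\s+\d+(?:\s+\d+)?")
ACL_RE = re.compile(r"^\s+access-class\s+(\S+)\s+in\b(?P<vrf_also>\s+vrf-also)?")


def defined_vrfs(config: str) -> List[str]:
    """Names of VRFs declared at the top level of the config."""
    names = []
    for line in config.splitlines():
        m = VRF_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def vty_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Return (header, indented body lines) for each 'line vty' section."""
    blocks: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for line in config.splitlines():
        if VTY_RE.match(line):
            current = (line.strip(), [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line)
        else:
            current = None  # any non-indented line ends the section
    return blocks


def audit_vty_access(config: str) -> List[Dict]:
    """One finding per vty section; 'issue' is None when the line looks right."""
    vrfs = defined_vrfs(config)
    findings = []
    for header, body in vty_blocks(config):
        acl, vrf_also = None, False
        for line in body:
            m = ACL_RE.match(line)
            if m:
                acl = m.group(1)
                vrf_also = m.group("vrf_also") is not None
        if acl is None:
            issue = "no inbound access-class: any reachable source may open a session"
        elif vrfs and not vrf_also:
            # Without vrf-also the access-class is evaluated only for the global
            # table; sessions arriving on VRF interfaces are not accepted even
            # when the ACL permits the source, which is what the asker observed.
            issue = ("access-class %s lacks vrf-also: sessions arriving via VRF "
                     "interfaces (%s) are not accepted" % (acl, ", ".join(vrfs)))
        else:
            issue = None
        findings.append({"line": header, "access_class": acl,
                         "vrf_also": vrf_also, "issue": issue})
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for f in audit_vty_access(cfg):
            print(label, f["line"], "->", f["issue"] or "ok")
```

Run it against a saved "show running-config" to list every vty section and its problem; the check is deliberately conservative and only flags the two cases discussed in the thread (no access-class at all, or an access-class without vrf-also when a VRF exists).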
