Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VTY Access-list

I have a v basic but logical question........if i want to block an access from all ip from out side for telent.....and want to allow one static ip address....i can use three ways.....one is standard access list where i will but

Access-list 1 permit 110.56.x.x 0.0.0.0

int s0

access-class 1 in

the scond menthod is of extended access list in which i would put Eq 23

now my question is what is the difference between these two...the will do the same work.....in which scenario i would use standard on vty line and in which scenario i would use extended access list......thanks in advance

2 REPLIES
New Member

Re: VTY Access-list

First Access list says that you are permiting ip 110.56.x.x right. That means host can telnet with any application i.e. telnet or ssh.

But in case of extented access list you will be restricting the host to access though telnet only.

So many companies follow a hardening process where they want to speficifcally give access through SSH only and not through telnet then you can use extented access list and if there is no restriction then go for normal access list.

Hope that helps.

Regards,

Suresh Jain

Hall of Fame Super Silver

Re: VTY Access-list

Suresh has given one explanation and I will approach the question in a slightly different way. Use of a standard access list applied with access-class is a more efficient solution to controlling remote access to the router than using extended access list applied with access-group. For one thing if the router has several interfaces you probably will need to put the extended access list on several interfaces but the standard access list only goes in one place. If the router has several IP addresses then you will need a line in the extended access list for each address but the standard access list inherently applies to all the addresses. If you use the extended access list then every packet coming into the router must be examined by the access list but if you use the standard access list then only packets which are attempts to access the router need to be examined.

So from an efficiency standpoint the standard access list applied with access-class is more efficient than the extended access list applied with access group.

HTH

Rick

435
Views
3
Helpful
2
Replies