VTY Access-list

The_guroo_2
Level 2

I have a very basic but logical question. If I want to block Telnet access from all IP addresses from outside and want to allow one static IP address, I can use three ways. One is a standard access list, where I will put:

access-list 1 permit 110.56.x.x 0.0.0.0

! access-class is a line command, so it goes under the vty lines rather than an interface
line vty 0 4

 access-class 1 in

The second method is an extended access list, in which I would put eq 23.

Now my question is: what is the difference between these two? They will do the same work. In which scenario would I use a standard access list on the vty line, and in which scenario would I use an extended access list? Thanks in advance.


Sureshdank
Level 1

The first access list says that you are permitting IP 110.56.x.x, right? That means the host can telnet with any application, i.e. telnet or ssh.

But in the case of the extended access list you will be restricting the host to access through telnet only.

Many companies follow a hardening process where they want to specifically give access through SSH only and not through telnet; then you can use an extended access list, and if there is no restriction then go for a normal access list.

Hope that helps.

Regards,

Suresh Jain

Suresh has given one explanation and I will approach the question in a slightly different way. Use of a standard access list applied with access-class is a more efficient solution to controlling remote access to the router than using an extended access list applied with access-group. For one thing, if the router has several interfaces you probably will need to put the extended access list on several interfaces, but the standard access list only goes in one place. If the router has several IP addresses then you will need a line in the extended access list for each address, but the standard access list inherently applies to all the addresses. If you use the extended access list then every packet coming into the router must be examined by the access list, but if you use the standard access list then only packets which are attempts to access the router need to be examined.

So from an efficiency standpoint the standard access list applied with access-class is more efficient than the extended access list applied with access-group.

HTH

Rick

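Both approaches discussed in the question and the two replies, written out side by side as an added configuration example (not from the original post or either reply). The management host 192.0.2.10, the router addresses 203.0.113.1 and 203.0.113.2, and the interface names are assumed placeholders; the vty `transport input ssh` line is included to show that the SSH-only hardening Suresh describes can also be reached with the standard list, without an extended ACL.

```ios
! Added example; 192.0.2.10 is the one permitted management host, and the
! router addresses and interface names below are assumed placeholders.
!
! --- Method 1: standard ACL applied to the vty lines with access-class ---
! Matches only the source address, is applied once, and covers every router
! address on every interface. Only traffic destined to the vty lines is
! checked. The protocol restriction (SSH only) is done on the line itself.
access-list 1 remark Management host allowed to reach the vty lines
access-list 1 permit host 192.0.2.10
access-list 1 deny   any log
!
line vty 0 4
 access-class 1 in
 transport input ssh
 login local
!
! --- Method 2: extended ACL applied to an interface with access-group ---
! Matches source, destination and port, so it can allow port 22 and block
! port 23 per host, but it must list every router address, be applied on
! every untrusted-facing interface, and it is evaluated against all traffic
! entering that interface, not just sessions aimed at the router.
ip access-list extended VTY-PROTECT
 remark Only the management host may reach this router on SSH; no telnet
 permit tcp host 192.0.2.10 host 203.0.113.1 eq 22
 permit tcp host 192.0.2.10 host 203.0.113.2 eq 22
 deny   tcp any host 203.0.113.1 range 22 23 log
 deny   tcp any host 203.0.113.2 range 22 23 log
 permit ip any any
!
interface Serial0/0
 ip access-group VTY-PROTECT in
!
interface GigabitEthernet0/0
 ip access-group VTY-PROTECT in
```

Note that Method 2 ends with `permit ip any any` so that transit traffic is not dropped by the implicit deny; without it the interface ACL would block everything except the two management sessions.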