Your browser failed to load CSS style sheets. Your browser or web proxy might not support elliptic-curve TLS

Building network automation solutions

9 module online course

Start now!
back to overview

VTY access-class accepts extended and named access lists

You could limit terminal access to a router with an access-class in line configuration command for a very long time (since, at least, IOS release 10.0). However, the access-class command only accepted standard access-lists, allowing you to restrict access solely based on source IP addresses. In the meantime, this feature quietly got upgraded to support extended access lists. In the IOS release 12.4, the command even accepts (undocumented !) named access lists.

These new features give you the ability to implement interesting policies, for example:
  • Telnet access is only allowed from the network management station.
  • SSH access is allowed from anywhere within internal network

You can also use the extended access list logging functionality, making it possible to log every connection attempt to the router.

For example, the configuration ...

ip access-list extended TerminalAccess
 permit tcp host 10.0.0.2 any eq telnet log
 permit tcp any any eq 22 log
 deny tcp any any log
!
line vty 0 4
 access-class TerminalAccess in
... would log any terminal access to the router with messages similar to the one below.
%SEC-6-IPACCESSLOGP: list TerminalAccess denied tcp 10.0.0.3(1057) -> 0.0.0.0(23), 1 packet
%SEC-6-IPACCESSLOGP: list TerminalAccess permitted tcp 10.0.0.2(1058) -> 0.0.0.0(23), 1 packet

Related posts by categories

Please read our Blog Commenting Policy before writing a comment.

10 comments:

  1. Anonymous12 December, 2007 04:15

    very good tip, simple but useful.

    Thanks

    ReplyDelete
  2. Tassos (CCIE™ No. 19858)11 May, 2008 10:16

    Standard acls also provide logging, don't they?

    ReplyDelete
  3. Ivan Pepelnjak11 May, 2008 10:55

    You're right, now they do. Long time since I've last checked :)

    ReplyDelete
  4. Anonymous23 April, 2009 11:47

    Any one tried using a specific destination ip address rather than "any"
    i.e.
    permit tcp host 10.0.0.2 host 1.2.3.4 eq telnet log

    ReplyDelete
  5. Ivan Pepelnjak09 May, 2009 19:34

    It doesn't work, see the last comment in this post.

    ReplyDelete
  6. Anonymous24 August, 2012 20:02

    This was actually added in at-least 12.2 (tested), still wish you could specify a destination

    ReplyDelete
  7. Shyam Nandan04 August, 2013 14:29

    Hi everyone..
    I am new and working as L1 support.
    My question is " why we need access-class to restrict telnet?" we can do all kind of filtering with standard and extended ACL.
    Thankyou.

    ReplyDelete
    Replies
    1. Ivan Pepelnjak04 August, 2013 16:24

      In principle you're right. However, try achieving that with ACLs on a router with hundreds of (sub)interfaces or switch with tens of ports.

      Delete
  8. Patel Umair Khan04 October, 2016 12:27

    Thanks, it was helpful

    ReplyDelete
  9. TomHamman17 June, 2017 03:44

    Configure an access list to only allow Native & Management VLAN to SSH to the routers. Needs to be a numbered list

    ReplyDelete

Constructive courteous comments are most welcome. Anonymous trolling will be removed with prejudice.

Home
Sidebar