
VTY Access-Class Accepts Extended and Named Access Lists

The access-class command for line configuration on routers can now accept extended and named access lists, allowing restriction of terminal access based on more attributes than just source IP. This gives administrators more flexible policies, like permitting Telnet only from a management station while allowing SSH from any internal network. Extended lists also enable logging of all connection attempts.

VTY access-class accepts extended and named access lists

You have been able to limit terminal access to a router with the access-class line configuration command for a very long time (since at least IOS release 10.0). However, the access-class command only accepted standard access lists, so you could restrict access solely on the basis of source IP address. In the meantime, this feature quietly got upgraded to support extended access lists, and in IOS release 12.4 the command even accepts (undocumented!) named access lists. These new capabilities let you implement interesting policies, for example:

Telnet access is allowed only from the network management station; SSH access is allowed from anywhere within the internal network.

You can also use the extended access list logging functionality, making it possible to log every connection attempt to the router. For example, the configuration ...

ip access-list extended TerminalAccess
 permit tcp host 10.0.0.2 any eq telnet log
 permit tcp any any eq 22 log
 deny tcp any any log
!
line vty 0 4
 access-class TerminalAccess in

... would log any terminal access to the router with messages similar to the ones below.

%SEC-6-IPACCESSLOGP: list TerminalAccess denied tcp 10.0.0.3(1057) -> 0.0.0.0(23), 1 packet
%SEC-6-IPACCESSLOGP: list TerminalAccess permitted tcp 10.0.0.2(1058) -> 0.0.0.0(23), 1 packet
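To make the first-match semantics of the TerminalAccess list concrete, and to show what an operator can do with the %SEC-6-IPACCESSLOGP messages it produces, here is an added Python example (not part of the original post and not IOS code). It parses the three access list entries exactly as written above into a small model, evaluates sample connection attempts against them the way the router would (first matching entry wins, implicit deny if nothing matches), and then parses the log lines from the post to count denied attempts per source. The sample attempts and the third log line are constructed; the address-spec parser covers only the "any", "host A" and "A WILDCARD" forms and the TCP "eq" port qualifier that this policy uses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The extended access list from the post, entry by entry (constructed sample input).
TERMINAL_ACCESS_ACL = [
    "permit tcp host 10.0.0.2 any eq telnet log",
    "permit tcp any any eq 22 log",
    "deny tcp any any log",
]

# IOS accepts well-known service names in place of port numbers.
PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    source: ipaddress.IPv4Network     # source address match
    dst_port: Optional[int]           # None matches any destination port
    log: bool                         # whether the "log" keyword was present


def _parse_address(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # "A WILDCARD": ipaddress understands a hostmask (wildcard) in place of a prefix
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line):
    """Turn one 'permit/deny tcp SRC DST [eq PORT] [log]' entry into an Ace."""
    tokens = line.split()
    action, _proto = tokens.pop(0), tokens.pop(0)   # only tcp entries are modelled
    source = _parse_address(tokens)
    if tokens and tokens[0] == "eq":                # optional source-port qualifier, unused here
        tokens.pop(0)
        tokens.pop(0)
    _parse_address(tokens)                          # destination: the router itself, always "any" here
    dst_port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        dst_port = PORT_NAMES.get(port) or int(port)
    return Ace(action, source, dst_port, "log" in tokens)


def evaluate(acl_lines, src_ip, dst_port):
    """Return (action, entry index, logged) for the first matching entry.

    IOS ends every access list with an implicit, unlogged deny."""
    src = ipaddress.ip_address(src_ip)
    for index, ace in enumerate(parse_ace(l) for l in acl_lines):
        if src in ace.source and (ace.dst_port is None or ace.dst_port == dst_port):
            return ace.action, index, ace.log
    return "deny", None, False


# Pattern for the %SEC-6-IPACCESSLOGP messages shown in the post.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_log(lines):
    """Extract list name, verdict, source, destination port and packet count from syslog lines."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            events.append({"acl": d["acl"], "action": d["action"], "src": d["src"],
                           "dport": int(d["dport"]), "count": int(d["count"])})
    return events


def denied_by_source(events):
    """Sum denied packets per source address: the first thing to look at after a log review."""
    counts = {}
    for e in events:
        if e["action"] == "denied":
            counts[e["src"]] = counts.get(e["src"], 0) + e["count"]
    return counts


# Constructed log sample: the two lines from the post plus one more denied Telnet attempt.
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGP: list TerminalAccess denied tcp 10.0.0.3(1057) -> 0.0.0.0(23), 1 packet",
    "%SEC-6-IPACCESSLOGP: list TerminalAccess permitted tcp 10.0.0.2(1058) -> 0.0.0.0(23), 1 packet",
    "%SEC-6-IPACCESSLOGP: list TerminalAccess denied tcp 10.0.0.3(1061) -> 0.0.0.0(23), 2 packets",
]

if __name__ == "__main__":
    for src, port in [("10.0.0.2", 23), ("10.0.0.3", 23), ("192.168.5.9", 22)]:
        print(src, port, evaluate(TERMINAL_ACCESS_ACL, src, port))
    print(denied_by_source(parse_log(SAMPLE_LOG)))
```

Note that the router-side log only counts packets that hit a logged entry, so a policy whose last entry is an explicit "deny ... log" (as here) records every rejected attempt, whereas one that relies on the implicit deny records nothing for them.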
