[nsp] VTY ACL
Rick Burts
r.burts at earthlink.net
Sun Jul 20 23:19:42 EDT 2003
Damien
I think you will find it much easier to accomplish what you want with a
standard access list.
As someone else pointed out, be very careful with in and out when you
apply access-class.
I went through the exercise of access-class with extended access lists
a long time ago, got it to work, and do not know if the behavior of IOS
has changed (so it may or may not still be the case, but I guess it still
works). What I found was that the key to getting extended access lists
to work was specifying the source address as 0.0.0.0. I was really
puzzled by that until I thought about it a while. The access-class out
is working when the vty session wants to go somewhere outside; at the
vty it knows where it wants to go but does not yet know which interface
it will use to get there, so it cannot know what the source address
will be.
I think you can get extended access lists to work with access-class,
but why would you want to use a more complex solution when a simple
solution is available?
Rick
Damien Holloway wrote:
>
> I applied an ACL to the vty interface on a router
>
> access-list 101 permit tcp host 10.1.1.1 host 10.2.2.2 eq telnet
>
> line vty 0 4
>  access-class 101 in
>
> and the host 10.1.1.1 **cannot** telnet to the router on 10.2.2.2
>
> BUT if I do this
>
> access-list 101 permit tcp host 10.1.1.1 any eq telnet
>
> line vty 0 4
>  access-class 101 in
>
> and the host 10.1.1.1 **can** telnet to the router on 10.2.2.2
>
> Why would the first example NOT work???
>
> I am confused
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Rick Burts CCIE 4615 CCSI Email: rburts at netcraftsmen.net
Chesapeake NetCraftsmen 410.573.9372 (office)
1070 Foxcroft Run 443.994.0675 (cell)
Annapolis, MD 21401 WWW: http://www.netcraftsmen.net
With 8 CCIEs on staff Chesapeake NetCraftsmen offers services in
network consulting and training. Our services include Network Design,
Implementation, Troubleshooting as well as Network Management.
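The following IOS configuration is an added illustration of the two approaches discussed in this thread; it is not part of either message. It puts the standard access list Rick recommends next to the extended-list form that Damien reported as working (destination "any"), and adds the outbound variant with a 0.0.0.0 source that Rick describes. The addresses are the ones from Damien's post; the list numbers 10 and 102 and the trailing "deny any log" entry are assumptions chosen for the example.

```cisco
! Standard access list: access-class only needs the source, so this is
! the simple form. 10.1.1.1 is the management host from the thread;
! the "deny any log" line is added here so refused attempts are logged.
access-list 10 permit host 10.1.1.1
access-list 10 deny   any log

! Extended access list in the form Damien found to work: the destination
! is left as "any" rather than the router's own address 10.2.2.2.
access-list 101 permit tcp host 10.1.1.1 any eq telnet

! Extended list for the OUT direction, following Rick's note that the
! source must be written as 0.0.0.0 because the vty does not yet know
! which interface (and therefore which source address) it will use.
access-list 102 permit tcp host 0.0.0.0 host 10.2.2.2 eq telnet

line vty 0 4
 ! Inbound: who may open a session to the vty. Use either 10 or 101.
 access-class 10 in
 ! Outbound: where a session already on the vty may telnet to.
 access-class 102 out
```

Note the direction keyword: "in" restricts who can reach the vty, "out" restricts where someone already logged in can telnet from it, which is the point raised earlier in the thread about being careful with in and out.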