[c-nsp] vty access-list
Aaron Daubman
daubman at gmail.com
Thu Sep 13 10:57:31 EDT 2007
Catalin,
...
> Is this a normal behavior of the IOS, to block access to all the ip's, including to the one that is supposed to be allowed?
While not explicitly called out, I believe the intent is to use a
'standard' access list with one's vty access-class statements. To
that end, an extended list that specifies a destination as well as a
source will deny all traffic.
I would hazard a guess that this is due to the fact that one's
destination is no longer the external interface IP address used to
reach the router at this point, but rather the internal VTY... I
believe the only way to restrict SSH access to a specific IP on the
router is to apply the appropriate extended access list entries to
each router interface, which, given enough processing overhead, is
probably a good idea anyway...
See: http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ec2.html
for the implied restriction to use only standard access lists...
Regards,
~Aaron
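As an added illustration (not part of Aaron's message or the thread), here are the two approaches the reply describes written out as IOS configuration. The ACL names (VTY-MGMT, MGMT-SSH), the addresses 192.0.2.10 and 198.51.100.1, and the interface name are assumed placeholders.

```cisco
! Approach 1: a standard ACL applied with access-class on the vty lines.
! Only the source address is matched, which is what the reply recommends.
! The "log" keyword on the deny records refused connection attempts, which
! is useful for spotting unexpected management-plane access.
ip access-list standard VTY-MGMT
 permit 192.0.2.10
 deny   any log
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
!
! Approach 2 (the reply's alternative): an extended ACL on each ingress
! interface, restricting SSH (tcp/22) to the router's own address while
! leaving other traffic untouched. 198.51.100.1 is the assumed interface IP.
ip access-list extended MGMT-SSH
 permit tcp host 192.0.2.10 host 198.51.100.1 eq 22
 deny   tcp any host 198.51.100.1 eq 22 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group MGMT-SSH in
```

Approach 2 must be repeated on every interface through which the router can be reached, and the final "permit ip any any" is what keeps transit traffic flowing.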