[c-nsp] vty access-list

Fred Reimer freimer at ctiusa.com
Thu Sep 13 11:12:05 EDT 2007

If the device supports CPP can't you put an ACL on the
control-plane to handle all interfaces at once?

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron
Sent: Thursday, September 13, 2007 10:58 AM
To: C and C Dominte
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] vty access-list


> Is this a normal behavior of the IOS, to block access to all
> the ip's, including to the one that is supposed to be allowed?

While not explicitly called out, I believe the intent is to use a
'standard' access list with one's vty access-class statements.
that end, an extend list that specifies a destination as well as
source will deny all traffic.

I would hazard a guess that this is due to the fact the one's
destination is no-longer the external interface IP address used
reach the router at this point, but rather the internal VTY...  I
believe the only way to restrict SSH access to a specific IP on
router is to apply the appropriate extended access list entries
each router interface, which, given enough processing overhead,
probably a good idea anyway...

for the implied restriction to use only standard access lists...

cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/
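The two approaches discussed in this thread side by side, as an added illustration that is not part of either poster's message: a standard ACL applied with access-class on the vty lines (Aaron's suggestion), and an extended ACL that filters SSH for every interface at once through a control-plane service policy (Fred's suggestion). Names, addresses and the policy layout are constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```cisco
! --- Option 1: standard ACL with access-class on the vty lines ---
! A standard list matches on source only, which is what access-class
! evaluates; an extended entry that also names a destination may never
! match, because the destination seen by the vty is not the ingress
! interface address the client connected to.
ip access-list standard VTY-MGMT
 remark constructed example: trusted management sources only
 permit 192.0.2.10
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class VTY-MGMT in
!
! --- Option 2: control-plane policing, one policy for all interfaces ---
! In CoPP classification, "permit" means "this traffic belongs to the
! class" and the class action decides its fate; "deny" excludes it from
! the class. Trusted sources are therefore excluded first, and any other
! SSH towards the router is classified and dropped.
ip access-list extended COPP-SSH-UNTRUSTED
 remark constructed example: exclude trusted sources, classify the rest
 deny   tcp host 192.0.2.10 any eq 22
 deny   tcp 198.51.100.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
!
class-map match-all COPP-SSH-UNTRUSTED
 match access-group name COPP-SSH-UNTRUSTED
!
policy-map COPP
 class COPP-SSH-UNTRUSTED
  drop
 class class-default
!
control-plane
 service-policy input COPP
```

Keeping access-class on the vty lines in addition to CoPP is the usual belt-and-braces arrangement: the standard list still protects the lines if the control-plane policy is ever removed or mis-edited. Counters for the classified SSH traffic are visible with show policy-map control-plane, and the standard list's hits with show ip access-lists VTY-MGMT, which is the quickest way to confirm that a permitted source is actually matching the intended entry rather than falling through to the deny.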