[c-nsp] access-list

Peter Rathlev peter at rathlev.dk
Thu Oct 30 08:23:41 EDT 2008


On Thu, 2008-10-30 at 10:36 +0200, Ziv Leyes wrote:
> I think that what Adrian was asking, and it's something I would also
> like to know, is this: let's suppose I have an ACL for vty 0 4 and
> another ACL for vty 5 15.
> The ACL for 0 4 allows access to x.x.x.x
> The ACL for 5 15 allows access to y.y.y.y
> 
> How can I, as a y.y.y.y client, be sure I connect to a vty between 5 and
> 15 and not fall into a denied 0 to 4?
> If I'm the only one that tries to connect, by default I'll land on vty
> 0; if I'm denied there but allowed in 5 to 15, will I be diverted there
> as a fallback?

The router allocates the VTYs from 0 onwards, so the first person
connecting gets VTY 0, the next one VTY 1 and so on. There is practically
no security benefit in having different ACLs on different VTYs. It is
trivial for an attacker to starve e.g. VTY 0 - 4 so he can connect to
VTY 5. In my eyes: always treat every VTY the same.

> Or there is a way I can force my connection to fall in vty 5 and up?

There's a "trick" with rotary groups you might find useful. If you
assign a line to a rotary group, this line is accessible on port
(3000 + group). This way you can reach a specific VTY by using another port.

line vty 6
 rotary 10
!
! rotary group 10 -> telnet to TCP port 3010 (3000 + group)

You can assign several lines to the same rotary group and they will be
allocated serially. (Unless you choose them to be round robin selected.)

Regards,
Peter
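
Added example (not part of Peter's post or the thread): the same
recommendation written out as IOS configuration, with one ACL applied to
all VTYs and a rotary group so that VTY 5 - 15 can be reached on a
dedicated port. The ACL name VTY-MGMT, the RFC 5737 addresses and the SSH
port mapping (ip ssh port ... rotary, from the IOS SSH terminal-line
access feature, which the post does not mention) are assumptions.

```ios
! Added example, not from the original post. The ACL name VTY-MGMT and the
! RFC 5737 addresses are placeholders.
!
! One named standard ACL listing every management host. Log denied hits so
! a scan against the VTYs shows up in syslog.
ip access-list standard VTY-MGMT
 permit 192.0.2.10
 permit 198.51.100.20
 deny   any log
!
! Weak variant (do not use): a different ACL per VTY range. Whoever fills
! VTY 0-4 with idle sessions simply lands on VTY 5 and is checked only
! against the second ACL, so the split buys nothing.
!
! line vty 0 4
!  access-class VTY-ADMIN in
! line vty 5 15
!  access-class VTY-OTHER in
!
! Corrected variant: the same ACL on every VTY, so starving the low-numbered
! lines changes which line a session gets, not what is allowed to connect.
line vty 0 15
 access-class VTY-MGMT in
 exec-timeout 10 0
 transport input ssh
!
! Optional: make lines 5-15 directly reachable as rotary group 10, i.e. on
! TCP port 3010 for telnet (3000 + group). Lines 0-4 stay as the default
! pool for port 22/23.
line vty 5 15
 rotary 10
!
! Assumed SSH counterpart (IOS SSH terminal-line access, not on the page):
! map rotary group 10 to SSH on TCP port 2010, since transport input is
! ssh-only above and telnet to 3010 would be refused.
ip ssh port 2010 rotary 10
!
! A rotary group only changes line selection, not access control: a session
! arriving on port 2010 or 3010 still has to pass VTY-MGMT.
```

The point of the corrected variant is that access-class is evaluated on
whichever line the session happens to get; with one ACL everywhere, the
allocation order Peter describes becomes irrelevant for authorisation.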
