Standard and extended access lists, when applied to an interface,
filter packets that pass through the router. They are not designed
to filter packets that the router itself originates. An outbound
extended access list that denies Telnet on an interface does not,
by default, stop a Telnet session started from the router's own
command line.
Just as a router has physical ports or interfaces, such as E0 and E1,
it also has virtual ports. These virtual ports are called vty lines.
The main figure shows five such lines, numbered vty 0 through 4; this
is the classic default, but many IOS platforms provide more (typically
vty 0 through 15), and show line lists the ones present on a given router.
For security purposes, users can be denied virtual terminal
(vty) access to the router, or users can be permitted vty access to
the router but denied access to destinations from that router.
Restricting vty access is less a traffic control mechanism than one
technique for increasing network security.
Because vty access is a terminal session (Telnet, or SSH on routers that
support it) to the router itself rather than traffic forwarded through an
interface, it is restricted with a single mechanism: an access list applied
to the vty lines with the access-class command, not with ip access-group on
an interface. You should generally set identical restrictions on all vty
lines, because you cannot control on which vty line a user will connect;
the router assigns the lowest-numbered line that is free.
Note: Some experts recommend that you configure the last vty line
(line vty 4) differently from the others, so that an administrator
always has a way into the router. This works because a new connection
is assigned to the lowest-numbered line that is free at that moment,
so the last line is used only when all the others are busy. Restricting
that line to a single trusted management host means it cannot be tied
up by other users, including an attacker who has opened sessions on the
other lines. The "back door" must therefore be more restrictive than
the other lines, not less; a looser last line would hand an attacker
exactly the path this note is meant to keep for the administrator.
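The following IOS configuration is an added example, not part of the original text or of any Cisco documentation. It ties together the points above: an interface access list that filters transit Telnet but not router-originated sessions, identical access-class restrictions on vty 0 through 3 for both inbound sessions and outbound connections made from a vty session, and a more tightly restricted last line (vty 4) reserved for one management host. The addresses (10.1.1.0/24 as the admin subnet, host 10.1.1.5 as the emergency jump host, 10.1.0.0/16 as the allowed destinations), the access-list numbers and the remark text are assumptions chosen for the example. It also assumes a local username has already been configured for login local, and it restricts the lines to SSH, which is the sensible choice where the platform supports it even though the surrounding text discusses Telnet.

```cisco
! Admin subnet allowed to open sessions TO the router (inbound vty).
! Addresses are example values, not from the original text.
access-list 10 remark MGMT-HOSTS inbound vty access from the admin subnet
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
!
! Single jump host kept for the reserved last line.
access-list 11 remark MGMT-EMERGENCY only the jump host may use vty 4
access-list 11 permit host 10.1.1.5
access-list 11 deny   any log
!
! Destinations a logged-in user may connect to FROM a vty session.
access-list 12 remark MGMT-OUTBOUND allowed destinations from a vty session
access-list 12 permit 10.1.0.0 0.0.255.255
access-list 12 deny   any log
!
! An interface ACL filters TRANSIT traffic only. Denying port 23 here
! blocks Telnet passing through E0, but not Telnet the router itself
! initiates; that is what access-class ... out on the vty lines is for.
access-list 101 deny   tcp any any eq 23
access-list 101 permit ip any any
interface Ethernet0
 ip access-group 101 out
!
! Lines 0-3: identical restrictions, because a user cannot choose the line.
line vty 0 3
 access-class 10 in
 access-class 12 out
 exec-timeout 5 0
 login local
 transport input ssh
!
! Line 4 is only handed out when 0-3 are all busy. Keeping it for the
! jump host alone means other users cannot exhaust every line.
line vty 4
 access-class 11 in
 access-class 12 out
 exec-timeout 5 0
 login local
 transport input ssh
```

To check the result, show access-lists displays match counters for each list (the log keyword on the final deny entries records rejected sources), show line lists the vty lines the platform actually provides, and show users shows which vty line a session landed on; open sessions from the admin subnet one after another and confirm that the fifth one is refused unless it comes from 10.1.1.5. If show line reports more than five vty lines, extend the line vty 0 3 range so that every line except the last carries the same restrictions, and move the reserved configuration to the highest-numbered line.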