Cisco provides ACLs to permit or deny Telnet access to the VTY
ports of a switch. Cisco devices vary in the number of VTY ports that are
available by default. When configuring VTY ACLs, ensure that every default VTY line
is either removed or has a specific VTY ACL applied.
Telnet filtering is
normally considered an extended IP ACL function because it is filtering a
higher-level protocol. However, because the access-class
command is used to filter incoming Telnet sessions by source address and to
apply filtering to VTY lines, standard IP ACL statements can be used to control
VTY access. The access-class command also applies standard
IP ACL filtering to VTY lines for outgoing Telnet sessions originating from the
switch.

VTY ACLs
can be applied to any combination of VTY lines. The same ACL can be applied to
all VTY lines, or a separate ACL can be applied to each VTY line. The most common
practice is to apply the same ACL to all VTY lines.
Commands to Configure VTY ACLs
To configure VTY ACLs on a Cisco
switch, create a standard IP ACL and apply the ACL on the VTY interfaces.
Rather than applying the ACL to a data interface, the ACL is applied to a VTY
line or range of lines with the access-class command.

Example: VTY Access
In this example, permission is granted to any
device on network 192.168.1.0 0.0.0.255 to establish a virtual terminal
(Telnet) session with the switch. Of course, the user must know the appropriate
passwords to enter user mode and privileged mode.
Notice that identical
restrictions have been set on every VTY line because the line on which the VTY
user will connect cannot be controlled.
The implicit deny
any statement at the end of the access list still applies to the ACL
when it is used as an access-class entry.
Switch(config)#access-list 12 permit 192.168.1.0 0.0.0.255
Switch(config)#line vty 0 15
Switch(config-line)#access-class 12 in
NOTE: The actual number of VTY lines depends on the platform and the IOS
software being run.
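The note above is the reason audits of VTY filtering so often miss lines: a platform may expose more VTY lines than the range an administrator configured. The following script is an added example (not part of the original text or of Cisco IOS) that parses a constructed running-config excerpt, lists each "line vty" range with the inbound access-class applied to it, and flags ranges that have no inbound access-class or that reference an ACL with no entries; the configuration text and hostname are assumptions made up for the example.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device):
# vty 0 4 is filtered, vty 5 15 has no access-class, the gap the text warns about.
SAMPLE_CONFIG = """\
hostname Switch
!
access-list 12 permit 192.168.1.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 12 in
 login local
line vty 5 15
 login local
!
"""

def parse_vty_lines(config):
    """Return (first, last, inbound_access_class_or_None) for each 'line vty' block."""
    blocks = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = [first, last, None]
            blocks.append(current)
            continue
        if line and not line.startswith(" "):
            current = None  # any unindented command ends the line-mode block
            continue
        if current is not None:
            m = re.match(r"^\s+access-class (\S+) in$", line)
            if m:
                current[2] = m.group(1)
    return [tuple(b) for b in blocks]

def defined_acls(config):
    """Numbered and named ACLs that have at least one entry in the config."""
    numbered = re.findall(r"^access-list (\d+) ", config, re.M)
    named = re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M)
    return set(numbered) | set(named)

def audit_vty(config):
    """VTY ranges with no inbound access-class, or one that names an undefined ACL."""
    acls = defined_acls(config)
    findings = []
    for first, last, acl in parse_vty_lines(config):
        if acl is None:
            findings.append(f"vty {first} {last}: no inbound access-class")
        elif acl not in acls:
            findings.append(f"vty {first} {last}: access-class {acl} references an undefined ACL")
    return findings
```

Run `audit_vty` over the output of `show running-config` saved to a file; an empty list means every configured VTY range carries an inbound access-class that points at an existing ACL.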