Defending Network Switches
VTY ACLs

Cisco provides ACLs to permit or deny Telnet access to the VTY ports of a switch. Cisco devices vary in the number of VTY ports that are available by default. When configuring VTY ACLs, ensure that all default ports are removed or have a specific VTY ACL applied.

Telnet filtering is normally considered an extended IP ACL function because it is filtering a higher-level protocol. However, because the access-class command is used to filter incoming Telnet sessions by source address and to apply filtering to VTY lines, standard IP ACL statements can be used to control VTY access. The access-class command also applies standard IP ACL filtering to VTY lines for outgoing Telnet sessions originating from the switch.

VTY ACLs can be applied to any combination of VTY lines. The same ACL can be applied to all VTY lines, or a separate ACL can be applied to each VTY line. The most common practice is to apply the same ACL to all VTY lines.

Commands to Configure VTY ACLs
To configure VTY ACLs on a Cisco switch, create a standard IP ACL and apply the ACL on the VTY interfaces. Rather than applying the ACL to a data interface, the ACL is applied to a VTY line or range of lines with the access-class command.

Example: VTY Access
In this example, permission is granted to any device on network 192.168.1.0 0.0.0.255 to establish a virtual terminal (Telnet) session with the switch. Of course, the user must know the appropriate passwords to enter user mode and privileged mode.

Notice that identical restrictions have been set on every VTY line because the line on which the VTY user will connect cannot be controlled.

The implicit deny any statement at the end of the access list still applies to the ACL when it is used as an access-class entry.

Switch(config)#access-list 12 permit 192.168.1.0 0.0.0.255
Switch(config)#line vty 0 15
Switch(config-line)#access-class 12 in
NOTE:

The actual number of VTY lines depends on the platform and the IOS software being run.
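The audit point above (every VTY line must carry an access-class, and the implicit deny any still applies) can be checked offline against a saved running-config. The following Python script is an added example and is not part of the Cisco material on this page; it parses standard numbered access-lists and line vty blocks from a constructed config excerpt (not a real device's config), reports VTY lines that have no inbound access-class, and evaluates a source address against the applied ACL using first-match semantics with the implicit deny at the end. The function and variable names are my own.

```python
import ipaddress
import re

# Constructed running-config excerpt for the example (not from any real switch).
# VTY lines 0-4 have ACL 12 applied; lines 5-15 were left without an access-class,
# which is exactly the gap the page warns about.
SAMPLE_CONFIG = """\
!
access-list 12 deny host 192.168.1.200
access-list 12 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
 access-class 12 in
 login
line vty 5 15
 login
!
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into an IPv4Network.

    A wildcard mask is the bitwise inverse of a subnet mask, so
    0.0.0.255 becomes 255.255.255.0.
    """
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_standard_acls(config):
    """Return {acl_number: [(action, network), ...]} in configured order."""
    acls = {}
    pat = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        num, action, addr, wild = m.groups()
        if addr == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif addr == "host":            # "permit host A.B.C.D" form
            net = ipaddress.IPv4Network(f"{wild}/32")
        else:                           # "permit A.B.C.D [wildcard]"; no wildcard means a host
            net = wildcard_to_network(addr, wild or "0.0.0.0")
        acls.setdefault(int(num), []).append((action, net))
    return acls


def parse_vty_lines(config):
    """Return [(first, last, acl_number_or_None), ...] for each 'line vty' block."""
    blocks = []
    current = None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?:\s+(\d+))?\s*$", raw.strip())
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = [first, last, None]
            blocks.append(current)
            continue
        if current is not None and raw.startswith(" "):
            # indented sub-command inside the current line block
            m2 = re.match(r"^\s*access-class\s+(\d+)\s+in\s*$", raw)
            if m2:
                current[2] = int(m2.group(1))
        elif not raw.startswith(" "):
            current = None              # any top-level command ends the block
    return [tuple(b) for b in blocks]


def unprotected_vtys(config):
    """VTY line numbers with no inbound access-class: the audit finding."""
    return sorted(n for first, last, acl in parse_vty_lines(config)
                  if acl is None for n in range(first, last + 1))


def acl_permits(acl_entries, source_ip):
    """First-match evaluation; falling off the end is the implicit 'deny any'."""
    ip = ipaddress.IPv4Address(source_ip)
    for action, net in acl_entries:
        if ip in net:
            return action == "permit"
    return False


def vty_allows(config, source_ip):
    """Map each VTY line number to whether source_ip may open a session on it.

    A line with no access-class accepts any source, which is why the
    unprotected lines 5-15 in the sample config are the real exposure.
    """
    acls = parse_standard_acls(config)
    result = {}
    for first, last, acl in parse_vty_lines(config):
        allowed = True if acl is None else acl_permits(acls.get(acl, []), source_ip)
        for n in range(first, last + 1):
            result[n] = allowed
    return result


if __name__ == "__main__":
    print("VTY lines without access-class:", unprotected_vtys(SAMPLE_CONFIG))
    for src in ("192.168.1.10", "192.168.1.200", "10.0.0.5"):
        print(src, vty_allows(SAMPLE_CONFIG, src))
```

Running the script on the sample config lists lines 5 through 15 as unprotected, shows that 10.0.0.5 is refused on line 0 only because of the implicit deny, and shows that the same address is accepted on line 7; the fix is the one the page gives, applying the access-class to the full range of VTY lines the platform provides.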


Lab Activity

Lab Exercise 1: Restricting Virtual Terminal Sessions with Access Lists

In this lab, students will define and apply access lists to restrict access to virtual terminal sessions on the switch.

Lab Activity

Lab Exercise 2: Restricting Web Interface Sessions with Access Lists

In this lab, students will define and apply access lists to restrict access to the Web interface on the switch.