Using an ACL to Control VTY Access

Cisco recommends using SSH for administrative connections to routers and switches. If the Cisco IOS software image on your router does not support SSH, you can improve the security of administrative lines by restricting VTY access. Restricting VTY access is a technique that allows you to define which IP addresses are allowed Telnet access to the router EXEC process. You can control which administrative workstation or network manages your router with an ACL and an access-class statement configured on your VTY lines. You can also use this technique with SSH to further improve administrative access security.

The access-class command configured in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.

Standard and extended access lists apply to packets that travel through a router. They are not designed to block packets that originate within the router. An outbound Telnet extended ACL does not prevent router-initiated Telnet sessions, by default.

Filtering Telnet or SSH traffic is typically considered an extended IP ACL function because it filters a higher level protocol. However, because the access-class command is used to filter incoming or outgoing Telnet/SSH sessions by source address, a standard ACL can be used.

The command syntax of the access-class command is:

Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }

The parameter in restricts incoming connections between the addresses in the access list and the Cisco device, while the parameter out restricts outgoing connections between a particular Cisco device and the addresses in the access list.

An example allowing a range of addresses to access VTY lines 0 - 4 is shown in Figure 1. The ACL in the figure is configured to permit network 192.168.10.0 to access VTY lines 0 - 4 but deny all other networks.

The following should be considered when configuring access lists on VTYs:

Use the Syntax Checker in Figure 2 to practice securing VTY access.