Access Lists
471
Controlling VTY (Telnet) Access
You will have a difficult time trying to stop users from telnetting into a
router with interface access lists, because any active interface address on
the router accepts VTY connections. However, you can use a standard IP access
list to control access by placing the access list on the VTY lines themselves,
so only the source address of the incoming session is checked.
To perform this function:
1. Create a standard IP access list that permits only the host or hosts you
want to be able to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.
Here is an example of allowing only host 172.16.10.3 to telnet into a router:
RouterA(config)#access-list 50 permit 172.16.10.3
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 50 in
Because of the implied deny any at the end of the list, the access list stops
any host from telnetting into the router except the host 172.16.10.3. Note
that the access-class command must be applied to every VTY line the router
has: on an IOS image that provides more than five VTY lines, line vty 0 4
leaves the remaining lines unprotected, so check the range with show line and
apply the list to all of them.
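The following is an added example, not a configuration from the book, that carries the two-step procedure above a little further: it permits a whole management subnet plus one extra host, adds an explicit logged deny so refused attempts show up in the router log, applies the list to the full VTY range, and verifies the result. The addresses (172.16.10.0/24 and 10.1.1.7) and the 16-line VTY range are assumptions for illustration; use the range that show line reports for your platform.

```cisco
! Added example (not the book's own configuration). Addresses are assumed:
! the management subnet 172.16.10.0/24 and host 10.1.1.7 are illustrative.
! Standard numbered ACL 50. The wildcard 0.0.0.255 matches the whole /24;
! "host" is shorthand for a 0.0.0.0 wildcard (a single address).
RouterA(config)#access-list 50 permit 172.16.10.0 0.0.0.255
RouterA(config)#access-list 50 permit host 10.1.1.7
! The implicit deny any would already block everyone else; an explicit deny
! with the log keyword makes refused VTY connection attempts visible in the log.
RouterA(config)#access-list 50 deny any log
! Apply the list inbound on every VTY line. "line vty 0 4" would leave lines
! 5 to 15 open on an image that provides 16 VTY lines; if the router only has
! vty 0 4, use that range instead (show line lists the VTY lines present).
RouterA(config)#line vty 0 15
RouterA(config-line)#access-class 50 in
RouterA(config-line)#end
! Verify: the match counters increase as sessions are accepted or refused,
! and the running configuration shows the access-class under the VTY lines.
RouterA#show access-lists 50
RouterA#show running-config | begin line vty
```

Because the check is tied to the VTY lines rather than to an interface, it applies to any session that lands on those lines, so the same access-class protects SSH logins as well as Telnet. The in keyword restricts connections coming into the router; access-class with out would instead restrict where an operator already logged into the router may telnet to from it.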
Should I use standard IP access lists?
Probably not.
Unless you are studying for the test and running through the labs, standard
IP access lists have somewhat outlived their usefulness. In a small network
or home network, they might be okay to use, but they are not flexible
enough for a real-world, large production environment. Extended access
lists provide many more options and flexibility when creating access lists
for large networks.
Should you secure your Telnet lines on a router?
Yes, absolutely, and the access-class command is the best way to do this.
Why? Because it doesn't use an access list that just sits on an interface
looking at every packet that is coming and going, which adds latency to the
traffic being routed. An access-class list is consulted only when a session
attempts to connect to a VTY line, so transit traffic is never examined.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com