-
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.2SR
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
-
Configuring Context-based Access Control
-
Configuring Port to Application Mapping
- Unicast Reverse Path Forwarding (uRPF)
-
Access Control Lists (ACLs)
Table Of Contents
Controlling Access to a Virtual Terminal Line
Restrictions for Controlling Access to a Virtual Terminal Line
Information About Controlling Access to a Virtual Terminal Line
Benefits of Controlling Access to a Virtual Terminal Line
How to Control Access to a Virtual Terminal Line
Controlling Inbound Access to a vty
Controlling Outbound Access to a vty
Outbound Access List on a Line Specifies a Destination Address
Configuration Examples for Controlling Access to a Virtual Terminal Line
Controlling Inbound Access on vtys: Example
Controlling Outbound Access on vtys: Example
Feature Information for Controlling Access to a Virtual Terminal Line
Controlling Access to a Virtual Terminal Line
First Published: August 18, 2006Last Updated: August 18, 2006You can control who can access the virtual terminal lines (vtys) to a router by applying an access list to inbound vtys. You can also control the destinations that the vtys from a router can reach by applying an access list to outbound vtys.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Controlling Access to a Virtual Terminal Line" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Restrictions for Controlling Access to a Virtual Terminal Line
•
•
•
Restrictions for Controlling Access to a Virtual Terminal Line
When you apply an access list to a vty (by using the access-class command), the access list must be a numbered access list, not a named access list.
Information About Controlling Access to a Virtual Terminal Line
Before you control access to a vty, you should understand the following concepts:
•
Benefits of Controlling Access to a Virtual Terminal Line
By applying an access list to an inbound vty, you can control who can access the lines to a router. By applying an access list to an outbound vty, you can control the destinations that the lines from a router can reach.
How to Control Access to a Virtual Terminal Line
This section contains the following procedures:
•
•
Controlling Inbound Access to a vty
Perform this task when you want to control access to a vty coming into the router by using an access list. Access lists are very flexible; this task illustrates one access-list deny command and one access-list permit command. You will decide how many of each command you should use and their order to achieve the restrictions you want.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Controlling Outbound Access to a vty
Perform this task when you want to control access from a vty to a destination. Access lists are very flexible; this task illustrates one access-list deny command and one access-list permit command. You will decide how many of each command you should use and their order to achieve the restrictions you want.
Outbound Access List on a Line Specifies a Destination Address
When a standard access list is applied to a line with the access-class out command, the address specified in the access list is not a source address (as it is in an access list applied to an interface), but a destination address.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Configuration Examples for Controlling Access to a Virtual Terminal Line
This section provides the following configuration examples:
•
•
Controlling Inbound Access on vtys: Example
The following example defines an access list that permits only hosts on network 172.19.5.0 to connect to the virtual terminal lines 1 through 5 on the router. Because the vty keyword is omitted from the line command, the line numbers 1 through 5 are absolute line numbers.
access-list 12 permit 172.19.5.0 0.0.0.255line 1 5access-class 12 inControlling Outbound Access on vtys: Example
The following example defines an access list that denies connections to networks other than network 171.20.0.0 on terminal lines 1 through 5. Because the vty keyword is omitted from the line command, the line numbers 1 through 5 are absolute line numbers.
access-list 10 permit 172.20.0.0 0.0.255.255line 1 5access-class 10 outWhere to Go Next
You can further secure a vty by configuring a password with the password line configuration command. See the password (line configuration) command in the Cisco IOS Security Command Reference.
Additional References
The following sections provide references related to Controlling Access to a Virtual Terminal Line.
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for Controlling Access to a Virtual Terminal Line
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for a specific command was introduced, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
