
Telnet Works Only If the Destination Host Is Specified as "Any" in the Extended Access Lists

Document ID: 116101

Updated: May 31, 2013

Contributed by Sandeep Singh and Shashank Singh, Cisco TAC Engineers.


Introduction

This document describes the access control list (ACL) structure that is supported for controlling Telnet access to a switch when the ACL is applied to the VTY lines with access-class.

Problem

The user wants to allow Telnet access to the switch from only one host in the network. For example, only host 10.0.0.2 should be able to Telnet to the switch IP address 10.0.0.1.

Here is an example of a configuration that does not work:

ip access-list extended 100
 ! destination is a specific host: this entry is never matched by access-class
 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet
!
line vty 0 4
 access-class 100 in
 transport input telnet
 login
 password cisco

Solution

By design, access-class matches only the source address field of the access list entries; the destination address field is not consulted, so an entry whose destination is a specific host is never matched and the connection falls through to the implicit deny. Access-class controls access to the router as a whole, not access to the router on one particular router address.

Here is an example of a configuration that works:

ip access-list extended 100
 ! destination "any": access-class matches on the source host only
 permit tcp host 10.0.0.2 any eq telnet
!
line vty 0 4
 access-class 100 in
 transport input telnet
 login
 password cisco
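The following Python model shows why the first configuration fails and the second works. It is an added example, not Cisco code, and it models only the behaviour this document describes: under access-class the destination field of an extended ACL entry is not consulted, so an entry with a specific destination host never matches, whereas an ordinary interface ACL checks both addresses. The parser accepts only the `host a.b.c.d` and `any` address forms used on this page (wildcard masks are not modelled; that is an assumption of the example), and the two ACL bodies are constructed from the configurations above.

```python
"""Model of the access-class behaviour described in the document (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # e.g. "tcp"
    src: Optional[str]    # None means "any"
    dst: Optional[str]    # None means "any"
    port: Optional[str]   # e.g. "telnet"; None means any port


def _parse_addr(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume 'any' or 'host X' at tokens[i]; return (address or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return str(ip_address(tokens[i + 1])), i + 2   # ip_address validates the literal
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'permit tcp host 10.0.0.2 any eq telnet'."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    port = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, dst, port)


def parse_acl(text: str) -> List[Ace]:
    """Parse the body of an 'ip access-list extended' block; '!' lines are comments."""
    lines = [l.strip() for l in text.splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]


def interface_acl_permits(acl: List[Ace], src: str, dst: str, port: str = "telnet") -> bool:
    """Ordinary extended-ACL evaluation: source, destination and port must all match.
    First matching entry decides; no match means the implicit deny."""
    for ace in acl:
        if ace.src in (None, src) and ace.dst in (None, dst) and ace.port in (None, port):
            return ace.action == "permit"
    return False


def access_class_permits(acl: List[Ace], src: str, port: str = "telnet") -> bool:
    """access-class evaluation as the document describes it: the destination field is
    not consulted, so only entries whose destination is 'any' can ever match."""
    for ace in acl:
        if ace.dst is not None:
            continue   # destination-specific entry: never matched under access-class
        if ace.src in (None, src) and ace.port in (None, port):
            return ace.action == "permit"
    return False


# Constructed sample ACL bodies, taken from the two configurations in the document.
BROKEN_ACL = "permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet\n"
WORKING_ACL = "permit tcp host 10.0.0.2 any eq telnet\n"


def compare(src: str = "10.0.0.2", dst: str = "10.0.0.1") -> dict:
    """Evaluate one Telnet attempt from src to dst under both ACLs and both rule sets."""
    broken, working = parse_acl(BROKEN_ACL), parse_acl(WORKING_ACL)
    return {
        "broken_as_interface_acl": interface_acl_permits(broken, src, dst),
        "broken_as_access_class": access_class_permits(broken, src),
        "working_as_access_class": access_class_permits(working, src),
    }


if __name__ == "__main__":
    for name, allowed in compare().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

The same entry that permits the session when evaluated as an interface ACL is silently skipped under access-class, which is exactly the symptom in the Problem section: the configuration looks correct but every Telnet attempt is denied. Checking that every access-class entry uses a destination of `any` is the quickest way to rule this out on a real device.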
