
How to create and configure Access Control Lists for vty lines (telnet and ssh)

Before continuing, refer to the Introduction to Access Control Lists lesson if you are not familiar with Access Control Lists.

Refer to the Standard Access Control Lists lesson if you are not familiar with the IOS commands used to configure Standard Access Control Lists.

Refer to the Extended Access Control Lists lesson if you are not familiar with the IOS commands used to configure Extended Access Control Lists.

You must also be familiar with the TCP port numbers of important services; refer to the lesson on important TCP port numbers if you need a refresher.

When a telnet or SSH connection is made to the router, the router associates that connection with a virtual terminal (VTY) line. Controlling access to the VTY lines is important, because normally only the network administrators should be able to open a telnet or SSH session to the router. (Where possible, prefer SSH over telnet for this management access: telnet sends the login credentials and the whole session in cleartext, whereas SSH encrypts them.)

To configure a Standard Access Control List (ACL) for your VTY lines (telnet or SSH), follow these steps.

Standard Access Control Lists (ACLs) for VTY lines (Telnet or SSH) - Lab Practice

The following diagram shows our Access Control Lists lab setup. We have three routers, three switches, six workstations and three servers connected as below. The host names, IP addresses and the interfaces of the routers are shown in diagram. The IP addresses of the workstations and the servers are also shown in the diagram.

CCNA ACL lab setup

The purpose of this lab is to allow telnet or SSH connections to Router03 only from Workstation06 (IP address 172.18.0.12/16) using a Standard Access Control List (ACL). Connect the computers, switches and routers as shown in the figure. Configure the IP address and default gateway TCP/IP settings on all computers and servers. Configure the hostname, IP addresses and routing on the three routers. Refer to the lesson on configuring hostnames, IP addresses and Enhanced Interior Gateway Routing Protocol (EIGRP) in routers if you need more detail on those steps.

How to create a Standard Access Control List (ACL) using "access-list" IOS command to filter telnet traffic

To create a Standard Access Control List (ACL) that allows telnet or SSH connections to Router03 only from Workstation06 (IP address 172.18.0.12/16, on the 172.18.0.0/16 network), use the "access-list" IOS command from the global configuration mode of Router03, as shown below.

Router03>enable
Router03#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router03(config)#access-list 55 permit 172.18.0.12 0.0.0.0
Router03(config)#access-list 55 deny any
Router03(config)#exit
Router03#

The IOS command "access-list 55 permit 172.18.0.12 0.0.0.0" permits traffic from the single host 172.18.0.12. The wildcard mask 0.0.0.0 means every bit of the source address must match, so this line is equivalent to "access-list 55 permit host 172.18.0.12".

The IOS command "access-list 55 deny any" denies all other traffic. Every IOS ACL already ends with an implicit "deny any", so this line is not strictly required, but writing it explicitly makes the intent of the list visible and lets "show access-lists" count the rejected connection attempts, which the implicit deny does not.

How to apply the Standard Access Control Lists (ACL) to router using "access-class" command to filter telnet or SSH traffic

To apply the Standard Access Control List (ACL) created above to the VTY lines, so that only 172.18.0.12 can open a telnet or SSH session, follow these steps. Note that "access-class" filters only the VTY lines it is configured under; many IOS platforms have more than five VTY lines (for example vty 0 15), so check the available lines with "show line" and apply the access-class to all of them, otherwise a session that lands on an unfiltered line bypasses the ACL.

Router03>enable
Router03#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router03(config)#line vty 0 4
Router03(config-line)#access-class 55 in
Router03(config-line)#exit
Router03(config)#exit
Router03#
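To make the matching rules behind the two steps above concrete (the wildcard-mask comparison in "access-list 55 permit 172.18.0.12 0.0.0.0", the first-match and implicit-deny behaviour of the list, and the accept/reject decision that "access-class 55 in" makes for each incoming VTY session), here is a small Python simulation. It is an added example written for this page, not IOS code and not from the original tutorial: it re-implements standard ACL evaluation so the lab's ACL 55 can be checked offline against sample source addresses. ACL 56 and the sample source addresses other than Workstation06's 172.18.0.12 are constructed for the example and do not come from the lab; the example also assumes the ACL named in access-class exists.

```python
"""Simulate how a standard IOS ACL applied with "access-class ... in"
filters VTY (telnet/SSH) connection attempts by source address.
Added example (not IOS code, not from the tutorial)."""
import ipaddress
from dataclasses import dataclass

# The two ACL statements entered on Router03 in the lab above.
ROUTER03_ACL_CONFIG = [
    "access-list 55 permit 172.18.0.12 0.0.0.0",
    "access-list 55 deny any",
]

# Constructed variant (not from the lab): permit the whole 172.18.0.0/16
# network with a wildcard mask and rely on the implicit deny at the end.
NETWORK_ACL_CONFIG = [
    "access-list 56 permit 172.18.0.0 0.0.255.255",
]

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    address: int    # IPv4 address as an integer
    wildcard: int   # wildcard mask as integer: 0 bit = must match, 1 bit = don't care


def parse_access_list(config_lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' lines into {n: [AclEntry, ...]}."""
    acls = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list statement: {line!r}")
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        if parts[3] == "any":                     # "any" == 0.0.0.0 255.255.255.255
            address, wildcard = 0, ALL_ONES
        elif parts[3] == "host":                  # "host A.B.C.D" == A.B.C.D 0.0.0.0
            address, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            address = int(ipaddress.IPv4Address(parts[3]))
            # A standard ACL entry with no wildcard means an exact host (0.0.0.0).
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append(AclEntry(action, address, wildcard))
    return acls


def entry_matches(entry, source):
    """The source matches when every bit the wildcard marks 'must match' is equal."""
    must_match = ~entry.wildcard & ALL_ONES
    return (source & must_match) == (entry.address & must_match)


def evaluate_acl(entries, source_ip):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    source = int(ipaddress.IPv4Address(source_ip))
    for entry in entries:
        if entry_matches(entry, source):
            return entry.action
    return "deny"


def vty_connection_allowed(acls, access_class, source_ip):
    """Emulate 'access-class <n> in' on the vty lines: the session is accepted only
    if the ACL permits the connection's source address. Simplification: the
    referenced ACL is assumed to be defined."""
    return evaluate_acl(acls[access_class], source_ip) == "permit"


def simulate(config_lines, access_class, sources):
    """Return {source_ip: True/False} for a list of sample connection attempts."""
    acls = parse_access_list(config_lines)
    return {ip: vty_connection_allowed(acls, access_class, ip) for ip in sources}


if __name__ == "__main__":
    # Constructed sample sources: Workstation06, a neighbour on its subnet,
    # and a host on another network in the lab.
    samples = ["172.18.0.12", "172.18.0.13", "172.16.0.10"]
    for ip, allowed in simulate(ROUTER03_ACL_CONFIG, 55, samples).items():
        print(f"ACL 55: telnet/SSH from {ip:<12} -> {'permit' if allowed else 'deny'}")
```

Running the script shows that only 172.18.0.12 reaches "permit"; every other source falls through to "deny any". Evaluating the constructed ACL 56 instead shows why the wildcard mask matters: 0.0.255.255 lets any 172.18.x.x host through while a 172.19.x.x host still hits the implicit deny, which is exactly the difference between filtering for one administrator workstation and filtering for its whole subnet.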