Using "rotary" to control vty access

I would like somebody to explain to me the process of a vty session being accepted in the "IP Services" lab under the "Controlling Virtual Terminal Line Access".

I understand that without the "rotary" group, I could control who accesses the vty lines on port 23. However, nobody could access the vty on port 3001. So, with just the access-list applied, R5 cannot access R4 on port 23. What is interesting is that it skips the 2nd line in the access-list (permit tcp any eq 3001) and it gets denied with the "deny ip any any".

How does the "rotary" command allow the telnet session to be accepted on port 3001? Why do you put in on vty 4? When the rotary command is applied, does it then take the access-group and accept any sessions allowed by the access-group?

I have so many questions about this one setup.


  • The rotary 1 command sets vty 4 to be part of rotary group 1. This could have been have been any of the vty lines, the choice is arbitrary. Once this is done this, it enables the base TCP port for rotary groups of 3000 for telnet. The 1 in the 3001 specifies rotary group 1. So if you had configured it for rotary 13, the port would have been 3013. Now with the access-class configured on the vty lines, incoming telnet sessions on port 23 are going to be allowed on vty 0 - 3 and for port 3001 it will be enabled on any lines that are part of the rotary group, which in this case is only vty 4.

    Here's a link to CCO where it's explained in much more detail:


Sign In or Register to comment.