From a technical standpoint, what's the difference between restricting telnet into a device using an access-class (under its vty lines) and deploying an access-group (to its interfaces)?
An ACL applied to a VTY line will only filter telnet traffic destined to that particular router. An ACL applied on an interface can filter telnet packets transiting that router. In other words, if you apply it to the VTY line, you don't have to worry about allowing protocol-specific traffic like you would if you apply it to the incoming interface.
Hope this makes sense.
Sorry mate for my brief question... I didn't explain some points. I meant an ACL with a proper source and destination, like an ACL with the destination address of all my local IP addresses... obviously this one does not get hit by any transiting telnet traffic.
From a technical standpoint there should be no difference... if you have both applied, the interface ACL will be hit first.
True regarding inbound traffic but what about outbound?
What if you want to block outbound telnet traffic? Line vty 0 4, access-class 1 out will take care of that.
The only other non-technical issue is that with "Line vty 0 4, access-class 1" you get to use a standard ACL. I like to save a few brain cycles.
Hmm... not sure about outbound traffic (while testing it wasn't blocking anything), and an ACL on a physical interface will not block locally originated traffic (only transit or policy-routed).
Applying an access-class outbound on the VTY lines will affect outbound telnet traffic generated from an active VTY session.
An ACL applied outbound on an interface will affect transit traffic. But with some additional configuration, I think you can have the locally-generated telnet traffic appear as transit and then processed by the ACL.
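The two points made above (a VTY access-class only ever sees sessions to the router itself, so a standard ACL is enough, while an interface access-group sees everything entering the interface and must permit the rest of the traffic; and access-class out governs sessions started from within a VTY session) can be shown side by side in one IOS configuration. This is an added example, not a config posted in this thread; the ACL numbers and names, the interface name, and the 192.0.2.0/24 (management) and 198.51.100.0/24 (LAN) addresses are all chosen for illustration.

```cisco
! Added example, not from the thread. Addresses and names are illustrative.
!
! --- Option 1: access-class on the VTY lines ---
! The line only ever sees sessions addressed to this router, so a standard
! ACL matching the source is sufficient; no other protocol is affected.
access-list 10 remark Hosts allowed to open a VTY session to this router
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! "access-class ... out" is matched against the DESTINATION of sessions
! started from an existing VTY session on this router (e.g. an admin
! typing "telnet x.x.x.x" while logged in). It does not touch transit
! traffic or sessions started from the console.
access-list 20 remark Destinations reachable from within a VTY session
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny   any log
!
line vty 0 4
 access-class 10 in
 access-class 20 out
 transport input telnet
!
! --- Option 2: access-group on the ingress interface ---
! Every packet entering the interface is evaluated, not only packets to
! the router, so the ACL must (a) be extended, to match telnet by
! destination port and address, and (b) explicitly permit everything else
! the interface carries, or it is dropped by the implicit deny at the end.
ip access-list extended MGMT-INGRESS
 remark Telnet to the router itself: only from the management network
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq telnet
 deny   tcp any host 198.51.100.1 eq telnet log
 remark Telnet passing THROUGH the router is also seen here (the VTY
 remark access-class never sees it); it is denied in this example
 deny   tcp any any eq telnet log
 remark Everything else must be permitted explicitly
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group MGMT-INGRESS in
```

Two things to check after applying this: "show access-lists" shows per-entry match counters, so a failed login attempt from outside 192.0.2.0/24 should increment the deny line of ACL 10 (option 1) or the "deny tcp any host 198.51.100.1 eq telnet" line of MGMT-INGRESS (option 2); and note that access-class applies to every protocol the line accepts under "transport input", so the same ACL 10 would also gate SSH if that were enabled on the line.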
Jeff, thanks for the clarification. access-class out turns your router into the "hotel california": you can telnet in but you can NOT leave.

Now in the stupid router tricks category... You could kill locally generated telnet with local PBR.

R1
ip local policy route-map TELNET
ip access-list extended TELNET
 permit tcp any any eq telnet
route-map TELNET permit
 match ip address TELNET
 set ip next-hop 22.214.171.124 <---- Loop0
access-list 100 deny tcp any any eq tel
access-list 100 permit
interface s0/0/1
 ip address 126.96.36.199 255.255.255.0
 ip access-group 100 out

R1#p 188.8.131.52
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 184.108.40.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/47/48 ms
R1#telnet 220.127.116.11
Trying 18.104.22.168 ...
% Destination unreachable; gateway or host down
R1#ct
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip local policy route-map TELNET
R1(config)#exit
R1#telnet 22.214.171.124
Trying 126.96.36.199 ... Open
Password required, but none set

Jun 29 21:33:58.734: %SYS-5-CONFIG_I: Configured from console by console
[Connection to 188.8.131.52 closed by foreign host]