Telnet in - How to restrict?

Hi folks,

From a technical standpoint, what's the difference between restricting telnet into a device using an access-class (under its vty lines) and deploying an access-group (to its interfaces)?





  • Kami,

    ACL applied to VTY line, will only filter telnet traffic destined to that particular router.  ACL applied on interface can filter telnet packets transiting that router. In other words, if you apply to VTY line, you dont have to worry about allowing protocol specific traffic like you would if you apply to incoming interface.


    hope this makes sense.


  • Sorry mate for my brief question...didnt explain some points, I meant an ACL with proper source and destination like an ACL with the destination address of all my local IP addresses...obviously this one does not hit by any transiting telnet traffic.





  • From technical stand point there should be no difference .... if you have both applied, interface ACL will be hit first.


  • True regarding inbound traffic but what about outbound? 

    What if you want block outbound telnet traffic?  Line vty 0 4, access-class 1 out will take care of that.

    The only other non-technical issue is that with "Line vty 0 4, access-class 1" you get to use a standard ACL.  I like to save a few brain cycles.

  • Hmm ... not sure about outbound traffic (while testing it wasnt blocking anything) and ACL in physical interface will not block localy originated traffic (only transit or policy-routed).

  • Applying an access-class outbound on the VTY lines will affect outbound telnet traffic generated from an active VTY session.

    An ACL applied outbound on an interface will affect transit traffic.  But with some additional configuration, I think you can have the locally-generated telnet traffic appear as transit and then processed by the ACL.


  • Jeff, thanks for the clarification.  access-class out turns your router in the "hotel california"  you can telnet in but you can NOT leave.

    Now in the stupid router tricks category...You could kill locally generated telnet with local PBR.


    ip local policy route-map TELNET

    ip access-list extended TELNET
     permit tcp any any eq telnet

    route-map TELNET permit
    match ip address TELNET
    set ip next-hop               <---- Loop0

    access-list 100 deny tcp any any eq tel
    access-list 100 permit

    interface s0/0/1
    ip address
    ip access-group 100 out


    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 44/47/48 ms
    Trying ...
    % Destination unreachable; gateway or host down

    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#no ip local policy route-map TELNET
    Trying ... Open

    Password required, but none set

    Jun 29 21:33:58.734: %SYS-5-CONFIG_I: Configured from console by console
    [Connection to closed by foreign host]

Sign In or Register to comment.