Access list on VTY lines Cisco

Posted on 2010-01-07
Last Modified: 2012-06-27
OK, can anyone answer this for me.

I have a 4506 on which I want to restrict the management interface to only one IP address range.

The switch is running as a router for the network, so it has several VLAN interfaces with IP addresses which are acting as the default gateway for their respective subnets.

Let's assume I have the networks /24 and , and in each case the 4506 is assigned the .254 address, which the PCs are using as their default gateway.

Now I only want PCs in either network to be able to connect to the IP address for management. It doesn't matter what subnet they are in; they must all use the above IP address.

I thought this would be simple:

ip access-list extended management
 permit ip any host log
 deny ip any any log
line vty 1 15
 access-class management in
! line vty 0 is used for non-management purposes and does not accept SSH

I assumed that this would mean only packets sent to the address would be accepted into the VTY line; everything else would be dropped.

However, this rule blocks all logon attempts from network , and looking at the logs I can see the access list blocks the traffic because it sees the destination as

I can see why this might happen, but I want to know if there is a way around it.

Remember, I am not trying to restrict who can manage the switch, just what IP address they must use, and it seems simpler to only allow one IP address and default-deny the rest.

Any ideas?

Question by: Aaron Street

    Expert Comment

    Can you post those logs?

    Author Comment

    by: Aaron Street
    These are the switch logs.

    It seems that when it receives the packets it routes them to self and the access list runs against that self address (

    Rather than the original destination address to which they were sent?

    If you use a PC on the network it runs OK.
    Jan  7 15:41:11.012: %SEC-6-IPACCESSLOGP: list Restrict_Managment denied tcp ->, 1 packet
    Jan  7 15:41:54.451: %SEC-6-IPACCESSLOGP: list Restrict_Managment denied tcp ->, 1 packet
    ip access-list extended Restricted_Managment
     permit ip any host log



    Expert Comment

    Why not create a simple access list instead of extended and attach it on vty interfaces?
    People usually restrict access to vty/con/aux with a simple access list where you, for example, just permit one IP address and the rest are blocked by the deny at the bottom of the access list.

    Author Comment

    by: Aaron Street
    Hi Flanger,

    I know how it's usually done,

    But I don't want to restrict from where you can access the management interface, but which one you are trying to get to.

    By default all users are blocked from getting onto the network; the routers' access lists block it.

    But admins can log on to any remote network and open up a hole to the network (I know this is not a standard method of doing security).

    However, if I could block all access to the VTY lines unless it was destined to the 192.168.20.x interface, then I could make management much simpler, rather than having to manually go to each routed interface and apply access lists there. One simple access list on each device would give me the security I want.


    Accepted Solution

    For anyone interested, you can do this by using the commands:

    control-plane host
     management-interface f0/1 allow ssh

    This limits which interfaces can receive different types of management traffic.

    I need to check it in a live system, but from reading through, this seems to do the trick.
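As an added example (not posted in this thread), a complete IOS configuration that pairs the Management Plane Protection command above with the usual source-restricting access-class, so the destination interface is enforced by MPP and the source by the VTY ACL. Assumed values: the management SVI is Vlan20 (the 192.168.20.x interface from the question), the permitted client subnets are 192.168.10.0/24 and 192.168.20.0/24, and the switch's IOS image supports MPP.

```cisco
! Added example; assumed interface names, subnets and MPP support on this platform.
!
! 1. SSH only on the management VTYs (line 0 is left as the author has it).
line vty 1 15
 transport input ssh
!
! 2. Management Plane Protection: SSH to the box is accepted only when it
!    arrives on Vlan20. SSH that reaches any other SVI or routed port is
!    dropped at the control plane regardless of its source address, which is
!    the destination-based restriction the question asks for.
control-plane host
 management-interface Vlan20 allow ssh
!
! 3. Second layer: a standard ACL on the VTYs restricting source addresses.
!    A standard ACL matches on source only, so it does not hit the
!    "routed to self" destination problem seen with the extended ACL.
ip access-list standard MGMT_SOURCES
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 deny   any log
line vty 1 15
 access-class MGMT_SOURCES in
!
! Verification:
!   show management-interface        (MPP policy and drop counters)
!   show access-lists MGMT_SOURCES   (hit counts on the source ACL)
```

Denied attempts on the source ACL still appear as %SEC-6-IPACCESSLOGP messages like the ones in the thread, while SSH dropped by MPP is visible only in the counters of show management-interface.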
