Filter access to Cisco device with access lists

It's well known that if you don't configure vty (virtual teletype) access on a networking device, you won't have remote access to it. On the other hand, who needs a networking device without administrative access? This means that we must create administrative access, but then we need some method of filtering unwanted connections to our devices.

The best method is to create a standard access list and apply it to the vty lines. For this tutorial I have created a topology with three routers (Slide 1.) with IP addresses 192.168.100.n, where n is the router number (Rn has 192.168.100.n).

Slide 1. Lab topology diagram (image: vty_access1)

On R1 I created vty access with the following commands:

R1(config)#line vty 0 4
R1(config-line)#password cisco

Then I created a standard access list that permits traffic from 192.168.100.2; all other traffic is denied by the implicit deny rule at the end of every access list:

R1(config)#access-list 1 permit 192.168.100.2

The next step is to apply the access list to the vty lines:

R1(config)#line vty 0 4
R1(config-line)#access-class 1 in

Now verification. I'll try to establish a telnet session from R2 (192.168.100.2), which is permitted by the access list. You will see the password prompt, which means that the session can be established.

R2#telnet 192.168.100.1
Trying 192.168.100.1 ... Open

User Access Verification

Password:

Now I'll try from R3 (192.168.100.3), which is implicitly denied by the access list. You will notice a message that the connection is refused.

R3#telnet 192.168.100.1
Trying 192.168.100.1 ...
% Connection refused by remote host

Done. Traffic is filtered.
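To make the evaluation behind this result explicit, here is an added Python model (not IOS code and not part of the original tutorial) of how a standard access list applied with access-class filters inbound vty connections: entries are checked in order against the source address only, the first match decides, and anything unmatched hits the implicit deny. The R1_CONFIG string is constructed from the commands shown above; the model goes slightly beyond the tutorial's single host entry by also handling the host and any keywords and wildcard masks, and the "Password:" / "Connection refused" strings it returns simply mirror the outputs seen from R2 and R3.

```python
"""Model of a Cisco IOS standard ACL filtering inbound vty sessions.

Added example, not IOS code: it reproduces the first-match, implicit-deny
evaluation that 'access-class N in' applies to the source address of each
connection attempt. Addresses below are the tutorial's constructed lab values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    address: int   # address from the ACL line as a 32-bit integer
    wildcard: int  # IOS wildcard mask: 0 bits must match, 1 bits are ignored

    def matches(self, src: str) -> bool:
        s = int(ipaddress.IPv4Address(src))
        care = ~self.wildcard & 0xFFFFFFFF   # bits the ACL actually compares
        return (s & care) == (self.address & care)


def parse_acl_line(line: str) -> Tuple[int, AclEntry]:
    """Parse 'access-list N {permit|deny} <source>' into (N, AclEntry).

    Standard-ACL source forms accepted:
      any            -> 0.0.0.0 with wildcard 255.255.255.255
      host A         -> A with wildcard 0.0.0.0
      A [wildcard]   -> A with the given wildcard, or 0.0.0.0 if omitted
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL line: {line!r}")
    number, action, source = int(parts[1]), parts[2], parts[3:]
    if source == ["any"]:
        addr, wc = "0.0.0.0", "255.255.255.255"
    elif source[0] == "host" and len(source) == 2:
        addr, wc = source[1], "0.0.0.0"
    elif len(source) in (1, 2):
        addr = source[0]
        wc = source[1] if len(source) == 2 else "0.0.0.0"
    else:
        raise ValueError(f"unrecognised source in ACL line: {line!r}")
    return number, AclEntry(action, int(ipaddress.IPv4Address(addr)),
                            int(ipaddress.IPv4Address(wc)))


@dataclass
class StandardAcl:
    number: int
    entries: List[AclEntry] = field(default_factory=list)

    @classmethod
    def from_config(cls, number: int, config: str) -> "StandardAcl":
        """Collect the access-list lines for one ACL number, in configured order."""
        acl = cls(number)
        for raw in config.splitlines():
            line = raw.strip()
            if line.startswith("access-list"):
                n, entry = parse_acl_line(line)
                if n == number:
                    acl.entries.append(entry)
        return acl

    def evaluate(self, src: str) -> str:
        """First matching entry wins; an unmatched source falls to the implicit deny."""
        for entry in self.entries:
            if entry.matches(src):
                return entry.action
        return "deny"


def vty_connect(acl: StandardAcl, src: str) -> str:
    """Return what a telnet client sees from a line protected by 'access-class <acl> in'."""
    if acl.evaluate(src) == "permit":
        return "Password:"
    return "% Connection refused by remote host"


# Constructed configuration mirroring the R1 commands from the tutorial.
R1_CONFIG = """
access-list 1 permit 192.168.100.2
line vty 0 4
 password cisco
 access-class 1 in
"""

ACL_1 = StandardAcl.from_config(1, R1_CONFIG)

if __name__ == "__main__":
    for router, src in (("R2", "192.168.100.2"), ("R3", "192.168.100.3")):
        print(f"{router} ({src}): {vty_connect(ACL_1, src)}")
```

Two points the model makes visible: a standard ACL looks only at the source address, so access-class narrows who can reach the password prompt but does not replace the line password or login; and the filter is applied per line, so on platforms that have more vty lines than 0 through 4, the remaining lines stay unfiltered unless the access-class is applied to them as well.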

I hope that this tutorial is informative to you and thank you for visiting this website.

Dejan Dzodan


IT professional for more than 15 years, mostly in financial institutions but with experience in ISP and retail. Proven in networking and overall infrastructure projects. Cisco instructor.
