Controlling VTY (Telnet) Access
You’ll apparently accept a difficult time aggravating to stop users from telnetting to a ample router
because any alive interface on a router is fair bold for VTY access. You could try to create
an continued IP admission account that banned Telnet admission to every IP abode on the router. But if you
did that, you’d accept to administer it entering on every interface, and that absolutely wouldn’t calibration well
to a ample router with dozens, alike hundreds, of interfaces, would it? Here’s a abundant better
solution: use a accepted IP admission account to ascendancy admission to the VTY curve themselves.
Why does this work? Well, back you administer an admission account to the VTY lines, you don’t need
to specify the Telnet protocol, back admission to the VTY implies terminal access. You additionally don’t
need to specify a destination address, back it absolutely doesn’t amount which interface abode the
user acclimated as a ambition for the Telnet session. You absolutely charge alone to ascendancy area the user is
coming from—their antecedent IP address.
To accomplish this function, chase these steps:
1. Create a accepted IP admission account that permits alone the host or hosts you appetite to be able to
telnet into the routers.
2. Administer the admission account to the VTY band with the access-class command. Here in Table 7.3
is the command you can configure on the VTY lines:
Here is an archetype of acceptance alone host 172.16.10.3 to telnet into a router:
Lab_A(config)#access-list 50 admittance 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
Because of the adumbrated abjure any at the end of the list, the admission account stops any host from
telnetting into the router except the host 172.16.10.3, behindhand of which alone IP address
on the router is acclimated as a target.
Assigning and Admission Account to a VTY Line
Command Meaning
access-class Places an admission account on the VTY curve of a device