Answers: Protecting CLI Access 1

By certskills May 16, 2016 09:10


How do you protect the CLI by preventing Telnet and SSH access, without matching every last interface IP address on a router? Today’s lab gives you a chance to explore and practice that configuration. Check the lab requirements in the first post, as usual, and then come back here.



Figure 1: Management Access

Example 1: R1 Config


Example 2: R2 Config


Example 3: R3 Config


Example 4: R4 Config



There are two primary methods of preventing management access (SSH and/or Telnet) to a device. One uses an extended ACL to block packets entering the router, specifically TCP packets to port 22 (SSH) or port 23 (Telnet). The other method also uses an ACL to match those packets, but applies it directly to the management virtual terminal lines (vty) with the access-class command. In that case the ACL need not match port numbers, because the vty lines by their nature accept only Telnet and/or SSH sessions rather than forwarding arbitrary IP packets. As a result, applying the ACL to the vty lines with the access-class command works well when the goal is to protect access to the device itself, rather than to filter packets destined for other devices.

For this lab you were tasked with blocking management access to all of the routers from all other devices except for hosts in the Manager’s subnet (shown in the topology as ‘M’). The Manager device sits in subnet, a subnet that can be matched easily with a standard ACL. The requirements said to use the first available ACL number, which for a standard ACL is 1; given these requirements, the command to configure this would be access-list 1 permit

The requirements also specified not to use the ip access-group command, which forces you to use the access-class method. To apply ACL 1, use the access-class 1 in command in vty line configuration mode. Each of these commands needs to be configured on all of the routers.
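The two methods described above, side by side, as an added configuration example that is not taken from the lab's own config screenshots. The Manager subnet (192.0.2.0/24) and the router interface addresses (10.1.1.1, 10.1.2.1) are constructed sample values, since the page does not show the lab's real addresses.

```cisco
! --- Method used in the lab answer: standard ACL applied to the vty lines ---
! Constructed sample: Manager subnet 192.0.2.0/24 (not the lab's actual subnet)
access-list 1 remark Management access only from the Manager subnet
access-list 1 permit 192.0.2.0 0.0.0.255
! Every ACL ends with an implicit "deny any", so all other sources are refused.
!
! The same two commands go on R1, R2, R3 and R4; the ACL needs no router-
! specific interface addresses because the vty lines only ever accept
! Telnet/SSH sessions addressed to the router itself.
line vty 0 15
 access-class 1 in
!
! --- Alternative (not allowed by this lab): extended ACL with ip access-group ---
! Must name every interface IP of the router as a destination and must be
! applied inbound on every interface where management traffic could arrive.
! 10.1.1.1 and 10.1.2.1 are constructed sample interface addresses.
ip access-list extended MGMT-INBOUND
 permit tcp 192.0.2.0 0.0.0.255 host 10.1.1.1 range 22 23
 permit tcp 192.0.2.0 0.0.0.255 host 10.1.2.1 range 22 23
 deny   tcp any host 10.1.1.1 range 22 23
 deny   tcp any host 10.1.2.1 range 22 23
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group MGMT-INBOUND in
!
! Verification on each router after applying the access-class method:
!   show running-config | section line vty   (confirms "access-class 1 in")
!   show access-lists 1                      (match counters grow per session)
```

After the change, a Telnet or SSH attempt from any host outside the Manager subnet is refused before a login prompt appears, while the routers still forward transit traffic normally.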


  1. CAMO December 5, 01:52

    I can see from the router config screenshots that standard access-list 1 permits the network to telnet/ssh into vty lines on the routers.

    My question is, why is the address used in the commentary? Shouldn’t that address match the router config screenshot?


  2. almeidajoaodealmeida November 12, 08:36

    My concern is about, the number of vty lines 0 15, shouldn’t it be 0 4 ?

    • certskills Author November 17, 13:37

      Yeah, if the lab uses 0 4, then the answers ought to as well.
      I changed the lab to use 0 15, by the way.
      Thanks for the note!
