Protecting CLI Access 1

By certskills May 13, 2016 09:05


Routers support a method to filter incoming Telnet and SSH connections to the router itself. That method uses ACLs, but instead of filtering packets arriving on each and every interface, it relies on a configuration tied to the vty lines that accept Telnet and SSH connections. Today’s lab lets you practice configuring and enabling this feature.



Protect access to the CLI of all four routers in the topology, but without using the ip access-group command to enable an ACL on an interface. That is, protect access to the vty lines. The specific rules for this lab are:

  • Protect SSH and Telnet access into all routers with these criteria:
    • Use the same matching logic for all routers
    • Allow hosts from the management subnet (with the PC labelled “M”), and from that subnet only
    • Use standard numbered ACL 1
  • Assumptions:
    • All device interfaces shown in the lab are up and working
    • IP routing is configured and working correctly
    • With the initial configuration, users at all PCs in the figure could successfully Telnet or SSH to each router, using username/password device/access

Figure 1: Management Access

Initial Configuration

Examples 1, 2, 3 and 4 show the beginning configuration state of R1, R2, R3 and R4.

Example 1: R1 Config


Example 2: R2 Config


Example 3: R3 Config


Example 4: R4 Config


Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution if you happen to try it with CML/VIRL or real gear, you can attempt to access (via Telnet) any of the routers from any device other than the Manager; they should all be refused. If you want to test with SSH on CML/VIRL using the included lab file, you will need to first run the crypto key generate rsa modulus 2048 command to generate the RSA key pair on each router (this command is not saved as part of the configuration file). The SSH command to test from Ubuntu is ssh -l device ip_address.
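The vty filter the lab rules ask for, together with the test plan just described, as an added example that is not part of the certskills lab or its answer post: a small Python check that derives the wildcard mask and the IOS lines for standard ACL 1 (applied with access-class under line vty, which is assumed to be the intended command since the page does not name it), then evaluates which PCs that ACL admits. The management subnet and PC addresses are constructed placeholders; the lab's real addresses appear only in Figure 1.

```python
import ipaddress

def wildcard_mask(cidr: str) -> str:
    """IOS standard ACLs take a wildcard mask, the inverse of the subnet mask:
    a 0 bit must match, a 1 bit is ignored (10.1.9.0/24 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Network(cidr, strict=False).hostmask)

def vty_acl_config(mgmt_cidr: str, acl_number: int = 1) -> list:
    """Config lines that admit only the management subnet to the vty lines.
    The ACL is bound with access-class under 'line vty', not ip access-group."""
    net = ipaddress.IPv4Network(mgmt_cidr, strict=False)
    return [
        f"access-list {acl_number} permit {net.network_address} {wildcard_mask(mgmt_cidr)}",
        "line vty 0 4",
        f" access-class {acl_number} in",
    ]

def acl_permits(config_lines: list, source_ip: str) -> bool:
    """Evaluate a standard numbered ACL top down against one source address.
    Sources that match no line fall through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # 'line vty' and 'access-class' lines are not ACL entries
        action, addr = parts[2], parts[3]
        if addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wild = parts[4], "0.0.0.0"
        else:
            wild = parts[4] if len(parts) > 4 else "0.0.0.0"
        match = int(ipaddress.IPv4Address(addr))
        ignore = int(ipaddress.IPv4Address(wild))
        # Only the bits that are 0 in the wildcard are compared
        if ((src ^ match) & ~ignore & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

# Constructed addresses for the check; the lab's real ones are only in Figure 1.
MGMT_SUBNET = "10.1.9.0/24"
HOSTS = {"M (manager)": "10.1.9.2", "PC A": "10.1.1.2", "PC B": "10.1.2.2"}

def lab_check(mgmt_cidr: str = MGMT_SUBNET, hosts: dict = HOSTS) -> dict:
    """Map each PC to whether the vty ACL lets it reach the routers' CLI."""
    config = vty_acl_config(mgmt_cidr)
    return {name: acl_permits(config, ip) for name, ip in hosts.items()}
```

Only the manager's subnet comes back permitted; every other PC hits the implicit deny, which is exactly the refusal the Telnet test above should show.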


Do this Lab with Cisco’s CML (Formerly VIRL)

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for Cisco Modeling Lab – Personal (CML-P). CML-P replaces Cisco Virtual Internet Routing Lab (VIRL) software, in effect serving as VIRL Version 2.

Below, find two files: a file useful with CML-P and another useful with VIRL. (Note that the CML-P file has a .yaml filetype, while the older VIRL file has a VIRL filetype.) Once the file is loaded, CML-P or VIRL will create a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well.

This lab’s CML file!

This lab’s VIRL file!

The VIRL topology matches this lab topology exactly. The host info does as well.

Host device info:

This table lists host information pre-configured in CML/VIRL, information that might not be required by the lab but may be useful to you.

Table: host device info (IP Address column; the table rows are not present on this page)

Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4

Trace example: tracepath

To connect to another node within the topology: telnet

Answers: Protecting CLI Access 1

  1. Varun March 3, 11:28

    In the initial configuration, “ip ssh ver 2” command is there but ssh has not been enabled. Would this work?

    • Wendell Odom March 6, 17:14

      Hey Varun,
      Yeah, the initial config is missing a “crypto key generate rsa” command. The SSH version is on by default, but it wouldn’t work without the key. I’ll update the lab. Thanks for letting me know!

    • Wendell Odom March 6, 17:17

      Oh yeah… I had already addressed this in the lab. The crypto key command doesn’t display in the output of “show run”. See the section on this page about testing in lab. It tells you there to also issue the “crypto key” command. So… nothing else to change in the lab! Hope this helps.