Secure VTY Ports with a Standard IPv4 ACL
Secure VTY Ports with a Standard IPv4 ACL

Secure VTY Ports with a Standard IPv4 ACL

Secure VTY Ports with a Standard IPv4 ACL
5

Summary

This topic configure a standard ACL to secure VTY access. Start learning CCNA 200-301 for free right now!!

Note: Welcome: This topic is part of Module 5 of the Cisco CCNA 3 course, for a better follow up of the course you can go to the CCNA 3 section to guide you through an order.

The access-class Command

ACLs typically filter incoming or outgoing traffic on an interface. However, an ACL can also be used to secure remote administrative access to a device using the vty lines.

Use the following two steps to secure remote administrative access to the vty lines:

  • Create an ACL to identify which administrative hosts should be allowed remote access.
  • Apply the ACL to incoming traffic on the vty lines.

Use the following command to apply an ACL to the vty lines:

R1(config-line)# access-class {access-list-number | access-list-name} { in | out }

The in keyword is the most commonly used option to filter incoming vty traffic. The out parameter filters outgoing vty traffic and is rarely applied.

The following should be considered when configuring access lists on vty lines:

  • Both named and numbered access lists can be applied to vty lines.
  • Identical restrictions should be set on all the vty lines, because a user can attempt to connect to any of them.

Secure VTY Access Example

The topology in the figure is used to demonstrate how to configure an ACL to filter vty traffic. In this example, only PC1 will be allowed to Telnet in to R1.

Note: Telnet is used here for demonstration purposes only. SSH should be used in a production environment.

Secure VTY Access Example
Secure VTY Access Example

To increase secure access, a username and password will be created, and the login local authentication method will be used on the vty lines. The command in the example creates a local database entry for a user ADMIN and password class.

A named standard ACL called ADMIN-HOST is created and identifies PC1. Notice that the deny any has been configured to track the number of times access has been denied.

The vty lines are configured to use the local database for authentication, permit Telnet traffic, and use the ADMIN-HOST ACL to restrict traffic.

R1(config)# username ADMIN secret class
R1(config)# ip access-list standard ADMIN-HOST
R1(config-std-nacl)# remark This ACL secures incoming vty lines
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input telnet
R1(config-line)# access-class ADMIN-HOST in
R1(config-line)# end
R1#

In a production environment, you would set the vty lines to only allow SSH, as shown in the example.

R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class ADMIN-HOST in
R1(config-line)# end
R1#

Verify the VTY Port is Secured

After the ACL to restrict access to the vty lines is configured, it is important to verify that it is working as expected.

As shown in the figure, when PC1 Telnets to R1, the host will be prompted for a username and password before successfully accessing the command prompt.

PC1 Telnets to R1
PC1 Telnets to R1

This verifies that PC1 can access R1 for administrative purposes.

Next, we test the connection from PC2. As shown in this figure, when PC2 attempts to Telnet, the connection is refused.

Telnet connection is refused
Telnet connection is refused

To verify the ACL statistics, issue the show access-lists command. Notice the informational message displayed on the console regarding the admin user. An informational console message is also generated when a user exits the vty line.

The match in the permit line of the output is a result of a successful Telnet connection by PC1. The match in the deny statement is due to the failed attempt to create a Telnet connection by PC2, a device on the 192.168.11.0/24 network.

R1#
Oct  9 15:11:19.544: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.10.10] [localport: 23] at 15:11:19 UTC Wed Oct 9 2019
R1# show access-lists
Standard IP access list ADMIN-HOST
    10 permit 192.168.10.10  (2 matches) 
    20 deny   any  (2 matches) 
R1#

Syntax Checker – Secure the VTY Ports

Secure the vty lines for remote administrative access.

Secure VTY Access Example
Secure VTY Access Example

Create a local database entry for the name ADMIN and secret class.

R1(config)#username ADMIN secret class

Create a named standard ACL called ADMIN-HOST.

R1(config)#ip access-list standard ADMIN-HOST

Create a permit ACE for the host with IP address 192.168.10.10.

R1(config-std-nacl)#permit host 192.168.10.10

Next, add the implicit deny any and return to global configuration mode.

R1(config-std-nacl)#deny any
R1(config-std-nacl)#exit

Enter vty configuration mode to configure the five vty lines (i.e., 0 – 4).

R1(config)#line vty 0 4

Use the login local method for authentication and permit Telnet traffic.

R1(config-line)#login local
R1(config-line)#transport input telnet

Restrict inbound access to PC1 only using the access-class command and the named ACL ADMIN-HOST and return to privileged EXEC mode.

R1(config-line)#access-class ADMIN-HOST in
R1(config-line)#end

PC1 attempted to Telnet to R1 and was successful. PC2 attempted and was unsuccessful. Verify the ACL statistics to see if the ACLs are working as expected.

R1#show access-lists
Standard IP access list ADMIN-HOST
    10 permit 192.168.10.10 (2 matches)
    20 deny   any (2 matches)

You have successfully modified an IPv4 numbered ACL on R1.

Glossary: If you have doubts about any special term, you can consult this computer network dictionary.

Ready to go! Keep visiting our networking course blog, give Like to our fanpage; and you will find more tools and concepts that will make you a networking professional.

More Goodies
Device Security CCNA
Device Security