Restricting virtual terminal access

Restricting virtual terminal access 

 11.2.6

This page will explain how ACLs are created for virtual ports.

Standard and extended access lists apply to packets that travel through a router. They are not designed to block packets that originate within the router. An outbound Telnet extended access list does not prevent router initiated Telnet sessions, by default.

Just as there are physical ports or interfaces, such as Fa0/0 and S0/0 on the router, there are also virtual ports. These virtual ports are called vty lines. There are five vty lines, which are numbered 0 through 4, as shown in Figure . For security purposes, users can be denied or permitted virtual terminal access to the router but denied access to destinations from that router.

The purpose of restricted vty access is increased network security. The Telnet protocol can also be used to create a nonphysical vty connection to the router. There is only one type of vty access list. Identical restrictions should be placed on all vty lines since it is not possible to control the line on which a user will connect.

The process to create the vty access list is the same as described for an interface. However, applying the ACL to a terminal line requires the access-class command instead of the access-group command.

The following should be considered when configuring access lists on vty lines:

• A name or number can be used to control access to an interface.
• Only numbered access lists can be applied to virtual lines.
• Identical restrictions should be set on all the virtual terminal lines, because a user can attempt to connect to any of them.

In the second Lab Activity, students will use ACLs to control IP traffic.

This page concludes this lesson. The next page will summarize the main points from this module.