When the router attempts to authenticate a user, it always selects the first vty line
that has an access class that permits that user’s host. The vty line’s configuration
must authenticate the user to allow access. Otherwise, the user can never gain access.
Consequently, we recommend that you use identical authentication configurations
for all vtys that have the same access class list.
To set up access lists:
■ Associate the access list with inbound Telnet sessions.
host1(config)#line vty 12 15
host1(config-line)#access-class Management in
■ Configure an access list.
host1(config)#access-list Management permit ip 192.168.11.16 0.0.0.15 any
host1(config)#access-list Management permit ip 192.168.4.0 0.0.0.255
host1(config)#access-list Management deny ip any any
access-class in
■ Use to associate the access list with vty lines.
■ Example—This example sets the virtual terminal lines to which you want to
restrict access and specifies an access class to grant access to incoming requests.
host1(config)#line vty 12 15
host1(config-line)#access-class Management in
■ Use the no version to remove access restrictions.
■ See access-class in.
access-list
■ Use to configure an access list.
■ Example
host1(config)#access-list Management permit ip 192.168.11.16 0.0.0.15 any
■ Use the no version to remove the access list.
■ See access-list.
Secure System Administration with SSH
The system supports the SSH protocol version 2 as a secure alternative to Telnet for
system administration.
Secure System Administration with SSH ■ 435
Chapter 7: Passwords and Security
To Next Page
Loading...