HomeCCNAHow to Configure Standard ACL to Secure a VTY Port

How to Configure Standard ACL to Secure a VTY Port

September 11, 2019
Asad Ijaz
2 min read
CCNA

All Cisco routers and switches cannot be accessed remotely via a terminal program like PuTTy and Tera Term by default. There are two methods of remote connectivity, either vty connection or SSH connection. The SSH provides encrypted connectivity, and Cisco recommends it for remote administration.

But, if your router’s Cisco IOS does not support SSH, we can use the vty connection. We can improve the security of administrative lines by restricting VTY port access.

VTY port access restriction allows you to define which IP addresses are allowed Telnet access to the router EXEC process. We can also control administrative workstations using an ACL and an access-class statement configured on VTY lines.

The access-class command configured in line configuration mode restricts connections between a particular VTY/SSH and the addresses in an access list. Both standard and extended access lists apply to packets that travel through a router. An outbound Telnet extended ACL does not prevent router-initiated Telnet sessions by default.

Filtering Telnet traffic is usually considered an extended IP ACL function because it filters a higher-level protocol. However, a standard ACL can be used because the access-class command filters incoming or outgoing Telnet/SSH sessions by source address. The access-class command syntax is the following:

Router(config-line)# access-class <access-list-number> { in |out }

The parameter “in” restricts incoming connections, and “out” restricts outgoing connections between the addresses in the access list and the Cisco device. We can allow a range of addresses or specific hosts.

The example below allows a range of addresses to access VTY lines 0-4 to router 3. Network 192.168.1.0 is permitted in the ACL to access VTY lines 0-4, and all other networks are denied access to the VTY port.

How to Configure Standard ACL to Secure a VTY Port
How to Configure Standard ACL to Secure a VTY Port 3

Verifying a Standard ACL used to secure a VTY Port

After configuring and applying ACL to VTY lines, verifying it is working as expected is important. The figure below shows a computer attempting to access R3 using telnet. Access list 2 has been configured on the VTY lines on R3. PC0 cannot access R3, but the attempt of PC1 successfully accessed the R3.

This is the expected result as we configured it. We can also use the show access-lists command after PC0 and PC1’s telnet attempts. The ACL statistics will show the match between the permit and deny lines.

How to Configure Standard ACL to Secure a VTY Port
How to Configure Standard ACL to Secure a VTY Port 4
Avatar of Asad Ijaz

Asad Ijaz

NetworkUstad's lead networking architect with CCIE certification. Specializes in CCNA exam preparation and enterprise network design. Authored 2,800+ technical guides on Cisco systems, BGP routing, and network security protocols since 2018. Picture this: I'm not just someone who writes about tech; I'm a certified expert in the field. I proudly hold the titles of Cisco Certified Network Professional (CCNP) and Cisco Certified Network Associate (CCNA). So, when I talk about networking, I'm not just whistling in the dark; I know my stuff! My website is like a treasure trove of knowledge. You'll find a plethora of articles and tutorials covering a wide range of topics related to networking and cybersecurity. It's not just a website; it's a learning hub for anyone who's eager to dive into the world of bits, bytes, and secure connections. And here's a fun fact: I'm not a lone wolf in this journey. I'm a proud member and Editor of Team NetworkUstad. Together, we're on a mission to empower people with the knowledge they need to navigate the digital landscape safely and effectively. So, if you're ready to embark on a tech-savvy adventure, stick around with me, Asad Ijaz Khattak. We're going to unravel the mysteries of technology, one article at a time!"

Related Articles

Design 148

Address Resolution Protocol (ARP) – Self-Assesment Quiz Test

February 25, 2025
DHCPREQUEST

Introduction to DHCPv4 – Exclusive Explanation

September 26, 2019

Explain Types of Spanning-Tree Protocols

October 24, 2019
Guidelines

How to Create an ACLs – General Guidelines

September 2, 2019

Static Mapping command Examination

December 25, 2020
Screenshot of a command prompt showing a tracert command tracing the route to 192.168.1.1 over 30 hops, with responses from Router Peshawar (10.1.1.1), Router Kanak (10.2.2.2), and subsequent request timeouts.

Traceroute and Tracert – 2 Important command

August 12, 2019
Close-up of Ethernet cables with text overlay about tagging Ethernet frames for VLAN identification.

VLAN Identification – Your Ultimate Guide to Master VLAN Tagging (Updated 2025)

August 13, 2019

Password Authentication Protocol (PAP)

May 15, 2020

Frame Control Field Format – Exclusive Explanation

December 14, 2019