Accessing a command line interface (CLI) using telnet or SSH is known as a virtual terminal line (VTY) session. A VTY ACL is used to control what Telnet and SSH users can access on the switch. The following steps provide you with control of the Telnet or SSH connections to the switch by applying ACLs on VTY lines:
- Create IP or IPv6 access lists with permit or deny filters.
- Enter the VTY mode by using the line vty command.
- Apply the access lists to the VTY line with the access-class command.
For example, an ACL may be created and named deny50, and then assigned to the VTY to disallow the IP address 10.1.1.5 any IP traffic into the switch. Since ACLs have an implicit deny statement as the last rule, you must add a permit statement to allow all other IP traffic.
OS10(config)# ip access-list deny50
OS10(config-ipv4-acl)# deny ip 10.1.1.5 255.255.255.255 any
OS10(config-ipv4-acl)# permit ip 10.1.1.0 255.255.255.0 any
OS10(config-ipv4-acl)# exit
To enter the VTY mode, run the line vty command while in configuration mode.
OS10(config)# line vty
OS10(config-line-vty)# ip access-class deny50
To view the VTY ACL configuration, run the show configuration command while in line VTY mode.
OS10(config-line-vty)# show configuration
!
line vty
ip access-class deny50
To verify that the VTY ACL works, SSH or Telnet into the switch from the 10.1.1.5 IP address. The connection fails. Connecting from 10.1.1.6 or another address on the 10.1.1.0/24 subnet restores connectivity. Use the other supported ACLs described in the SmartFabric OS10 User Guide to customize the security on your network.
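The following Python script is an added example, not part of the OS10 guide, that models how the deny50 ACL above is evaluated: rules are matched top down, the first match decides, and a source address that matches nothing falls through to the implicit deny. It reads the page's ACL lines verbatim and treats the mask as a subnet mask, as the example implies (an assumption of this script); the test addresses are constructed.

```python
import ipaddress

# The VTY ACL from the configuration above, as OS10 CLI lines (constructed input).
DENY50 = """
deny ip 10.1.1.5 255.255.255.255 any
permit ip 10.1.1.0 255.255.255.0 any
"""

IMPLICIT_DENY = "deny"  # every ACL ends with an unwritten deny-all rule


def parse_acl(text):
    """Parse '<action> ip <src> [<mask>] any' lines into (action, source network) tuples.

    The mask is read as a subnet mask (255.255.255.255 = one host), matching
    the page's example; 'any' stands for 0.0.0.0/0.
    """
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, src = parts[0], parts[2]
        if src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # ipaddress accepts a dotted netmask after the slash.
            net = ipaddress.ip_network(f"{src}/{parts[3]}", strict=False)
        rules.append((action, net))
    return rules


def evaluate(rules, src_ip):
    """Return (action, matched_rule_index); index is None for the implicit deny."""
    addr = ipaddress.ip_address(src_ip)
    for index, (action, net) in enumerate(rules):
        if addr in net:
            return action, index
    return IMPLICIT_DENY, None


def vty_access_report(acl_text, sources):
    """Map each candidate management-station address to the decision the ACL makes."""
    rules = parse_acl(acl_text)
    return {ip: evaluate(rules, ip) for ip in sources}


if __name__ == "__main__":
    # Constructed test addresses: the blocked host, a neighbour on the permitted
    # subnet, and a host outside it that only the implicit deny catches.
    for ip, (action, idx) in vty_access_report(
        DENY50, ["10.1.1.5", "10.1.1.6", "192.0.2.10"]
    ).items():
        where = f"rule {idx + 1}" if idx is not None else "implicit deny"
        print(f"{ip:<12} {action:<7} ({where})")
```

The report makes the two points a reviewer of this configuration cares about visible: 10.1.1.5 is caught by the explicit deny in rule 1 before the subnet permit can apply, and an address outside 10.1.1.0/24 is also refused even though nothing names it, because of the implicit deny. Swapping the two lines would let 10.1.1.5 through, since the subnet permit would then match first.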