In an in-band network, it is important to control access to the management system (CLI). You can control or limit Telnet or SSH connections to switch management by applying access lists to the VTY lines.
To limit access to the switch management, create IPv4 or IPv6 access lists with permit or deny filters. Enter VTY mode using the line vty command in configuration mode and apply the access lists to the VTY line with the {ip | ipv6} access-class access-list-name command.
OS9 configuration
Below is an example of a standard ACL that allows access from the 192.168.1.0 subnet. Provide a description, set an IP address filter, and apply the ACL to the VTY lines.
OS9(conf)# ip access-list standard ALLOW-NET192
OS9(config-std-nacl)# description Allow 192.168.1 IP addresses
OS9(config-std-nacl)# seq 5 permit 192.168.1.0/24
OS9(config-std-nacl)# seq 20 deny any log
OS9(config-std-nacl)# exit
OS9(conf)# line vty 0 9
OS9(config-line-vty)# access-class ALLOW-NET192 ipv4
OS10EE configuration
Below is an example of an ACL that allows access from the 192.168.1.0 subnet. Provide a description, set an IP address filter, and apply the ACL to the VTY lines.
OS10(config)# ip access-list ALLOW-NET192
OS10(config-ipv4-acl)# description "Allow 192.168.1 IP addresses"
OS10(config-ipv4-acl)# permit ip 192.168.1.0 255.255.255.0 any
OS10(config-ipv4-acl)# deny ip any any
OS10(config-ipv4-acl)# exit
OS10(config)# line vty
OS10(config-line-vty)# ip access-class ALLOW-NET192
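The following Python script is an added example, not part of the original guide or of Dell's tooling: it generates the OS9 and OS10 VTY access-class configuration shown above for any list of management subnets (OS9 in prefix/length form, OS10 in dotted-mask form), and evaluates a source address the way the switch does, first match wins with the trailing deny catching everything else. The function names, the description text and the sample subnets are assumptions chosen for the example.

```python
import ipaddress
from typing import Iterable, List


def build_os9_vty_acl(name: str, subnets: Iterable[str], vty_range: str = "0 9") -> List[str]:
    """OS9: standard ACL with seq numbers, applied with 'access-class <name> ipv4'."""
    lines = [f"ip access-list standard {name}",
             " description Management access only"]     # assumed description text
    seq = 5
    for net in subnets:
        n = ipaddress.ip_network(net, strict=True)       # OS9 uses prefix/length
        lines.append(f" seq {seq} permit {n.with_prefixlen}")
        seq += 5
    lines.append(f" seq {seq} deny any log")             # explicit deny, logged
    lines += [f"line vty {vty_range}", f" access-class {name} ipv4"]
    return lines


def build_os10_vty_acl(name: str, subnets: Iterable[str]) -> List[str]:
    """OS10: IPv4 ACL with dotted masks, applied with 'ip access-class <name>'."""
    lines = [f"ip access-list {name}",
             ' description "Management access only"']    # assumed description text
    for net in subnets:
        n = ipaddress.ip_network(net, strict=True)
        lines.append(f" permit ip {n.network_address} {n.netmask} any")
    lines.append(" deny ip any any")                     # explicit deny closes the list
    lines += ["line vty", f" ip access-class {name}"]
    return lines


def acl_decision(subnets: Iterable[str], src_ip: str) -> str:
    """First-match evaluation of a VTY ACL: permit for a listed subnet, else deny."""
    ip = ipaddress.ip_address(src_ip)
    for net in subnets:
        if ip in ipaddress.ip_network(net, strict=True):
            return "permit"
    return "deny"                                        # the trailing deny entry


if __name__ == "__main__":
    mgmt = ["192.168.1.0/24"]                            # constructed sample subnet
    print("\n".join(build_os9_vty_acl("ALLOW-NET192", mgmt)))
    print("\n".join(build_os10_vty_acl("ALLOW-NET192", mgmt)))
    for src in ("192.168.1.25", "10.0.0.7"):            # constructed sample sources
        print(src, "->", acl_decision(mgmt, src))
```

Before applying the access-class, make sure the address you manage the switch from is covered by a permit entry; otherwise the final deny refuses your later logins.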