ACL OVER VTY
• When a telnet or SSH connection is made, OcNOS associates the connection with a virtual terminal (VTY) line. The ACL over VTY feature lets an access list filter the management traffic reaching those VTY lines, so that only the permitted protocols and destination addresses can open a management session.
Note: Refer to the command reference section for limitations, default behavior, and unsupported features.
Topology
Figure 21-33: ACL VTY Topology
VTY ACL Configuration
 
#configure terminal
Enter configure mode.
(config)#interface lo
Enter interface mode.
(config-if)#ip address 3.3.3.3/32 secondary
Assign the IPv4 secondary address.
(config-if)#ip address 4.4.4.4/32 secondary
Assign the IPv4 secondary address.
(config-if)#ip address 5.5.5.5/32 secondary
Assign the IPv4 secondary address.
(config-if)#ip address 6.6.6.6/32 secondary
Assign the IPv4 secondary address.
(config-if)#ip address 7.7.7.7/32 secondary
Assign the IPv4 secondary address.
(config-if)#exit
Exit interface mode.
(config)#ip access-list vty
Create the IP access list named vty and enter IP access-list mode.
(config-ip-acl)#10 permit tcp any host 3.3.3.3 eq telnet
Permit telnet session from any source with specific destination.
(config-ip-acl)#20 deny tcp any host 4.4.4.4 eq telnet
Deny telnet session from any source with specific destination.
(config-ip-acl)#30 permit tcp any host 5.5.5.5 eq ssh
Permit ssh session from any source with specific destination.
(config-ip-acl)#40 deny tcp any host 6.6.6.6 eq ssh
Deny ssh session from any source with specific destination.
(config-ip-acl)#50 deny udp any host 6.6.6.6 eq snmp
Deny SNMP (UDP) from any source to the specific destination.
(config-ip-acl)#60 deny udp any host 7.7.7.7 eq ntp
Deny NTP (UDP) from any source to the specific destination.
(config-ip-acl)#exit
Exit IP access-list mode.
(config)#line vty
Enter line vty mode (applies to all VTY lines).
(config-all-line)#ip access-group vty in
Apply the access list named vty to all VTY lines in the ingress direction.
(config-all-line)#exit
Exit line mode.
(config)#exit
Exit configure mode.
Validation
OcNOS#sh access-lists
IP access list vty
10 permit tcp any host 3.3.3.3 eq telnet [match=53]
20 deny tcp any host 4.4.4.4 eq telnet
30 permit tcp any host 5.5.5.5 eq ssh
40 deny tcp any host 6.6.6.6 eq ssh [match=4]
50 deny udp any host 6.6.6.6 eq snmp
60 deny udp any host 7.7.7.7 eq ntp
OcNOS#sh ip access-lists summary
IPV4 ACL vty
statistics enabled
Total ACEs Configured: 6
Configured on interfaces:
Active on interfaces:
Configured on line vty:
all vty lines - ingress
OcNOS#sh running-config ac
access-list aclmgr
OcNOS#sh running-config aclmgr
ip access-list vty
10 permit tcp any host 3.3.3.3 eq telnet
20 deny tcp any host 4.4.4.4 eq telnet
30 permit tcp any host 5.5.5.5 eq ssh
40 deny tcp any host 6.6.6.6 eq ssh
50 deny udp any host 6.6.6.6 eq snmp
60 deny udp any host 7.7.7.7 eq ntp
!
line vty
ip access-group vty in
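The following is an added example, not OcNOS code: a small offline checker that parses access-control entries in the format printed by `show access-lists` above and evaluates candidate management sessions against them in sequence-number order, first match wins. The ACL text embedded in it is the one from this page; the sample sessions and the `default` action for traffic that matches no entry are constructed assumptions (the real behavior of non-matching traffic is documented in the command reference, not on this page). The checker also surfaces the `[match=N]` counters, which are what an operator would watch to confirm that denied telnet or SSH attempts are actually hitting the intended entries.

```python
"""Offline evaluator for OcNOS-style VTY access lists (added example, not OcNOS code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used in the page's ACEs, mapped to their well-known ports.
SERVICE_PORTS = {"telnet": 23, "ssh": 22, "snmp": 161, "ntp": 123}

# One ACE as printed by `show access-lists`, e.g.
# "10 permit tcp any host 3.3.3.3 eq telnet [match=53]"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+\[match=(?P<matches>\d+)\])?\s*$"
)

# ACL text copied from this page's `show access-lists` output.
PAGE_ACL = """IP access list vty
10 permit tcp any host 3.3.3.3 eq telnet [match=53]
20 deny tcp any host 4.4.4.4 eq telnet
30 permit tcp any host 5.5.5.5 eq ssh
40 deny tcp any host 6.6.6.6 eq ssh [match=4]
50 deny udp any host 6.6.6.6 eq snmp
60 deny udp any host 7.7.7.7 eq ntp
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: Optional[str]    # None means "any"
    dst: Optional[str]    # None means "any"
    port: Optional[int]   # None means any destination port
    matches: int          # value of the [match=N] counter, 0 if absent


def _host(field: str) -> Optional[str]:
    """Turn 'any' into None and 'host 1.2.3.4' into '1.2.3.4'."""
    return None if field == "any" else field.split()[1]


def parse_acl(text: str) -> List[Ace]:
    """Parse ACE lines; header lines that are not ACEs are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        port_field = m.group("port")
        port = None
        if port_field is not None:
            port = int(port_field) if port_field.isdigit() else SERVICE_PORTS.get(port_field)
            if port is None:
                raise ValueError(f"unknown service name in ACE: {port_field}")
        aces.append(Ace(
            seq=int(m.group("seq")),
            action=m.group("action"),
            proto=m.group("proto"),
            src=_host(m.group("src")),
            dst=_host(m.group("dst")),
            port=port,
            matches=int(m.group("matches") or 0),
        ))
    # Entries are evaluated in ascending sequence-number order.
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dst_port: int, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the first matching ACE).

    `default` is an assumption for traffic that matches no entry; the
    sequence number is None in that case.
    """
    for ace in aces:
        if ace.proto != proto:
            continue
        if ace.src is not None and ace.src != src_ip:
            continue
        if ace.dst is not None and ace.dst != dst_ip:
            continue
        if ace.port is not None and ace.port != dst_port:
            continue
        return ace.action, ace.seq
    return default, None


def hit_entries(aces: List[Ace]) -> List[Tuple[int, int]]:
    """(seq, match count) for every ACE whose counter is non-zero."""
    return [(a.seq, a.matches) for a in aces if a.matches > 0]


if __name__ == "__main__":
    acl = parse_acl(PAGE_ACL)
    # Constructed sample sessions: (proto, src, dst, dst_port).
    for session in [("tcp", "10.0.0.1", "3.3.3.3", 23), ("tcp", "10.0.0.1", "6.6.6.6", 22),
                    ("udp", "10.0.0.1", "7.7.7.7", 123), ("tcp", "10.0.0.1", "7.7.7.7", 22)]:
        print(session, "->", evaluate(acl, *session))
    print("entries with hits:", hit_entries(acl))
```

Running the script prints which entry each sample session lands on; a session to an address the list never mentions (such as SSH to 7.7.7.7) falls through to the `default`, which is exactly the case an operator should confirm against the command reference rather than assume.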
Last modified date: 08/28/2023