What is VTY Telnet Access? How to Control VTY Telnet Access Explained with Examples

By | 9th November 2015

Active interfaces on a network router can be accesses by users on the network if not properly secured.  Users or Hackers might try  telnetting  the network router through the VTY access.

To stop this from happening, the best practice is for you to use a standard IP access list to limit telnet access to every network or IP address on the router.  Applying standard IP access list to the VTY lines eliminates the option of using telnet protocols and destination address since it does not matter which interface address a user or hacker is using as a target for the telnetting session.

Using standard IP access list to restrict VTY access enables you to define which IP addresses are allowed telnet access to the router EXEC process. You can control which workstation or network access your router with an ACL and an access-class statement to your VTY lines

You can also use extended access lists; don’t get me wrong, but that means you have to apply it inbound on every interface, imagine doing this on a large network with dozens if not hundreds of interfaces!

We use the network topology below as example:

control vty access

Below, we are going to create a standard IP access list that permits only a host (or hosts) to be able to telnet to the router R1, the command and configuration look like this:

R1#config t

R1(config)#access-list 10 permit

R1(config)#lines vty 0 4

R1(config-line)#access-lass 10 in

The above configuration simply means that only the IP address or host  is allowed to Telnet or access to the R1 router.

Access List Configuration Example

Extended ACLs Explained 


Access List Configuration Example

Applying Extended ACLs on Interfaces

Complex ACLs

How to Configure Switchport ACLs

Numbering and Naming ACLs

Reflective ACLs

Time Base ACLs

Troubleshooting ACLs Errors

Leave a Reply

Your email address will not be published. Required fields are marked *