Diff: CiscoBestPractices

Differences between current version and previous revision of CiscoBestPractices.

Newer page: version 3 Last edited on Tuesday, September 14, 2004 2:22:15 pm by LindsayDruett
Older page: version 2 Last edited on Tuesday, September 14, 2004 10:38:35 am by LindsayDruett
@@ -62,7 +62,31 @@
  
 Always a good idea to allow local login when allowing tacacs or radius login. If you don't allow local login and the radius or tacacs server either fails or can't be seen by the Cisco device, you will be locked out. 
  
 ---- 
+!!VTY Access Control (and enabling SSH)  
+  
+Depending on the device, it will either allow 5 VTY sessions or 15 VTY sessions. Normally routers will allow 5 VTY sessions whereas the Catalyst switches will allow 15 VTY sessions. The best way to find out is to do the following...  
+  
+ router(config)#line vty 0 ?  
+ <1-4> Last Line number  
+ <cr>  
+  
+ router(config)#line vty 0  
+  
+In this example there are 5 VTY sessions (0-4). With the following examples, we will work with 5 VTY sessions.%%%  
+%%%  
+To control access to the VTY sessions is done using access-lists, both named and numbered access-lists can be used. The numbered access-lists can be standard (1-99), extended (100-199), and expanded (1300-2699). The named access-lists is not supported on all IOS images.  
+  
+On more recent versions of IOS, __remark__ has also been included with __permit__ and __deny__. If the IOS version supports __remark__, it's worthwhile using it, if not so be it.  
+  
+ access-list 101 remark ACLs for VTY Access  
+ access-list 101 permit ip <<first authorised network address>> <<wildcard-mask>> any  
+ access-list 101 permit ip <<second authorised network address>> <<wildcard-mask>> any  
+ access-list 101 permit ip host <<authorised host>> any  
+ access-list 101 deny ip any any  
+ !  
+ line vty 0 4  
+ access-class 101 in  
  
 ---- 
 CategoryBestPractices
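
Review bot: The new heading promises "(and enabling SSH)", but nothing in the added section configures SSH; the closing "line vty 0 4" block only sets "access-class 101 in". Either drop the parenthetical or add the SSH step at that point (for example "transport input ssh" under the vty lines), otherwise the section never restricts the lines to SSH. The example also applies the access-class to lines 0-4 only, while the text says Catalyst switches have more VTY lines; state explicitly that the access-class must cover every line reported by the "line vty 0 ?" check, since any line left out of the range is not filtered by ACL 101. Two smaller points: "expanded (1300-2699)" merges two ranges (1300-1999 is the expanded standard range, 2000-2699 the expanded extended range), and the sentence "To control access to the VTY sessions is done using access-lists" needs rewording. Consider adding "log" to the final "deny ip any any" so rejected connection attempts are recorded.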