Restricting Telnet (VTY) access using a standard ACL: Which sequence correctly permits only host 172.16.1.1 to use Telnet/SSH to the router by applying a standard ACL to the VTY lines (inbound)?
-
ALab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line con 0 Lab_A(config-line)#ip access-group 10 in
-
BLab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 10 out
-
CLab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 10 in
-
DLab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line vty 0 4 Lab_A(config-line)#ip access-group 10 in
Answer
Correct Answer: Lab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 10 in
Explanation
Introduction / Context:Remote administrative access to a router via Telnet or SSH terminates on VTY lines, not on physical interfaces. To restrict who can connect, apply a standard ACL to the VTYs using the access-class command in the inbound direction. This is distinct from ip access-group, which applies ACLs to routed traffic on interfaces.
Given Data / Assumptions:
- Only 172.16.1.1 should be allowed remote login.
- We are configuring VTY lines 0 through 4.
- Direction is inbound (connections coming into the VTY).
Concept / Approach:
Create a standard ACL that permits the allowed host (and optionally denies all others). Then, under line vty 0 4, apply it with access-class 10 in. This filters management-plane access attempting to reach the VTYs. It does not filter transit data traffic.
Step-by-Step Solution:
Define ACL: access-list 10 permit 172.16.1.1Enter lines: line vty 0 4Bind ACL: access-class 10 inAdd authentication and transport: login local, transport input sshVerification / Alternative check:
Attempt a Telnet/SSH from 172.16.1.1 (should succeed) and from another host (should fail). Use show running-config | section line vty to confirm the binding.
Why Other Options Are Wrong:
A configures the console line, not VTY.
B applies the ACL in the outbound direction on VTY, which is not how we restrict incoming sessions.
D uses ip access-group on VTYs, which is invalid; that command is for interfaces.
Common Pitfalls:
Confusing access-class (VTY) with access-group (interfaces); forgetting the implicit deny; not adding a default deny after specific permits if the intent is “only these sources.”
Final Answer:
Lab_A(config)#access-list 10 permit 172.16.1.1 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 10 in