Chapter 11: Controlling Traffic and Switch Access 183
Section 11-6
Switch (config-line)# login authentication consoleport
Switch (config-line)# aaa authentication login consoleport tacacs+ enable
Switch (config-line)# exit
Switch (config)# tacacs-server host 192.168.1.8
Switch (config)# tacacs-server key abc123
11-6: Access Class
â– To restrict incoming and outgoing connections between a particular virtual terminal
line.
â– By applying an access list to an inbound vty, you can control who can access the
lines to a router.
â– By applying an access list to an outbound vty, you can control the destinations that
the lines from a router can reach.
Configuration
To control inbound access to vty, perform this task when you want to control access to a
vty coming into the router by using an access list.
1. Add addresses to the access list:
(global) access-list access-list-number deny {source [source-wildcard] | any}
[log]
To control which devices are allowed to access the switch, you must first configure
the access list. The address parameter specifies the IP address of the device that is
allowed to access the network. The mask parameter is an option. The mask is in dot-
ted-decimal format, where a 1 means match the address and a 0 means ignore the
address. For example, the address 172.16.101.1 with a mask of 0.0.0.255 would match
all the addresses that start with 172.16.101. The address of 172.16.101.1 with a mask
of 0.0.0.0 would match only the host 172.16.101.1. If you do not specify a mask, a
mask of all 0s or the host mask is used.
2. Assign access class to the Telnet Virtual Terminal Line:
line vty line-number [ending-line-number]
access-class access-list-number in
After you configure a list of devices that are permitted, use this command to enable
the permit list.
To Next Page
Loading...
Need help?
General