1.6.2 Restrict VTY Access


VTY access can be restricted via access-lists to limit from which the source addresses a management session to the device can be established.

VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL, restricts the sources where a user can manage the device. You should limit the specific host(s) and or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices only by using specific network management workstations. Make sure you configure all VTY lines to use the same ACL.


Define ACLs which match the allowed sources. To restrict access of incoming or outgoing connections over IPv4 and IPv6, the IPv4 access list and IPv6 access list must share the same name:

ipv4 access-list ACL-VTY-IN
10 permit ipv4 any
1000 deny ipv4 any any log icmp-off
ipv6 access-list ACL-VTY-IN
10 permit ipv6 2001:db8::/64 any
1000 deny any any log icmp-off

Apply the ACL on the line template:

vty-pool default 0 4 line-template default
line default
access-class ingress ACL-VTY-IN

Alternatively you can implement restrictions on the SSH Server which allows both IPv4 and IPv6. Note that SSH could be also used for Netconf, so the ACL might need to include additional sources which do not apply for VTY access only.

ssh server ipv4 access-list ACL-VTY-IN ipv6 access-list ACL-VTY-IN


You can potentially lock yourself out, we recommend using commit confirmed when implementing the changes.

Using VTY lines without access-lists opens up the attack surface because any source IP can establish a connection to the device. This could be exploited by an attacker to create DoS condition.

See Also


Item Details


References: 800-53|AC-17(3), 800-53|SI-7, CSCv7|11.7

Plugin: Cisco

Control ID: 25c6b4e7efa358a76c019d726a84f6b43c924af10a50150c59bd88cd3e3741b9