1.2.2 Restrict Access to VTY Sessions - VTY ACL


Restrict Management Access to trusted management stations and VLANs.


Exposing the management interface too broadly leaves it open to MiTM (Monkey in the Middle) attacks as well as credential stuffing attacks. If there is any disagreement, the question 'should your receptionist have access to your core switch?' usually illustrates the need for this control.


Not restricting access to the management interface has several risks:

It exposes the interface to credential stuffing attacks from commodity malware (such as Mirai).

It highlights the device, even to simple scans, as missing basic security remediations, which invites other attacks in addition to credential stuffing.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Create an access-list that defines the various trusted subnets and/or stations:

switch(config)# ip access-list ACL-MGT
switch(config-acl)# remark access-class ACL
switch(config-acl)# permit ip <trusted-mgmt-subnet> any
switch(config-acl)# deny ip any any log

It is suggested that all ACLs are commented to help self-document the configuration. Add one permit entry for each trusted subnet or station (the <trusted-mgmt-subnet> above is a placeholder for your own source prefix).
The last line in the ACL should read deny ip any any log to record all attempts to reach the management interface from unauthorized stations.
Apply the Access-Class to the VTY interface:

switch(config)# line vty
switch(config-line)# access-class ACL-MGT in
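The following added example (not part of the benchmark page or of Nessus) checks a saved running-config for the conditions this item describes: an access-class applied inbound on line vty, the referenced ACL defined with a remark, no permit from any source, and deny ip any any log as the final entry. The config excerpt, ACL name and subnet are constructed for the example.

```python
import re

# Constructed NX-OS running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
ip access-list ACL-MGT
  10 remark access-class ACL
  20 permit ip 10.10.10.0/24 any
  30 deny ip any any log
line vty
  access-class ACL-MGT in
"""

def parse_acls(config):
    """Return {acl_name: [entry, ...]} with sequence numbers stripped."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip access-list (\S+)\s*$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif line.startswith(" ") and current:
            acls[current].append(re.sub(r"^\d+\s+", "", line.strip()))
        else:
            current = None          # left the ACL block
    return acls

def vty_access_class(config):
    """Return the ACL name applied inbound on 'line vty', or None."""
    in_vty = False
    for line in config.splitlines():
        if line.rstrip() == "line vty":
            in_vty = True
        elif in_vty and line.startswith(" "):
            m = re.match(r"\s*access-class (\S+) in\s*$", line)
            if m:
                return m.group(1)
        else:
            in_vty = False
    return None

def check_vty_acl(config):
    """Return a list of findings; an empty list means the item passes."""
    acl_name = vty_access_class(config)
    if acl_name is None:
        return ["no access-class applied inbound on line vty"]
    entries = parse_acls(config).get(acl_name)
    if entries is None:
        return [f"access-class references undefined ACL {acl_name}"]
    findings = []
    rules = [e for e in entries if not e.startswith("remark")]
    if len(rules) == len(entries):
        findings.append("ACL has no remark")
    if any(re.match(r"permit \S+ any\b", e) for e in rules):
        findings.append("ACL permits traffic from any source")
    if not rules or rules[-1] != "deny ip any any log":
        findings.append("ACL does not end with 'deny ip any any log'")
    return findings
```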

Default Value:

No access-class is applied by default

Item Details


References: 800-53|SC-3, 800-53|SC-7(15), CSCv7|11.6, CSCv7|11.7

Plugin: Cisco

Control ID: f586fa8bba2e062fa1ec5d21ade483f90147ccfbf8ddc8fc6769971ef6c19ebb