Cisco LogoOn most networks, there is a subset of IP addresses assigned to "management" hosts. These hosts might be the workstations of network administrators or monitoring servers. One of the keys to network security is restricting who has access to the device. Generally, we think of access restriction in terms of usernames and passwords, groups and security contexts. These methods do not go far enough in preventing attack.

Brute force password attempts happen on network devices all day every day. All it takes is one weak password for your device to be compromised. If we lock out all machines that should not be attempting to access the system, we've done a great deal to prevent maliciousness.

We'll use an access-list to define a block of IPs that should be allowed to access our Cisco router (or IOS-based Catalyst switch) and then apply it to our virtual terminal (VTY) lines.

access-list 9 remark Management IPs
access-list 9 permit 172.16.9.0 0.0.0.15
access-list 9 permit host 172.16.9.99
access-list 9 deny   any

We're able to use a standard access-list rather than an extended access-list because we're not concerned with matching sources and destinations. We've allowed the first 16 consecutive IPs from 172.16.9.0 through 172.16.9.15. By way of example, we'll assume these are the IP addresses of the hosts used by our network administrators. A single host at 172.16.9.99 is also permitted to access the system. A monitoring server, perhaps. Finally, we deny access by all other hosts.

Now, apply that access-list to our virtual terminal lines to ensure unwanted hosts do not attempt to access the device.

line vty 0 4
 access-class 9 in

That's all it takes. As long as the host trying to access the system belongs to one of the permit statements in our access-list, they should be granted the opportunity to enter a password. If they are not allowed to access the system, they should see something similar to the following:

Baldr:~ slap$ telnet SLAP1
 Trying 192.168.9.1...
 telnet: connect to address 192.168.9.1: Connection refused
 telnet: Unable to connect to remote host

Perfect! Access denied.

Further Reading