Using Named ACLs for VTY access

Cisco allows the use of extended and named access lists for filtering access to VTY lines. However, the ability to specify destination addresses (i.e., to limit VTY access to specific management IP addresses on the device) is still unsupported. The destination portion of each ACL entry needs to be set to ‘any’.

Example named ACL for limiting VTY access over SSH to specific source subnets. The explicit final deny also lets us log rejected connection attempts, which the implicit deny at the end of the ACL would not do.

ip access-list extended vty.access
 remark SSH from the management subnet only; destination must be any
 permit tcp 10.10.250.0 0.0.0.255 any eq ssh
 remark explicit deny so refused attempts are logged
 deny tcp any any log

line vty 0 4
 access-class vty.access in