Preventing VTY Access from all default gateways

Showrun.txt (2.0 KB)
We would like to prevent any user being able to point an SSH client ( Putty, Teraterm etc ) from pointing this to the IP address of their Default Gateway. and gettting to the router login page. This means only the TACACS username and password are the first and last line of defence. We only want the Management VLAN to allow access.

This seems fairly easy to do with Telnet as I can setup a access-list on the VTY Terminals or use CoPP ( Control Plane )

Basically on the Distribution Switches we only want a login responce from the Management VLAN address ( Which hopefully is only known by us and not general users ) to respond.
Also there seems to be different versions of control plane - some use the control-plane host command which doesn’t work for me also the Class-map ‘Drop’ command doesn’t work.


I think you might need to do the following:

Router(config)#access-list 23 permit - This is the IP range of the management VLAN
Router(config)#line vty 0 15
Router(config-line)#access-class 23 in

Hello John

Mark is correct here. You can even create an access list allowing only specific IP addresses instead of ranges. For example:

ip access-list standard admin

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 15
Router(config-line)#access-class admin in

In this way, you can avoid using CoPP all together.

I hope this was helpful!