ACL OVER Virtual Terminal (VTY)

When a Telnet/SSH/NetConf connection is established in OcNOS, it is associated with a virtual terminal (VTY) line. The ACL over VTY feature provides security for the management services reachable through VTY.

Users can create Standard and Extended ACL rules and attach them to the virtual teletype (VTY) command line interface. These ACL rules are applied on both the Management and the Default virtual routing and forwarding instances (VRFs).

OcNOS supports both IPv4 and IPv6 access lists for VTY lines, providing flexibility for network configurations.

Applying a standard ACL rule on a VTY line permits or denies only the management access protocols, that is SSH, Telnet, and SSH-NetConf (port numbers 22, 23, and 830).

Extended ACL rules are applied as configured by the user and, unlike Standard ACLs, are not limited to management protocols.

When a user configures a rule with 'deny any any any' and attaches it to the VTY, it effectively blocks only the Telnet, SSH, and NetConf protocols on the control plane.

For example, when a user configures the rule below and attaches it to the VTY lines, the deny entry's 'any' protocol value means that only Telnet/SSH/SSH-NetConf traffic is denied:

ip access-list ssh-access
10 permit tcp 10.12.43.0/24 any eq ssh
20 deny any any any

To deny a protocol other than Telnet/SSH/SSH-NetConf, create a deny rule on the VTY that names that protocol explicitly. For example, to deny OSPF from all source and destination addresses, apply the rule 10 deny ospf any any.

In general, VTY ACLs are specific to management protocols. Hence, the translation of the Extended ACL 'any' rule is adjusted to cover the management protocols as follows:

  • If a deny ACL rule has 'any' as the protocol value, only Telnet/SSH/SSH-NetConf are denied.
  • A permit ACL rule is unchanged.

Refer to the command reference section for limitations, default behavior, and unsupported features.

Topology

Figure 74. ACL VTY Topology

VTY ACL Configuration

#configure terminal

Enter configure mode.

(config)#interface lo

Enter interface mode.

(config-if)#ip address 3.3.3.3/32 secondary

Assign the IPv4 secondary address.

(config-if)# exit

Exit interface mode.

(config)#ip access-list vty

Create the access list named vty.

(config-ip-acl)# 10 permit tcp any host 3.3.3.3 eq telnet

Permit Telnet sessions from any source to the specific destination 3.3.3.3.

(config-ip-acl)#exit

Exit access-list mode.

(config)#line vty

Enter line VTY mode.

(config-all-line)#ip access-group vty in

Apply the access list vty to inbound traffic on all VTY lines.

(config-all-line)#exit

Exit line mode.

(config)#exit

Exit configure mode.

Validation

OcNOS#sh access-lists
IP access list vty
       10 permit tcp any host 3.3.3.3 eq telnet
 
OcNOS#sh ip access-lists summary
IPV4 ACL vty
       statistics enabled
       Total ACEs Configured: 1
       Configured on interfaces:
       Active on interfaces:
       Configured on line vty:
       all vty lines - ingress
 
OcNOS#sh running-config access-list  
ip access-list vty
10 permit tcp any host 3.3.3.3 eq telnet 
!
line vty
ip access-group vty in

Implementation Examples

OcNOS#show running-config aclmgr
ip access-list ssh-access
 10 permit tcp 10.12.43.0/24 any eq ssh
 20 deny tcp 10.12.33.0/24 any eq 6513
 30 deny any 10.12.34.0/24 any
 40 deny any any any
!
line vty
 ip access-group ssh-access in
 
iptables output:
 
root@OcNOS:~# iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.12.43.0/24        anywhere             tcp dpt:ssh 
DROP       tcp  --  10.12.33.0/24        anywhere             tcp dpt:tls_netconf
DROP       tcp  --  10.12.34.0/24        anywhere             multiport dports ssh,telnet,ssh_netconf
DROP       tcp  --  anywhere             anywhere             multiport dports ssh,telnet,ssh_netconf
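As an added illustration (not OcNOS code; the switch performs this translation internally), the following Python models the ACE-to-iptables mapping shown in the output above: a deny ACE whose protocol is 'any' becomes a DROP limited to ports 22, 23 and 830, while permit entries and protocol-specific entries are rendered as configured. The function names and the regular-expression grammar for an ACE line are assumptions of this example.

```python
# Illustrative model (not OcNOS code) of the VTY ACL to iptables translation
# described above: a 'deny' ACE whose protocol is 'any' is narrowed to the
# management ports (22 ssh, 23 telnet, 830 ssh-netconf); permit entries and
# protocol-specific entries are rendered exactly as configured.
import ipaddress
import re

MGMT_PORTS = "22,23,830"                 # what 'deny any' really covers on VTY
PORT_NAMES = {"ssh": "22", "telnet": "23", "ssh-netconf": "830"}
ACE_RE = re.compile(                     # assumed ACE grammar for this example
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+/\d+)\s+(?P<dst>any|host \S+|\S+/\d+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$")

def _addr(token):
    """iptables address argument for an ACE address token, None for 'any'."""
    if token == "any":
        return None
    if token.startswith("host "):
        return str(ipaddress.ip_address(token.split()[1]))
    return str(ipaddress.ip_network(token, strict=False))

def ace_to_iptables(line):
    """Translate one ACE line into an 'iptables -A INPUT ...' command string."""
    m = ACE_RE.match(line)
    if m is None:
        raise ValueError(f"unparsable ACE: {line!r}")
    if m["port"] and m["proto"] not in ("tcp", "udp"):
        raise ValueError("'eq <port>' is only valid for tcp or udp")
    target = "ACCEPT" if m["action"] == "permit" else "DROP"
    args = ["iptables", "-A", "INPUT"]
    if m["proto"] != "any":
        args += ["-p", m["proto"]]
    elif target == "DROP":
        # the documented special case: 'deny any' blocks only VTY protocols
        args += ["-p", "tcp", "-m", "multiport", "--dports", MGMT_PORTS]
    # ('permit any' stays an unconditional accept of every protocol)
    for flag, token in (("-s", m["src"]), ("-d", m["dst"])):
        addr = _addr(token)
        if addr:
            args += [flag, addr]
    if m["port"]:
        args += ["--dport", PORT_NAMES.get(m["port"], m["port"])]
    return " ".join(args + ["-j", target])

def translate_acl(acl_text):
    """Translate every numbered ACE of an 'ip access-list' body, by sequence."""
    aces = [l for l in acl_text.splitlines() if re.match(r"\s*\d+\s", l)]
    return [ace_to_iptables(l) for l in sorted(aces, key=lambda l: int(l.split()[0]))]
```

Feeding it the ssh-access list from the implementation example yields one rule per ACE, with entries 30 and 40 collapsing to the multiport DROP seen in the iptables listing.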