200-101 · Question #164
Unauthorized users have used Telnet to gain access to a company router. The network administrator wants to configure and apply an access list to allow Telnet access to the router, but only from the ne
The correct answer is B. access-list 3 permit host 172.16.3.3 line vty 0 4 access-class 3 in. To restrict Telnet access to a router's VTY lines to a single IP address, a standard ACL must be applied to the VTY lines using the 'access-class' command, not 'ip access-group'.
Question
Exhibit
Options
- Aaccess-list 101 permit tcp any host 172.16.3.3 eq telnet interface s0/0 ip access-group 101 in
- Baccess-list 3 permit host 172.16.3.3 line vty 0 4 access-class 3 in
- Caccess-list 101 permit tcp any host 172.16.3.3 eq telnet access-list 101 permit ip any any interface s0/0 ip access-group 101 in
- Daccess-list 3 permit host 172.16.3.3 line vty 0 4 ip access-group 3 in
How the community answered
(41 responses)- A7% (3)
- B71% (29)
- C17% (7)
- D5% (2)
Why each option
To restrict Telnet access to a router's VTY lines to a single IP address, a standard ACL must be applied to the VTY lines using the 'access-class' command, not 'ip access-group'.
Applying an extended ACL to a physical interface (s0/0) with 'ip access-group' affects all traffic transiting that interface, not just Telnet to the router itself, and would not restrict VTY access from other interfaces.
A standard ACL (number 3) permitting only host 172.16.3.3 implicitly denies all other sources. Applying it to VTY lines 0-4 with 'access-class 3 in' is the correct IOS syntax for filtering inbound Telnet connections to the router's virtual terminal lines, ensuring only that host can connect.
Although the ACL logic is partly correct, applying it to a physical interface with 'ip access-group' does not restrict VTY access from all interfaces and could block transit traffic unnecessarily.
The 'ip access-group' command is used on physical interfaces and is not valid syntax on VTY lines; the correct command for VTY line filtering is 'access-class'.
Concept tested: VTY access control using access-class on router
Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Topics
Community Discussion
No community discussion yet for this question.
