ACL on Router Console Port

In my security class they reference assigning an IP ACL to the console port using the access-class command. Does an IP ACL have any effect on the console (serial) port?

BW

Reply to BW

Are you sure it was the console port and not the vty lines?

Doan

Reply to Doan

Yes, the console port as well as the vty lines.

Reply to BW

Thanks

online

Reply to iibm2323

How does a console port detect an IP address? It is out-of-band.

Doan

Reply to Doan

That was exactly my point. I can't see how it would have any effect on a serial line connection.

Reply to BW

OK, I think they meant applying it in the outbound direction; that way you limit where they can get to even when they have console access.

Doan

Reply to Doan

You can't apply an inbound ACL on a console port since it's RS232 signals. I suppose you can put an ACL on the terminal server connected to the console port. Perhaps that's what they meant?

Reply to Hansang Bae

Or perhaps an outbound ACL to limit where you could go once you consoled in.

Doan

Reply to Doan

May be worth re-reading the way ACLs work, and if they affect traffic generated by the router itself.

As Hansang said, the console is NOT IP so an ACL on the console is not possible. The outbound ACL to control traffic would have to be on all the other interfaces, and would not work as traffic would be locally generated. To control telnet access *from* the router you would need an *INBOUND* ACL to block the responses.

Reply to Paul Matthews

Hansang said nothing about an outbound ACL. I tested it on a live router and it worked just as I understood it:

router#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    2  101      0      22     0/0       -

router#telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx
% Connections to that host not permitted from this terminal

Perhaps you can point me to a link where it says otherwise.

Thanks,

Doan

Reply to Doan
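An added configuration example, written for this page and not taken from any poster in the thread, showing the kind of config that produces the "AccO 2" column in Doan's show line output above and the "% Connections to that host not permitted from this terminal" refusal. The ACL number, the addresses and the line settings are all assumed; the only things taken from the thread are the access-class command, the outbound direction and the refusal message.

```cisco
! Constructed example: restrict where a console user can telnet TO.
! Standard ACL 2 lists the only destination the console line may reach.
! With "access-class ... out" the ACL is matched against the DESTINATION
! address of sessions started from the line, not against a source.
access-list 2 remark Hosts reachable by telnet from the console line
access-list 2 permit 192.0.2.10
access-list 2 deny   any
!
line con 0
 ! Outbound access-class: limits telnet started from this line.
 ! It does not (and cannot) control who plugs into the RS-232 port;
 ! that is physical access plus the login on the line itself.
 access-class 2 out
 exec-timeout 5 0
 login
 password console-password-placeholder
!
! Verification (assumed addresses, matching the thread's show line output):
! router#show line 0
!    -> the AccO column now reads 2
! router#telnet 192.0.2.10
!    -> permitted by ACL 2
! router#telnet 198.51.100.5
! % Connections to that host not permitted from this terminal
```

The outbound access-class on line con 0 is the part of the thread's question that actually does something: it narrows what an operator who already has console access can reach from the router. An inbound access-class on the console (the AccI 101 in the same output) has no IP source to match, as the earlier replies point out, so inbound restriction of remote management belongs on the vty lines, and control of the console belongs to physical access and the line's own login.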

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.