ACL · Line Config

access-class [acl] in

Restricts incoming or outgoing Telnet/SSH access to a router line (VTY, AUX, console) by applying an ACL that filters source IP addresses.

Syntax·Line Config
access-class [acl] in

When to Use This Command

  • Limit remote management access to only specific admin workstations (e.g., 192.168.1.0/24).
  • Block all Telnet/SSH access from external networks while allowing internal management.
  • Apply different ACLs to different VTY lines for tiered administrative access.
  • Temporarily restrict remote access during maintenance windows.

Command Examples

Restrict VTY access to a specific subnet

line vty 0 4
 access-class 10 in

The command is entered in line configuration mode. 'access-class 10 in' applies ACL 10 to filter incoming Telnet/SSH connections on VTY lines 0-4. No output is generated if successful.

Verify access-class applied to VTY lines

show line vty 0 4
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 VTY              -    -      -    -   10       0       0     0/0       -
     1 VTY              -    -      -    -   10       0       0     0/0       -
     2 VTY              -    -      -    -   10       0       0     0/0       -
     3 VTY              -    -      -    -   10       0       0     0/0       -
     4 VTY              -    -      -    -   10       0       0     0/0       -

The 'AccI' column shows the inbound access-class number applied. Here, '10' is listed for all VTY lines, confirming the ACL is active. 'AccO' would show outbound ACL if configured.

Understanding the Output

The 'show line' command displays line parameters. The 'AccI' field indicates the inbound access-class ACL number. If blank or '0', no ACL is applied. A valid ACL number (1-99, 100-199, 1300-2699) means filtering is active. Verify that the ACL exists and permits desired sources; otherwise, all connections are denied by implicit deny.

CCNA Exam Tips

1. Remember that 'access-class' is applied to lines (VTY, AUX, console), while 'access-group' is applied to interfaces.

2. The implicit deny at the end of an ACL will block all traffic not explicitly permitted; always include a permit statement for allowed sources.

3. CCNA may test that 'access-class' only filters incoming connections when 'in' is specified; 'out' filters outgoing connections (rarely used).

4. You can apply different ACLs to different VTY line ranges (e.g., VTY 0-4 vs VTY 5-15) for tiered access.

Common Mistakes

Applying 'access-class' to an interface instead of a line — use 'access-group' for interfaces.

Forgetting to create the ACL before applying it, resulting in implicit deny blocking all access.

Using 'access-class' without specifying 'in' or 'out' — defaults to 'in', but best practice is to be explicit.
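
A check for two of the situations above, a VTY range with no inbound access-class and an access-class that names an ACL that was never created, written as an added example that is not part of the original page. The function name, the sample configuration and the assumption that sub-commands are indented by one space (as in saved running-config text) are all constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the original page).
SAMPLE_CONFIG = """\
access-list 10 permit 192.168.1.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 20 in
 transport input ssh
line vty 16 31
 transport input ssh
"""

ACL_DEF = re.compile(
    r"^(?:access-list\s+(\d+)|ip access-list\s+(?:standard|extended)\s+(\S+))", re.M)
ACCESS_CLASS_IN = re.compile(r"access-class\s+(\S+)\s+in\b")


def audit_vty_access_class(config):
    """Return (line header, finding) pairs for VTY blocks that need attention."""
    # Numbered and named ACLs that are actually defined in this config.
    defined = {m.group(1) or m.group(2) for m in ACL_DEF.finditer(config)}

    # Group indented sub-commands under their "line ..." header.
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None

    findings = []
    for header, cmds in blocks.items():
        if not header.startswith("line vty"):
            continue
        acls = [m.group(1) for c in cmds if (m := ACCESS_CLASS_IN.match(c))]
        if not acls:
            findings.append((header, "no inbound access-class"))
        elif acls[-1] not in defined:
            findings.append((header, f"access-class references undefined ACL {acls[-1]}"))
    return findings


if __name__ == "__main__":
    for header, finding in audit_vty_access_class(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```

Run against the sample, it flags 'line vty 5 15' (ACL 20 is referenced but not defined) and 'line vty 16 31' (no access-class at all), while 'line vty 0 4' passes.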
