As an architect, I spend a lot of time in PowerPoint, Smartsheet and Webex so I relish opportunities to jump in the lab and do some hands-on work.
The question that drove me into the lab today: "Does an inbound access-class on a router VTY affect the ability to establish outbound connections (as in the ability to SSH to another router)?" The hamster jumped on the mental wheel in my head and the questions flooded in:
- This is a simple question with a simple response -- No!
- Wait - interface access-lists need to account for traffic in both directions. Does the same hold true for VTY access-classes?
- Well, vty access-classes are about session control and not traffic control. Right?
- But what happens when you apply an extended ACL with protocols specified? Does that work differently from standard ACLs?
- If I test with telnet, will that give the same results as SSH?
Spinning up a Cisco Modeling Lab instance in Cisco dCloud let me run through the answer. More importantly, getting back to the basics and remembering not to assume anything was a great exercise -- things like:
- SSH does not work on an IOS router until you generate a key of at least 1024 bits in length...
- named access lists are under the 'ip' command and not under 'access-list'.. ugh
- start simple, validate ability to operate, then build complexity from there.
- and most importantly, things don't always work the way they seem.
Days like this are when I love my job the most -- I get to work with people and I get to work with technology!
And for those wondering about the answer to the question: Applying an inbound access-class to a VTY does not affect outbound connections. You don't have to account for the return traffic in the ACL.
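The configuration below is an added example, not the author's lab config from the post, showing how the pieces discussed above fit together on IOS: generating the RSA key before SSH will work, defining a named standard ACL under 'ip access-list' (not 'access-list'), applying it inbound on the VTYs, and then testing an outbound SSH session from the same router. The hostname, addresses, ACL name, username and key size are assumptions chosen for the example.

```ios
! Added example (not the post's own config). Names, addresses and the
! 2048-bit modulus are assumptions; adjust for your lab.
hostname R1
ip domain-name lab.example
!
! SSH will not come up until an RSA key exists.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Named standard ACL lives under 'ip access-list', not 'access-list'.
! Only the management subnet may open sessions to this router's VTYs.
ip access-list standard VTY-MGMT
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
 login local
!
! Verification from R1 (assumes a second router R2 at 10.0.1.2 running SSH).
! The inbound access-class governs sessions arriving at R1's VTYs;
! the session R1 initiates toward R2 is not evaluated against it.
R1# show access-lists VTY-MGMT
R1# ssh -l admin 10.0.1.2
```

One caveat a practitioner should keep in mind: IOS also supports 'access-class <acl> out' on a VTY line. That keyword does not filter return traffic either; it restricts which destinations a user who is already logged in on that VTY is allowed to open outbound connections to, with the ACL's addresses matched against the destination of the new session. So if an outbound SSH from a router is being blocked, check for an 'out' access-class on the line you are logged into, not the 'in' one.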
(Hmmmm - I wonder if that is only specific to the IOS version I tested with - maybe a bug? Do ASR9Ks on IOS-XR or Nexus devices on NX-OS work differently? How about Catalyst switches? Argh - I need the hamster to get off the wheel as I have other work to do!)