
Document ID: 116101
Updated: May 31, 2013
Contributed by Sandeep Singh and Shashank Singh, Cisco TAC Engineers.
Introduction
This document describes the supported ACL structure that controls telnet access to a switch.
Problem
The user wants to allow telnet to the switch from just one host in the network. For example, only host 10.0.0.2 should be able to telnet to the switch IP 10.0.0.1.
Here is an example of a configuration that does not work:
ip access-list extended 100
 permit tcp host 10.0.0.2 host 10.0.0.1 eq telnet
line vty 0 4
 access-class 100 in
 transport input telnet
 login
 password cisco
Solution
By design, access-class compares only the source address of the incoming connection against the access list. Access-class controls access to the router as a whole, not access to the router on one particular router address, so the destination address of the connection is never matched against a specific host. In an extended access list applied with access-class the destination must therefore be any; an entry whose destination is a specific host, such as host 10.0.0.1 in the example above, does not match, the list falls through to its implicit deny, and the telnet session is refused even from the intended host.
Here is an example of a configuration that works:
ip access-list extended 100
 permit tcp host 10.0.0.2 any eq telnet
line vty 0 4
 access-class 100 in
 transport input telnet
 login
 password cisco
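Because access-class evaluates only the source address, the same restriction is usually written with a standard access list, which has no destination field at all. The following configuration is an added example and is not taken from the original document; it restricts the VTY lines to the same management host, logs refused attempts, and lists the commands used to confirm that the list is bound and is counting hits. Host 10.0.0.3 is an assumed second host used only to exercise the deny entry.

```cisco
! Added example, not part of the original document.
! Standard ACL: only the source address is compared, which is exactly what
! access-class does, so no destination field is needed.
access-list 10 remark Only the management host may open VTY sessions
access-list 10 permit host 10.0.0.2
! Explicit deny with log so refused connection attempts are visible in syslog
! (the implicit deny at the end of the list would drop them silently).
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input telnet
 login
 password cisco
!
! Verification from privileged EXEC mode:
!   show running-config | section line vty
!     confirms that access-class 10 in is applied to vty 0 4
!   show ip access-lists 10
!     the permit entry's match counter increases after 10.0.0.2 connects;
!     the deny entry's counter increases after the assumed host 10.0.0.3
!     attempts to connect and has its telnet session refused
```

If more than one management host is required, add further permit host entries before the deny; keep the deny last, since entries are evaluated in order and the first match decides the result.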
Related Information
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.