• If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface.
• If an ACL is configured on the VTY user interface, there are two possibilities: if the packets for establishing a Telnet connection match the ACL rule configured on the VTY user interface, the connection is permitted or denied according to the ACL rule; if not, the connection is denied directly.

Controlling Telnet Users by ACL

Telnet users can be controlled by ACL in the following two ways:

• inbound: Applies the ACL to the users Telnetting to the local switch through the VTY user interface.
• outbound: Applies the ACL to the users Telnetting to other devices through the current user interface. This keyword is unavailable to Layer 2 ACLs.

You can configure the following three types of ACLs as needed:

Table 9-2 ACL categories

| Category | ACL number | Matching criteria |
|---|---|---|
| Basic ACL | 2000 to 2999 | Source IP address |
| Advanced ACL | 3000 to 3999 | Source IP address and destination IP address |
| Layer 2 ACL | 4000 to 4999 | Source MAC address |

Source and destination in this manual refer to a Telnet client and a Telnet server respectively.

• If the inbound keyword is specified, the Telnet client is the user telnetting to the local switch and the Telnet server is the local switch.
• If the outbound keyword is specified, the Telnet client is the local switch, and the Telnet server is another device to which the user is telnetting.

Follow these steps to control Telnet users by ACL:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a basic ACL or enter basic ACL view | acl number acl-number [ match-order { auto \| config } ] | For the acl number command, the config keyword is specified by default. |
| Define rules for the ACL | rule [ rule-id ] { deny \| permit } [ rule-string ] | Required |
| Quit to system view | quit | — |
| Enter user interface view | user-interface [ type ] first-number [ last-number ] | — |
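The permit/deny behaviour described above for an inbound basic ACL on a VTY user interface, written out as a small Python model. This is an added example, not part of the manual and not switch configuration. The Rule class, the CIDR notation, the function names and the sample addresses are assumptions made for illustration, as is reading the config match order as ascending rule ID.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str   # "permit" or "deny"
    source: str   # source network in CIDR form (illustrative notation, not switch syntax)

def vty_decision(acl: Optional[list], client_ip: str) -> str:
    """Decide one inbound Telnet connection attempt on a VTY user interface."""
    if acl is None:
        return "permit"   # no ACL configured: users are not controlled
    addr = ipaddress.ip_address(client_ip)
    # Assumption: "config" match order is modelled as ascending rule ID, first match wins.
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if addr in ipaddress.ip_network(rule.source):
            return rule.action   # matched: permitted or denied according to the rule
    return "deny"         # ACL configured but no rule matched: denied directly

def unrestricted_vtys(vty_acls: dict) -> list:
    """Return the VTY indexes that have no inbound ACL and so accept any client."""
    return sorted(i for i, acl in vty_acls.items() if acl is None)

# Constructed sample: a basic ACL (number 2000 is in the basic range) that
# admits a management subnet except for one host.
ACL_2000 = [
    Rule(5, "deny", "192.0.2.66/32"),
    Rule(10, "permit", "192.0.2.0/24"),
]
# Constructed sample: VTY 0 to 3 carry the ACL, VTY 4 was left without one.
VTY_ACLS = {0: ACL_2000, 1: ACL_2000, 2: ACL_2000, 3: ACL_2000, 4: None}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "198.51.100.7"):
        print(ip, "with ACL:", vty_decision(ACL_2000, ip),
              "| without ACL:", vty_decision(None, ip))
    print("VTY user interfaces without an inbound ACL:", unrestricted_vtys(VTY_ACLS))
```

The address outside every rule is refused only on the interfaces that carry the ACL; on the interface left without one, the same client is accepted, which is why an audit should check every VTY user interface rather than only the first.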