Security | 949

Figure 45-16. Example Access-Class Configuration Using Local Database

FTOS(conf)#user gooduser password abc privilege 10 access-class permitall
FTOS(conf)#user baduser password abc privilege 10 access-class denyall
FTOS(conf)#
FTOS(conf)#aaa authentication login localmethod local
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(config-line-vty)#login authentication localmethod
FTOS(config-line-vty)#end

VTY Line Remote Authentication and Authorization

FTOS retrieves the access class from the VTY line.

The Dell Force10 OS takes the access class from the VTY line and applies it to ALL users. FTOS does not need to know the identity of the incoming user and can immediately apply the access class. If the authentication method is RADIUS, TACACS+, or line, and you have configured an access class for the VTY line, FTOS immediately applies it. If the access-class is deny all or deny for the incoming subnet, FTOS closes the connection without displaying the login prompt. Figure shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt. The example uses TACACS+ as the authentication mechanism.

Figure 45-17. Example Access Class Configuration Using TACACS+ Without Prompt

FTOS(conf)#ip access-list standard deny10
FTOS(conf-ext-nacl)#permit 10.0.0.0/8
FTOS(conf-ext-nacl)#deny any
FTOS(conf)#
FTOS(conf)#aaa authentication login tacacsmethod tacacs+
FTOS(conf)#tacacs-server host 256.1.1.2 key force10
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(config-line-vty)#login authentication tacacsmethod
FTOS(config-line-vty)#
FTOS(config-line-vty)#access-class deny10
FTOS(config-line-vty)#end
(same applies for radius and line authentication)

VTY MAC-SA Filter Support

FTOS supports MAC access lists which permit or deny users based on their source MAC address. With this approach, you can implement a security policy based on the source MAC address.

To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs (Figure 45-18).

Figure 45-18 shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.

Note: See also the section Chapter 8, IP Access Control Lists (ACL), Prefix Lists, and Route-maps.
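
Added example (not from the Dell manual): a small Python check that parses the VTY access class from Figure 45-17 and reports which source addresses would reach the login prompt before authentication starts. It assumes rules are evaluated top-down with the first match winning and an implicit deny at the end; CONFIG is constructed from the figure's commands, and the function names are hypothetical.

```python
import ipaddress

# Constructed input: the deny10 ACL and VTY lines as printed in Figure 45-17.
CONFIG = """\
ip access-list standard deny10
 permit 10.0.0.0/8
 deny any
line vty 0 9
 login authentication tacacsmethod
 access-class deny10
"""

def parse(config):
    """Return ({acl_name: [(action, network), ...]}, access class on the VTY lines)."""
    acls, vty_acl, section = {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        words = line.split()
        if not words:
            continue
        if line.startswith("ip access-list standard "):
            section = acls.setdefault(words[3], [])
        elif line.startswith("line vty"):
            section = "vty"
        elif section == "vty" and words[0] == "access-class":
            vty_acl = words[1]
        elif isinstance(section, list) and words[0] in ("permit", "deny"):
            net = "0.0.0.0/0" if words[1] == "any" else words[1]
            section.append((words[0], ipaddress.ip_network(net)))
    return acls, vty_acl

def gets_login_prompt(config, source_ip):
    """True if the source passes the VTY access class and is shown a login prompt."""
    acls, vty_acl = parse(config)
    if vty_acl is None:
        return True  # no access class: every source reaches authentication
    if vty_acl not in acls:
        raise ValueError(f"access-class {vty_acl} is not defined in this config")
    addr = ipaddress.ip_address(source_ip)
    for action, net in acls[vty_acl]:
        if addr in net:  # first matching rule decides (assumed semantics)
            return action == "permit"
    return False  # assumed implicit deny when no rule matches

if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.0.2.10"):  # constructed sample sources
        state = "login prompt" if gets_login_prompt(CONFIG, ip) else "closed"
        print(f"{ip}: {state}")
```

As printed, deny10 lets sources in 10.0.0.0/8 reach the prompt and closes all others, so compare the evaluated result against the intent stated in the text before applying the list to a VTY line.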