Hi all I'm new to the list, I subscribed definetely for asking this question of mine: We have a c2610 (IOS 11.3) which handles 4 analog and 2 ISDN lines for dial-in access. I want to restrict web access of remote users, on a per user basis. I saw the "access-class" option of the "username" command. I checked the syntax and usage at www.cisco.com, also tried it w/ a test user, but does not work. Any help regarding this would be appreciated very much! Before denying port #80, I tried to restrict *all* access of the tested user. config looked like this: [...] username test access-class 101 password test [...] access-list 101 deny tcp any any now user "test" *could* transmit any packages to any port! (ping, http, ftp, etc..) Documentation says that the "access-class" option of username command *overrides* line access-class settings. This does not claim that a line access-class should always exist when using username access-class -- but I tried it just to be on the safe side. Defined a permit tcp any any list on the tested line, but the deny list did not override it (as the documentation said). thanks in advance Zoltan Houdek consultant Hungary PS. I tried and searched thru the archive for keywords "dial-in", "username", "restrict access", but find no answer for this. _________________________________ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]