TCP-Port 3101 is -- if enabled serial port 1. User mylocal should have access only to ports 2 through 48. Direct access to 3101/tcp is correctly denied. However connecting to the Avocent first using mylocal account and then use connect command allows access to this port. In this experiment a cisco switch is hooked up to serial port 1. ------------------------------------------ ~/console/lab-notizen/avo|19% ssh Admin@ccm Admin@ccm's password: Avocent CCM4850 S/W Version 2.1 > show user User: Admin Level: Appliance Administrator Access: PALL,USER,SCON,SMON,PCON,BREAK Groups: Port Access: BY PORT Locked: N/A Last Login: 00 10:17:11 Port Username Duration Socket From Socket CLI Admin 00 00:00:04 22 0.0.0.0(58798) > show user mylocal User: mylocal Level: User Access: P2-48,BREAK Groups: Port Access: BY PORT Locked: NO Last Login: 00 08:10:24 > >Connection to ccm closed ~/console/lab-notizen/avo|20% ssh mylocal@ccm -p 3101 mylocal@ccm's password: Received disconnect from 192.168.100.209: 2: Access denied - No access to port 1 ~/console/lab-notizen/avo|21% ssh mylocal@ccm mylocal@ccm's password: Avocent CCM4850 S/W Version 2.1 > connect 1 Connected to Port: 1 9600,8,N,1,NONE cisco#Connection to ccm closed. ~/console/lab-notizen/avo|22%