topic Re: ASR-1009-X ssh all interface in Network Access Control

ASR-1009-X ssh all interface

Sureshbabu — Wed, 10 Jan 2024 18:07:41 GMT

HI ,

i have ASR-1009-X and C9K both connected OSPF and LAN segment L3 in C9K.

ASR and C9K both in OSPF and LAN segment advertise in OSPF.

when i taking ssh through p2p interface IP both device access from my LAN. Requirement is ssh should happen through mgmt interface only.

But i have ACL in line vty 0 4 my ASR and C9K. transport input ssh and output non only. Still im getting ssh p2p ip interface.

Kindly suggest

Re: ASR-1009-X ssh all interface

MHM Cisco World — Wed, 10 Jan 2024 18:11:25 GMT

Share the acl you use for vty and ip you use to access

MHM

Re: ASR-1009-X ssh all interface

Sureshbabu — Fri, 12 Jan 2024 14:40:57 GMT

in vty i used standard ACL only source only defined.

As per my understand for this case extended ACL will play role..... Is there is any way specific source to destination permit in standard ACL.

Re: ASR-1009-X ssh all interface

balaji.bandi — Fri, 12 Jan 2024 15:21:45 GMT

in vty i used standard ACL only source only defined.

can you show us what ACL is that ?

below example onlu 192.168.10.100 will be allowed to SSH to device.

access-list 10 permit 192.168.10.100
!
line vty 0 4
access-class 10 in

you can also do other ACL (which i do not recomment)

you can have ACL and bind to interface where the traffic you looking to coming in for SSH request for the device. (best is VTY lines always).

Re: ASR-1009-X ssh all interface

MHM Cisco World — Fri, 12 Jan 2024 15:24:30 GMT

standard ACL is OK with direction IN it work
MHM

Re: ASR-1009-X ssh all interface

hslai — Sat, 13 Jan 2024 19:19:21 GMT

@Sureshbabu

If I understood correctly, you want to SSH to the network devices only via the management interfaces but not the others. The ACL that we associated with VTY lines can control the SSH clients that they would accept connections from. AFAIK IOS-XE has no option to bind or restrict SSH server port to specific IP address(es). As a result, even though BB considered it a bad idea, you would likely need to put ACL on the other interfaces or put ACL or firewall rule on some other network devices between you and these two network devices.

Re: ASR-1009-X ssh all interface

MHM Cisco World — Sat, 13 Jan 2024 22:43:09 GMT

I see this Q alot and I decide to test something in my mind and I was right
VTY is like interface when we apply ACL (standard) to specific VTY line and config other VTY without ACL we can Access !!!!!!
YES WE can
when we access to SW/R the first VTY line number use but what if this line not idle (still connect to some user)
the SW/R use other Line here the issue
when we config a gourp of VTY some with ACL and other without, and there line is still connect not idle we can access and Engineer claim the ACL not work.
NO it work but we need to tune the ACL and apply it to all VTY

below LAB VTY 0 use ACL and VTY 1 4 not use it

when I access via R2 I can access since ACL allow that
then I try access from R3 and also I can access because R1 will use second VTY line group 1 4 which is without ACL

Hope this Clear Issue of NON work ACL

MHM