https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359226#M903052 <P>Hi</P> <P>By default, your device answer ssh connections from all the interfaces VLAN, you can restrict that by using ACL that prohibits incoming SSH in the interfaces you want to</P> Mon, 02 Apr 2018 19:59:59 GMT EduardR 2018-04-02T19:59:59Z https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359203#M903051 <P>Hi</P> <P>&nbsp;</P> <P>I am just reviewing one of our L3 cisco router and I am seeing there are 4 different VLAN interfaces configured with IP addresses (wireless , Data , Video , Management ) when I do ssh to this switch from my desktop I am able to use any of these IP addresses on the switch and ssh works fine . MY concern is if this is a security issue or is there any other way we can only ssh to certain IP address on the switch for security concern ?</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 21 Feb 2020 15:35:27 GMT https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359203#M903051 cyberops123 2020-02-21T15:35:27Z https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359226#M903052 <P>Hi</P> <P>By default, your device answer ssh connections from all the interfaces VLAN, you can restrict that by using ACL that prohibits incoming SSH in the interfaces you want to</P> Mon, 02 Apr 2018 19:59:59 GMT https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359226#M903052 EduardR 2018-04-02T19:59:59Z https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359237#M903053 <P>well only ACL for ssh I know is basically specifying individual hosts or networks that can access to my device and apply in under line vty connection&nbsp; . for example below is my current ssh configuration</P> <P>&nbsp;</P> <P>access-list 100 permit ip 10.1.x.0 0.0.255.255 any <BR />access-list 100 permit ip 10.x.x.0 0.0.0.255 any</P> <P>&nbsp;</P> <P>line vty 0 4 <BR />access-class 100 in <BR />exec-timeout 9 0 <BR />transport input ssh</P> <P>&nbsp;</P> <P>so as far as I know this will give access to those networks below to my network device . but I want to to use only one of the SVI interfaces for ssh , if there is any ssh attempt o other SVIs it should be denied .</P> <P>currently</P> <P>I have fallowing SVIs are availables below&nbsp;</P> <P>&nbsp;</P> <P>vlan 10 &nbsp; &nbsp; 10.2.0.1</P> <P>vlan 20&nbsp;&nbsp; &nbsp; 10.2.30.1</P> <P>vlan 30&nbsp;&nbsp;&nbsp;&nbsp; 10.2.40.1</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 02 Apr 2018 20:22:21 GMT https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359237#M903053 cyberops123 2018-04-02T20:22:21Z https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359243#M903054 <P>You can make an extended ACL pointing to the device IP like this:</P> <PRE>ip access-list extended NoSSH deny tcp host &lt;IP&gt; any eq 22 permit ip any any</PRE> <P>and apply it to each of the SVI, for example:</P> <PRE>ip access-list extended NoSSH deny tcp host 10.2.0.1 any eq 22 permit ip any any interface vlan 10 ip access-group NoSSH in</PRE> Mon, 02 Apr 2018 20:30:28 GMT https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359243#M903054 EduardR 2018-04-02T20:30:28Z https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359246#M903055 awesome thats exactly what I was asking . <BR /><BR />Thanks again Mon, 02 Apr 2018 20:39:56 GMT https://community.cisco.com/t5/network-security/ssh-access-to-layer-3-specific-interface/m-p/3359246#M903055 cyberops123 2018-04-02T20:39:56Z