https://community.cisco.com/t5/network-security/security-design-question/m-p/2780766#M915966 <P>Hello,</P> <P></P> <P></P> <P>Before I say something out of turn can anyone tell me a valid reason that someone would assign a public IP address to an interface on a 6800 that is a core switch? SSH is also open from the outside to any IP address. &nbsp;True you have to authenticate but this still seems like a bad design to me.</P> <P></P> <P></P> <P></P> <P>All replies rated. &nbsp;Thanks</P> Fri, 21 Feb 2020 13:37:43 GMT angel-moon 2020-02-21T13:37:43Z https://community.cisco.com/t5/network-security/security-design-question/m-p/2780766#M915966 <P>Hello,</P> <P></P> <P></P> <P>Before I say something out of turn can anyone tell me a valid reason that someone would assign a public IP address to an interface on a 6800 that is a core switch? SSH is also open from the outside to any IP address. &nbsp;True you have to authenticate but this still seems like a bad design to me.</P> <P></P> <P></P> <P></P> <P>All replies rated. &nbsp;Thanks</P> Fri, 21 Feb 2020 13:37:43 GMT https://community.cisco.com/t5/network-security/security-design-question/m-p/2780766#M915966 angel-moon 2020-02-21T13:37:43Z https://community.cisco.com/t5/network-security/security-design-question/m-p/2780767#M915975 <P>Hi&nbsp;<A href="https://supportforums.cisco.com/users/angel-moon" title="View user profile." class="username" lang="" about="/users/angel-moon" typeof="sioc:UserAccount" property="foaf:name" datatype="">angel-moon</A>, &nbsp;</P> <P></P> <P>The 6800 series can run on layer 3 mode and perfom routing tasks, so I would think not only as a switch but also a router device. &nbsp;</P> <P></P> <P>Having SSH open on the outside can be consider as a security risk, the best practices included add an ACL to the VTY line, enforece the AAA polices of the authentication and use up-to-date software to avoid possible bugs or exploits that might affect your device.&nbsp;</P> <P></P> <P>If this device have a public IP on it, you can perform security scanners to check possible open ports or &nbsp;vulnerabilities, NMAP and KALI are very popular those days to perform the task.&nbsp;</P> <P></P> <P>Hope it helps</P> <P>-Randy-</P> Mon, 30 Nov 2015 23:44:28 GMT https://community.cisco.com/t5/network-security/security-design-question/m-p/2780767#M915975 rvarelac 2015-11-30T23:44:28Z https://community.cisco.com/t5/network-security/security-design-question/m-p/2780768#M915979 <PRE class="prettyprint">Hello,Before I say something out of turn can anyone tell me a valid reason that someone would assign a public IP address to an interface on a 6800 that is a core switch? SSH is also open from the outside to any IP address. &nbsp;True you have to authenticate but this still seems like a bad design to me.All replies rated. &nbsp;Thanks</PRE> <P>Hello ,</P> <P>It all depends on your design , if 6800 core switch is acting as peer device with internet facing router then you would require to have connection with Public ip.</P> <P>I would recommend not to open up SSH from Public interface , As we never follow this practice in our DC's. Rather we give access once engineer has gained via SSL VPN or remote to site VPNs.</P> <P>I would also suggest to do hardening of this devices and try to have firewall in between Public internet and this switch.</P> <P>Hope it Helps..</P> <P>-GI</P> <P>Rate if it Helpss</P> Tue, 01 Dec 2015 16:00:54 GMT https://community.cisco.com/t5/network-security/security-design-question/m-p/2780768#M915979 Ganesh Hariharan 2015-12-01T16:00:54Z