ASR-1009-X ssh all interface

Sureshbabu
Level 1

Hi,

I have an ASR-1009-X and a C9K, both connected with OSPF, and the LAN segment L3 is on the C9K.

The ASR and C9K are both in OSPF and the LAN segment is advertised in OSPF.

When I take SSH through the p2p interface IP, both devices are accessible from my LAN. The requirement is that SSH should happen through the mgmt interface only.

But I have an ACL in line vty 0 4 on my ASR and C9K, with transport input ssh and output none only. Still I'm getting SSH on the p2p interface IP.

Kindly suggest.

Accepted Solution

I see this Q a lot and I decided to test something I had in mind, and I was right.
VTY is like an interface: when we apply an ACL (standard) to a specific VTY line and configure the other VTYs without an ACL, we can access!!!!!!
YES WE can.
When we access the SW/R the first VTY line number is used, but what if this line is not idle (still connected to some user)?
The SW/R uses another line; here is the issue.
When we configure a group of VTYs, some with an ACL and others without, and their line is still connected, not idle, we can access and the engineer claims the ACL does not work.
NO, it works, but we need to tune the ACL and apply it to all VTYs.

Below LAB: VTY 0 uses the ACL and VTY 1 4 does not use it.

When I access via R2 I can access since the ACL allows that.
Then I try to access from R3 and I can also access because R1 will use the second VTY line group 1 4, which is without the ACL.

Hope this clears the issue of the NON-working ACL.

MHM

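An added check, written for this thread and not Cisco tooling or the poster's own lab, that reads a running-config and lists the VTY lines that accept sessions with no inbound access-class, which is the gap the accepted solution describes (and the reason the ACL in BB's example must cover vty 0 4 as one range). The config fragment is constructed to mirror the lab: VTY 0 protected, VTY 1 4 not.

```python
import re

# Constructed running-config fragment (not from the thread): VTY 0 carries
# the access-class but the "line vty 1 4" stanza does not.
SAMPLE_CONFIG = """\
access-list 10 permit 192.168.10.100
!
line vty 0
 access-class 10 in
 transport input ssh
line vty 1 4
 transport input ssh
"""

def parse_vty_stanzas(config):
    """Return one dict per 'line vty' stanza: first/last line number and the
    inbound access-class ACL name, or None when the stanza has none."""
    stanzas = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"first": first, "last": last, "acl": None}
            stanzas.append(current)
            continue
        if current is not None and line.startswith(" "):
            # Sub-command of the current line stanza.
            m = re.match(r"^\s+access-class (\S+) in(?: vrf-also)?$", line)
            if m:
                current["acl"] = m.group(1)
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the stanza
    return stanzas

def unprotected_vty_lines(config):
    """VTY line numbers that a client could land on with no inbound ACL applied."""
    unprotected = []
    for s in parse_vty_stanzas(config):
        if s["acl"] is None:
            unprotected.extend(range(s["first"], s["last"] + 1))
    return unprotected

if __name__ == "__main__":
    gaps = unprotected_vty_lines(SAMPLE_CONFIG)
    print("VTY lines without access-class in:", gaps or "none")
```

Run it against the output of show running-config from each device; any line number it reports is one the second, third, or later SSH session can fall onto without the ACL being consulted.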

6 Replies

Share the ACL you use for VTY and the IP you use to access.

MHM

In VTY I used a standard ACL, with only the source defined.

As per my understanding, for this case an extended ACL will play a role..... Is there any way to permit a specific source to destination in a standard ACL?

In VTY I used a standard ACL, with only the source defined.

Can you show us what ACL that is?

In the example below only 192.168.10.100 will be allowed to SSH to the device.

access-list 10 permit 192.168.10.100
!
line vty 0 4
access-class 10 in

You can also do another ACL (which I do not recommend):

You can have an ACL and bind it to the interface where the SSH request traffic for the device comes in (the best is VTY lines, always).

BB


A standard ACL is OK; with direction IN it works.
MHM

hslai
Cisco Employee

@Sureshbabu 

If I understood correctly, you want to SSH to the network devices only via the management interfaces but not the others. The ACL that we associated with VTY lines can control the SSH clients that they would accept connections from. AFAIK IOS-XE has no option to bind or restrict SSH server port to specific IP address(es). As a result, even though BB considered it a bad idea, you would likely need to put ACL on the other interfaces or put ACL or firewall rule on some other network devices between you and these two network devices.
