Showing results for 
Search instead for 
Did you mean: 

SSH access to switches


Hi Everyone, I am having trouble getting our switches to accespt ssh connections, or any remote access, based off of mac addresses. Currently we have extended acl set that limits IP address access. The only thing with this is that we have to remote into our desktops just to access site switches, even when we are onsite. So I was looking up how to create acl based on mac address, rather than IP since each site has a different subnet. I could not find any documentation on this. Does this mean it is not possible? If you can point me in the right direction I would appreciate it. Thank You. 

11 Replies 11

what MAC address give you add to IP ?

I dont understand your question sir. 

Why you looking for mac acl, what make IP acl not suitable for you? Can you more elaborate. 



Oh thank you @MHM Cisco World . I can static my desktop easily. as it is not mobile. But I cannot static my Laptop ipv4 address. We have 7 sites all with different subnets for WIFI. If I did static the laptop, I would not have access to other sites as the Core Router at each site will only see its assigned subnet. IE if I static to one school subnet, I will not be routable at another school since it  does not recognize the address.  This is how it was created long before our department received laptops. Does that make sense? Do you know of any other way to secure access for the laptop>? 

Mac acl in your network not help you' 

The IP will preserve same all patg except case there is NATing

Mac add is change from one l3 to other. So mac acl is not right solution.

What I think is using l2tp and connect to edge router via public ip and then use l2tp private ip for ssh to sw's, this private IP is always use and can use in ACL.

Are you looking for a dynamic VTY ACL?  A remote switch would not know a remote MAC address, it would only be aware of the IP.

Thank You @ahollifield . Would you have any other recommendations as to how to enable secure access for our laptop to SSH into the switches? 

TACACS+ with MFA?  And a VTY ACL containing only trusted management VLANs?

Thank You very much. I will be looking into this

If you have the option of using a jumpbox, you can limit the ACL on your mgmt vlan or mgmt interface to this IP and maybe a fallback subnet or IP just in case your jump box is down.  

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

Dustin Anderson
Rising star
Rising star

We have similar and went as ahollifield suggested and made admin vlans and just have them in the ACL. We only have 2 sites that admins are at and remotely we just use a console cable, but can be done either way. A bit of work making admin vlans and rules to put you on them, but once it's set up will be a lot easier in the long run.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: