04-17-2023 08:43 AM
Hi Everyone, I am having trouble getting our switches to accept SSH connections, or any remote access, based on MAC addresses. Currently we have an extended ACL set that limits access by IP address. The only thing with this is that we have to remote into our desktops just to access site switches, even when we are onsite. So I was looking up how to create an ACL based on MAC address rather than IP, since each site has a different subnet. I could not find any documentation on this. Does this mean it is not possible? If you can point me in the right direction I would appreciate it. Thank you.
04-17-2023 08:49 AM
What does a MAC address give you in addition to IP?
04-17-2023 08:53 AM
I don't understand your question, sir.
04-17-2023 09:11 AM
Why are you looking for a MAC ACL? What makes an IP ACL unsuitable for you? Can you elaborate more?
Thanks
MHM
04-17-2023 10:25 AM
Oh thank you @MHM Cisco World. I can give my desktop a static IP easily, as it is not mobile. But I cannot give my laptop a static IPv4 address. We have 7 sites, all with different subnets for Wi-Fi. If I did set the laptop static, I would not have access to other sites, as the core router at each site will only see its assigned subnet. I.e., if I set a static address from one school's subnet, I will not be routable at another school, since it does not recognize the address. This is how it was created long before our department received laptops. Does that make sense? Do you know of any other way to secure access for the laptop?
04-17-2023 10:38 AM - edited 04-18-2023 02:49 AM
A MAC ACL in your network will not help you.
The IP is preserved the same along the whole path, except in the case where there is NATing.
The MAC address changes from one L3 hop to the other. So a MAC ACL is not the right solution.
What I think is to use L2TP and connect to the edge router via a public IP, and then use the L2TP private IP for SSH to the switches; this private IP is always the same and can be used in the ACL.
04-17-2023 09:03 AM
Are you looking for a dynamic VTY ACL? A remote switch would not know a remote MAC address, it would only be aware of the IP.
04-17-2023 10:21 AM - edited 04-17-2023 10:25 AM
Thank You @ahollifield . Would you have any other recommendations as to how to enable secure access for our laptop to SSH into the switches?
04-17-2023 11:08 AM
TACACS+ with MFA? And a VTY ACL containing only trusted management VLANs?
04-17-2023 11:12 AM
Thank You very much. I will be looking into this
04-18-2023 07:20 AM
If you have the option of using a jump box, you can limit the ACL on your management VLAN or management interface to this IP, and maybe a fallback subnet or IP in case your jump box is down.
04-17-2023 12:42 PM
We have a similar setup and went as ahollifield suggested: we made admin VLANs and just have them in the ACL. We only have 2 sites that admins are at, and remotely we just use a console cable, but it can be done either way. It is a bit of work making the admin VLANs and the rules to put you on them, but once it's set up it will be a lot easier in the long run.
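Putting the replies above together (a VTY ACL limited to a jump box plus trusted admin VLANs, and TACACS+ for authentication), here is an added IOS configuration example. It is not configuration from anyone in this thread, and every address and name in it is an assumption: admin VLAN subnets 10.1.99.0/24 through 10.7.99.0/24 (one per site), a jump box at 10.1.99.10, a TACACS+ server at 10.1.99.20, the shared key `TacacsKey1`, and the local fallback account `admin-fallback`.

```cisco
! Added example, not from the thread. All addresses, names and keys are
! assumed placeholders; substitute your own.
!
! Standard ACL for the VTY lines: the jump box first, then the admin VLAN
! at each of the 7 sites as a fallback if the jump box is down.
! Everything else is denied and logged so blocked attempts are visible.
ip access-list standard MGMT-ACCESS
 remark Jump box (preferred path)
 permit host 10.1.99.10
 remark Admin VLAN at each site (fallback)
 permit 10.1.99.0 0.0.0.255
 permit 10.2.99.0 0.0.0.255
 permit 10.3.99.0 0.0.0.255
 permit 10.4.99.0 0.0.0.255
 permit 10.5.99.0 0.0.0.255
 permit 10.6.99.0 0.0.0.255
 permit 10.7.99.0 0.0.0.255
 deny   any log
!
! AAA: authenticate and authorize VTY logins against TACACS+ and record
! sessions and privileged commands. MFA is enforced on the TACACS+ server
! side (for example by chaining it to an MFA provider), not on the switch.
! The local database is only consulted if the servers are unreachable.
aaa new-model
tacacs server TAC1
 address ipv4 10.1.99.20
 key TacacsKey1
aaa group server tacacs+ TAC-SERVERS
 server name TAC1
aaa authentication login VTY-AUTH group TAC-SERVERS local
aaa authorization exec VTY-AUTHZ group TAC-SERVERS local if-authenticated
aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 15 default start-stop group TAC-SERVERS
username admin-fallback privilege 15 secret ChangeMeLocally
!
! Only SSHv2, only from sources in the ACL, only via the TACACS+ method
! lists. An RSA key (crypto key generate rsa) must already exist for SSH.
ip ssh version 2
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 exec-timeout 10 0
```

Two practical checks before relying on this: apply the `access-class` from a session you keep open and then confirm a new SSH session from the jump box still works (and one from a non-admin subnet is refused), so a typo in the ACL cannot lock you out; and watch `show access-lists MGMT-ACCESS` and the `deny any log` messages for a while to catch any legitimate source you forgot. Note that `access-class` only filters who may reach the VTY lines; the per-user placement onto an admin VLAN that the post above mentions is a separate piece of work (for example 802.1X with dynamic VLAN assignment) and is not shown here.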