
9300 allow web interface and ssh from mgmt GigabitEthernet0/0 only

Kenneth McCoig
Level 1

Good evening-

We are in the process of setting up a 9300 access switch stack (IOS version 17.03) for the production network. Interface GigabitEthernet0/0 is connected to a completely separate management network that only IT is physically connected to. We do not want the users (VLAN 1) to have access to the web server, SSH, or SNMP. We only want these services to go through management. But I can't figure out the best way to implement this. Is there an easy one or two lines that would accomplish this? Like access-class under line vty for SSH? It seems so straightforward, but I've been staring at this for a while and I'm going braindead. Hoping someone can assist me. Thank you!

vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.10.10.10 255.255.255.0
 negotiation auto
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
line vty 0 4
 password 7 xxxx
 login
 transport input ssh
line vty 5 15
 password 7 xxxx
 login
 transport input ssh
!

1 Reply

balaji.bandi
Hall of Fame

If you want only OOB (out-of-band management) to have access to HTTPS and SSH on the device, you can do it with an ACL.

ip access-list standard OOB-ACL
 ! each entry can be a host or a network
 permit 10.10.10.X
 permit 10.10.10.X
!
line vty 0 4
 access-class OOB-ACL in vrf-also
! or, depending on the requirement:
 access-class OOB-ACL in

If you have HTTP running on the device, you can do it the same way:

ip http access-class XXXX

Is that what you are looking for?

BB
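Putting the reply together with the addresses from the question, here is a complete configuration as an added example (it is not from the original post or reply). It assumes the management hosts live in 10.10.10.0/24 behind GigabitEthernet0/0 in Mgmt-vrf and users in 10.0.0.0/24 on Vlan1, as in the question; the ACL name MGMT-ONLY, the SNMPv3 group and user names, and the secret placeholders are illustrative choices, not values from the thread.

```cisco
! Added example, not from the thread: limit SSH, HTTPS and SNMP on a
! Catalyst 9300 (IOS-XE 17.x) to the out-of-band network on Gi0/0 (Mgmt-vrf).
! Interface addresses come from the question; ACL/SNMP names are assumed.
!
! 1. Source ACL for management. Only 10.10.10.0/24 (the Gi0/0 subnet in
!    Mgmt-vrf) is allowed; anything else, including Vlan1 users in
!    10.0.0.0/24, is denied and logged so attempts are visible in syslog.
ip access-list standard MGMT-ONLY
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! 2. SSH only, SSHv2, local accounts. Apply the ACL to all 16 vty lines so
!    none is left unrestricted. "vrf-also" is required: without it, sessions
!    arriving on a VRF interface (Gi0/0 is in Mgmt-vrf) are refused.
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-ONLY in vrf-also
!
! 3. Web UI: disable plain HTTP, keep HTTPS, same source restriction.
!    "ip http access-class ipv4 <name>" is the named-ACL form on IOS-XE
!    16/17 (assumption for 17.03); older releases take a numbered ACL.
no ip http server
ip http secure-server
ip http authentication local
ip http access-class ipv4 MGMT-ONLY
!
! 4. SNMP: SNMPv3 with authentication and privacy, with the same ACL bound
!    to the group. Replace the <...> placeholders with real secrets.
snmp-server group MGMT-RO v3 priv access MGMT-ONLY
snmp-server user nms-user MGMT-RO v3 auth sha <auth-secret> priv aes 128 <priv-secret>
```

To verify, watch the hit counters with `show access-lists MGMT-ONLY` after attempting an SSH or HTTPS connection from a Vlan1 host (the `deny any log` entry should increment and a syslog line should appear) and from a management host (the `permit` entry should increment). Two caveats: the restriction is source-based, not interface-based, so it relies on the 10.0.0.0/24 and 10.10.10.0/24 ranges not being reachable from each other; and the standard ACL covers IPv4 only, so if IPv6 is enabled on Vlan1 an `ipv6 access-class` on the vty lines is needed as well.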
