09-10-2019 08:37 AM
Hello,
I have an ASR router with multiple IP interfaces. Is there any way to restrict SSH access to the management interface only (gigabit 0)? As of now the router is reachable via any of the IP interfaces. I know I can create access-lists and apply them to the interfaces; however, there's a limitation in which the destination address in the ACL is not checked, therefore I'd be denying all ingress SSH traffic.
Thanks,
09-10-2019 09:00 AM
I believe that you are talking about trying to use access-class on the vty with an extended access list. And it is true that using an extended access list that way does not check the destination address. I believe that there is a solution for your requirement using control plane policing, which I assume is supported on your platform. Here is a discussion about that which I hope you will find helpful:
https://community.cisco.com/t5/switching/restrict-ssh-and-telent-to-single-svi/td-p/2465495
HTH
Rick
09-10-2019 10:33 AM
Unable to assign a service-policy to the control plane, and unable to set the control-plane management-interface to the Gigabit0 interface.
09-10-2019 11:17 AM
When I found that discussion I hoped that it would be the solution for your requirements. Sorry that it does not work on your ASR. But the more I look at the documentation for control plane policing the less confident I am that it was the optimum solution. Perhaps what we are looking for is the management plane protection. I hope this link will provide helpful information about this:
HTH
Rick
04-21-2020 10:23 AM
You will need to implement a control-plane 'Extended' ACL to block all SSH except to the MGMT Int. That way you don't need to apply the same ACL on all your interfaces. This ACL should also allow SNMP, SCP/FTP, ICMP, and whatever else you need for MGMT to the router CPU, with each traffic type getting a different ACL name. You then identify each ACL in a class map, apply the class maps to a policy map, and rate limit each type of traffic to the BW you see it historically using. You can choose to drop packets over that threshold, or lower their QoS markings, then apply that pmap to the control plane. Let me know if this helps...
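The CoPP approach described in the post above, written out as an added example (it is not configuration from the poster or from Cisco documentation). It assumes IOS-XE style MQC syntax, a hypothetical management address 192.0.2.10 on GigabitEthernet0, and a hypothetical admin subnet 198.51.100.0/24; the policer rates are placeholders to be tuned to observed traffic as the post recommends. SSH is selected by a permit ACL and dropped unless it is addressed to the management IP; everything else falls into class-default and is forwarded unchanged.

```cisco
! Added example, not from the original thread. Addresses are hypothetical.
! 1. Select SSH that is allowed: admin subnet -> management IP only.
ip access-list extended COPP-SSH-ALLOW
 remark assumed admin subnet 198.51.100.0/24, assumed mgmt IP 192.0.2.10 on Gig0
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
!
! 2. Select every other SSH packet punted to the control plane (any interface,
!    any destination address owned by the router).
ip access-list extended COPP-SSH-DENY
 permit tcp any any eq 22
!
! 3. One class per ACL. Classes are evaluated in policy-map order, so the
!    allow class must come before the catch-all deny class.
class-map match-all COPP-SSH-ALLOW-CLASS
 match access-group name COPP-SSH-ALLOW
class-map match-all COPP-SSH-DENY-CLASS
 match access-group name COPP-SSH-DENY
!
! 4. Police allowed SSH to a sane rate; drop all other SSH regardless of rate.
!    class-default carries SNMP, routing protocols, ICMP, etc. untouched.
policy-map COPP-POLICY
 class COPP-SSH-ALLOW-CLASS
  police 64000 conform-action transmit exceed-action drop
 class COPP-SSH-DENY-CLASS
  police 8000 conform-action drop exceed-action drop
 class class-default
!
! 5. Attach to the control plane (inbound to the CPU).
control-plane
 service-policy input COPP-POLICY
```

Verify with `show policy-map control-plane input` while attempting SSH to a non-management interface address: the deny class counters should increment and the session should time out, while SSH to 192.0.2.10 succeeds and counts against the allow class. Keep `access-class` on the vty lines as well; it cannot check the destination, but it still limits source addresses if the CoPP policy is ever removed. Note that on platforms whose dedicated management port bypasses the forwarding engine, traffic arriving on that port may not hit this policy at all; that does not break the intent here, but it is worth confirming on your hardware rather than assuming.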
04-22-2020 01:14 AM
Hi Noble,
I had the same problem.
I guess you want to bind ssh service only to some specific interfaces. It makes sense particularly on an internet facing ASR !
For whatever reason, it seems Cisco never implemented this, even though it is a basic configuration you will find on any system.
I guess we should raise a feature request :)
I'm afraid you will have to go with control-plane ACL.