Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3710
Views
1
Helpful
5
Replies

ASR - Restrict SSH access to management-interface (gi0)

Noble
Level 1
Level 1

‎09-10-2019 08:37 AM

Hello,

 

I have an ASR router with multiple IP interfaces.  Is there any way to restrict SSH access to the management interface only (gigabit 0)?  As of now the router is reachable via any of the IP interfaces.  I know I can create access-lists an apply it to the interfaces, however there's a limitation in which the destination address in the ACL is not checked, therefore I'd be denying any SSH traffic ingress.

 

Thanks,

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

‎09-10-2019 09:00 AM

I believe that you are talking about trying to use access-class on the vty with an extended access list. And it is true that using an extended access list that way does not check the destination address. I believe that there is a solution for your requirement using control plane policing, which I assume is supported on your platform. Here is a discussion about that which I hope you will find helpful:

https://community.cisco.com/t5/switching/restrict-ssh-and-telent-to-single-svi/td-p/2465495

 

HTH

 

Rick

HTH

Rick
0 Helpful

Noble
Level 1
Level 1
In response to Richard Burts

‎09-10-2019 10:33 AM

Unable to assign a service-policy to the control plane, and unable to set the control-plane management-interface to the Gigabit0 interface.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Richard Burts

‎09-10-2019 11:17 AM

When I found that discussion I hoped that it would be the solution for your requirements. Sorry that it does not work on your ASR. But the more I look at the documentation for control plane policing the less confident I am that it was the optimum solution. Perhaps what we are looking for is the management plane protection. I hope this link will provide helpful information about this:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_plcshp/configuration/xe-16/qos-plcshp-xe-16-book/qos-plcshp-mgt-pln-prt.html#task_1056386

 

HTH

 

Rick

HTH

Rick
0 Helpful

CSCO12079629
Level 1
Level 1

‎04-21-2020 10:23 AM

You will need to implement a control-plane 'Extended' ACL to block all SSH but to the MGMT Int. That way you don't need to apply the same ACL on all your interfaces. This ACL should also allow SNMP, SCP/FTP, ICMP, and whatever else you need for MGMT to the router CPU with each traffic type getting a different ACL name. You then identify each ACL in a class maps, then apply the class maps to a policy map and rate limit each type of traffic for the BW you see it historically using. You can choose to drop packets over that threshold, or lower their QOS markings, then apply that pmap to the control plane. Let me know if this helps...

 

 

0 Helpful

jerem38
Level 1
Level 1

‎04-22-2020 01:14 AM

Hi Noble,

 

I had the same problem.

I guess you want to bind ssh service only to some specific interfaces. It makes sense particularly on an internet facing ASR !

For any reason, it seems Cisco never implemented this, even if it is a basic configuration you will find on any system.

I guess we should raise a feature request :)

 

I'm afraid you will have to go with control-plane ACL.

Customers Also Viewed These Support Documents