ASR - Restrict SSH access to management-interface (gi0)

Noble
Level 1

Hello,

I have an ASR router with multiple IP interfaces.  Is there any way to restrict SSH access to the management interface only (gigabit 0)?  As of now the router is reachable via any of the IP interfaces.  I know I can create access-lists and apply them to the interfaces, however there's a limitation in which the destination address in the ACL is not checked, therefore I'd be denying any SSH traffic ingress.

Thanks,

5 Replies

Richard Burts
Hall of Fame

I believe that you are talking about trying to use access-class on the vty with an extended access list. And it is true that using an extended access list that way does not check the destination address. I believe that there is a solution for your requirement using control plane policing, which I assume is supported on your platform. Here is a discussion about that which I hope you will find helpful:

https://community.cisco.com/t5/switching/restrict-ssh-and-telent-to-single-svi/td-p/2465495

HTH

Rick

Unable to assign a service-policy to the control plane, and unable to set the control-plane management-interface to the Gigabit0 interface.

When I found that discussion I hoped that it would be the solution for your requirements. Sorry that it does not work on your ASR. But the more I look at the documentation for control plane policing the less confident I am that it was the optimum solution. Perhaps what we are looking for is the management plane protection. I hope this link will provide helpful information about this:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_plcshp/configuration/xe-16/qos-plcshp-xe-16-book/qos-plcshp-mgt-pln-prt.html#task_1056386

HTH

Rick

CSCO12079629
Level 1

You will need to implement a control-plane 'Extended' ACL to block all SSH except to the MGMT Int. That way you don't need to apply the same ACL on all your interfaces. This ACL should also allow SNMP, SCP/FTP, ICMP, and whatever else you need for MGMT to the router CPU, with each traffic type getting a different ACL name. You then identify each ACL in a class map, then apply the class maps to a policy map and rate limit each type of traffic to the BW you see it historically using. You can choose to drop packets over that threshold, or lower their QoS markings, then apply that pmap to the control plane. Let me know if this helps...


jerem38
Level 1

Hi Noble,

I had the same problem.

I guess you want to bind the ssh service only to some specific interfaces. It makes sense particularly on an internet facing ASR!

For some reason, it seems Cisco never implemented this, even though it is a basic configuration you will find on any system.

I guess we should raise a feature request :)

I'm afraid you will have to go with control-plane ACL.
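Added example (not from any poster in this thread) of the control-plane ACL approach that the two replies above recommend, in IOS XE MQC syntax; it is the fallback for an ASR where the management-interface MPP command was not accepted on Gi0. The management address 192.0.2.1, the admin subnet 192.0.2.0/24 and the police rates are placeholders to replace with your own values.

```cisco
! Placeholders: 192.0.2.1 is the Gi0 management IP, 192.0.2.0/24 the admin subnet.
! CoPP ACLs are matched on source AND destination, unlike an extended ACL used
! with access-class on the vty, so SSH can be tied to the management address.
ip access-list extended COPP-SSH-MGMT
 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq 22
! Any other SSH aimed at the router (other interface addresses, other sources)
ip access-list extended COPP-SSH-OTHER
 permit tcp any any eq 22
ip access-list extended COPP-SNMP
 permit udp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
!
class-map match-all COPP-SSH-MGMT
 match access-group name COPP-SSH-MGMT
class-map match-all COPP-SSH-OTHER
 match access-group name COPP-SSH-OTHER
class-map match-all COPP-SNMP
 match access-group name COPP-SNMP
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
! Class order matters: the permitted SSH class must precede the catch-all SSH drop,
! because a packet is handled by the first class it matches.
policy-map COPP
 class COPP-SSH-MGMT
  police 128000 8000 conform-action transmit exceed-action drop
 class COPP-SSH-OTHER
  drop
 class COPP-SNMP
  police 64000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 32000 conform-action transmit exceed-action drop
 class class-default
!
control-plane
 service-policy input COPP
!
! Verification: per-class counters; the COPP-SSH-OTHER drop counter should
! increase when you test SSH against a non-management interface address.
! show policy-map control-plane input
```

Keep a source-based `access-class` on the vty lines as well, since the two mechanisms are independent and the vty filter still applies if the CoPP policy is ever removed.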