06-01-2022 05:53 AM
Dear All,
We have a Cisco core switch and want to limit SSH access to a specific SVI interface. At the moment we have a standard ACL configured to limit the source addresses that can access the core switch through SSH; in addition to that, we want only one of the SVIs to be accessible through SSH, and tried the configs below:
access-list 101 deny tcp any 172.21.100.0 0.0.0.255 eq 22
access-list 101 permit ip any any
Then on your layer 3 SVI, under the VLAN interface, apply it inbound or outbound:
Interface vlan 101
ip address 172.21.100.1 255.255.255.0
ip access-group 101 in
ip access-group 101 out
The above config was not successful, and I found the config below on the Cisco forum again:
access-list 100 permit tcp any host 192.168.100.1 eq telnet
access-list 100 permit tcp any host 192.168.100.1 eq 22
access-list 100 permit tcp any host 192.168.150.1 eq telnet
access-list 100 permit tcp any host 192.168.150.1 eq 22
access-list 100 permit tcp any host 192.168.200.1 eq telnet
access-list 100 permit tcp any host 192.168.200.1 eq 22
class-map match-any MGT_cm
match access-group 100
policy-map MGT_pm
class MGT_cm
drop
class class-default
control-plane
service-policy input MGT_pm
But I cannot execute the command "drop", and failed to limit SSH access to a specific SVI. Please advise on the issue.
Regards
06-01-2022 07:55 AM
Hi
"the above config was not successful AND found below config from Cisco forum again"
Honestly, this way of organizing the ACL is not good.
"
access-list 101 deny tcp any 172.21.100.0 0.0.0.255 eq 22
access-list 101 permit ip any any"
This means that you are denying everything from accessing your switch, and below you are allowing everything.
A better way is to identify who can access the switch, for example a management network, and then deny everything else.
But the problem with controlling management traffic to the switch is that you cannot do it on the SVI.
Apply this ACL to the VTY instead.
line vty 0 5
access-class 101 in
06-01-2022 11:00 AM
The suggestion by @Flavio Miranda to use access-class is the traditional approach to controlling who can have remote access. And my understanding of the original post suggests that they are probably already doing this "at the moment we've a standard ACL configured for limiting source addresses who can access core switch through ssh, in addition to that we wanted only one of the SVIs to be accessed through ssh"
What is unique (and difficult) in this is the desire to limit SSH access to a particular SVI. access-class is very good for limiting source addresses, but it cannot limit destination addresses for SSH.
I can think of 2 approaches to achieve this. I am sure that one will work, but it is very complicated. The other approach might or might not work depending on the platform.
1) On every layer 3 interface of the switch configure an inbound extended access list. The first statement of the ACL should permit SSH to the desired SVI address. Following that would be statements denying SSH to every IP assigned to any interface of the switch. Following that would be other permits and denies as appropriate (probably ending with permit ip any any).
2) You might be able to achieve the result with some type of Control Plane Policing if the platform supports this functionality.
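The following configuration is an added worked example of approach 1 above (plus approach 2 as a commented alternative); it is not from any post in this thread. It keeps the original poster's management SVI (Vlan101, 172.21.100.1) and treats the other SVI addresses (172.21.102.1, 172.21.103.1), the management source range 10.10.10.0/24 and the VTY line count as assumptions for illustration. The reason this works where the original ACL 101 did not: a packet addressed to the switch itself is evaluated by the inbound ACL of the interface it arrives on, while an outbound ACL never sees traffic destined to the switch; and ACL 101 as posted was only present on Vlan101, where it denied SSH to the whole 172.21.100.0/24 range, including the very SVI that was supposed to stay reachable.

```cisco
! Added example, not from the original thread. Assumptions: Vlan102/Vlan103
! addresses, the management source range 10.10.10.0/24 and "line vty 0 15".
!
! Source filtering stays on the VTY lines, as in the thread: it decides WHO
! may connect. The interface ACL below decides WHICH switch address may be
! connected to; the two are complementary, not alternatives.
ip access-list standard MGMT-SOURCES
 permit 10.10.10.0 0.0.0.255
!
line vty 0 15
 access-class MGMT-SOURCES in
 transport input ssh
!
! One extended ACL reused on every Layer 3 interface. Order matters: the
! first matching line wins.
!  1. allow SSH to the management SVI address
!  2. deny SSH to every other address the switch owns (add a line for every
!     SVI, routed port and loopback; any address you forget stays reachable)
!  3. let all other traffic through, otherwise the ACL breaks transit routing
ip access-list extended SSH-ONLY-VLAN101
 permit tcp any host 172.21.100.1 eq 22
 deny   tcp any host 172.21.102.1 eq 22
 deny   tcp any host 172.21.103.1 eq 22
 permit ip any any
!
! Applied inbound on every Layer 3 interface. Hosts in Vlan102 can still SSH
! to 172.21.100.1 (permitted by line 1) but not to their own gateway.
interface Vlan101
 ip address 172.21.100.1 255.255.255.0
 ip access-group SSH-ONLY-VLAN101 in
!
interface Vlan102
 ip address 172.21.102.1 255.255.255.0
 ip access-group SSH-ONLY-VLAN101 in
!
interface Vlan103
 ip address 172.21.103.1 255.255.255.0
 ip access-group SSH-ONLY-VLAN101 in
!
! Approach 2 (Control Plane Policing), only if the platform supports it.
! Here the ACL matches the UNWANTED sessions, and matching traffic is policed
! to drop. "police ... conform-action drop exceed-action drop" is the classic
! CoPP form used where a bare "drop" action under the class is not accepted.
! ip access-list extended SSH-TO-OTHER-SVIS
!  permit tcp any host 172.21.102.1 eq 22
!  permit tcp any host 172.21.103.1 eq 22
! class-map match-any SSH-TO-OTHER-SVIS-CM
!  match access-group name SSH-TO-OTHER-SVIS
! policy-map COPP-MGMT
!  class SSH-TO-OTHER-SVIS-CM
!   police 8000 conform-action drop exceed-action drop
!  class class-default
! control-plane
!  service-policy input COPP-MGMT
```

After applying either variant, test from a host in each VLAN: an SSH connection to 172.21.100.1 should complete while a connection to any other SVI address times out, and `show ip access-lists SSH-ONLY-VLAN101` should show the hit counts moving on the deny lines. Whichever approach you use, keep the access-class on the VTY lines; the interface or control-plane ACL limits the destination, but only access-class limits the source across every way the switch can be reached.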