Beginner

How to allow SSH for one VLAN only?

Hi, consider you have these SVIs:

VLAN 10
VLAN 20
VLAN 30

How do you allow devices e.g. in VLAN 20 to connect to a switch with SSH, but disallow devices from other VLANs from establishing an SSH connection?

1 ACCEPTED SOLUTION

Sorry, I think I misunderstood your question.

If you would like to simply restrict users from VLAN20 to SSH to your device, a VTY ACL can do that:

ip access-list standard 10
 remark allow VLAN20 traffic
 permit 20.20.20.0 0.0.0.255
 remark all other source addresses hit the implicit deny at the end of the list

line vty 0 15
 access-class 10 in


2 REPLIES
Enthusiast

Hi,

Deploy a control-plane policy to restrict the control-plane traffic destined to the device itself.

Using IOS as an example:

ip access-list extended ssh-acl
 remark match incoming ssh traffic to vlan 20 SVI
 deny tcp any 20.20.20.0 0.0.0.255 eq 22
 remark match all other incoming ssh traffic
 permit tcp any any eq 22

! Under CoPP a 'permit' in the ACL places the packet in class SSH (where it is
! dropped); a 'deny' keeps it out of the class, so it falls to class-default.
class-map SSH
 match access-group name ssh-acl

policy-map CoPP
 class SSH
  drop
 class class-default

control-plane
 service-policy input CoPP
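As an added example (not code from the thread), a small Python evaluator that applies IOS wildcard-mask semantics to ACL 10 from the accepted solution and to ssh-acl from the CoPP reply above; the VLAN 10 and VLAN 30 subnets and the SVI addresses are assumptions. It shows that access-class tests the source address, whereas ssh-acl as written tests the destination SVI address, so a VLAN 10 host connecting to the VLAN 20 SVI is still admitted by that CoPP policy.

```python
import ipaddress

# Constructed addressing for the three SVIs in the question (assumption: VLAN n
# uses n.n.n.0/24 with the SVI at .1, matching the 20.20.20.0/24 the replies use).
SVI = {10: "10.10.10.1", 20: "20.20.20.1", 30: "30.30.30.1"}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Standard ACL 10 (accepted answer), applied with 'access-class 10 in':
# a standard ACL tests the SOURCE address only, and an unmatched packet hits
# the implicit deny at the end of the list.
def vty_acl_permits(src: str) -> bool:
    return wildcard_match(src, "20.20.20.0", "0.0.0.255")

# Extended ACL ssh-acl (CoPP reply): entries are (action, dst_base, dst_wildcard);
# the source is 'any' in both lines, so only the DESTINATION is tested.
SSH_ACL = [("deny", "20.20.20.0", "0.0.0.255"),
           ("permit", "0.0.0.0", "255.255.255.255")]

def copp_drops_ssh(src: str, dst: str) -> bool:
    """In CoPP a 'permit' places the packet in class SSH, whose action is drop;
    a 'deny' (or no match) leaves it to class-default, which allows it."""
    for action, base, wildcard in SSH_ACL:
        if wildcard_match(dst, base, wildcard):
            return action == "permit"
    return False

def evaluate(sessions):
    """Return (src, dst, allowed by ACL 10, allowed by CoPP) for each session."""
    return [(src, dst, vty_acl_permits(src), not copp_drops_ssh(src, dst))
            for src, dst in sessions]

if __name__ == "__main__":
    # Constructed sessions: a host in each VLAN opening SSH to two SVI addresses.
    sessions = [(f"{v}.{v}.{v}.50", SVI[t]) for v in (10, 20, 30) for t in (20, 30)]
    for src, dst, vty_ok, copp_ok in evaluate(sessions):
        print(f"{src:>14} -> {dst:<12} access-class: {'allow' if vty_ok else 'deny '}"
              f"  CoPP: {'allow' if copp_ok else 'drop '}")
```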