10-24-2020 05:33 AM - edited 10-24-2020 12:40 PM
Hi, consider you have these SVIs:
VLAN 10
VLAN 20
VLAN 30
How do you allow devices, e.g. in VLAN 20, to connect to a switch with SSH, but not allow devices from other VLANs to establish an SSH connection?
10-24-2020 06:00 AM
Hi,
Deploy a control plane policy to restrict the control plane traffic destined to the device itself.
Using IOS as an example:
ip access-list extended ssh-acl
 remark match incoming ssh traffic to vlan 20 SVI
 deny tcp any 20.20.20.0 0.0.0.255 eq 22
 remark match all other incoming ssh traffic
 permit tcp any any eq 22
class-map SSH
 match access-group name ssh-acl
policy-map CoPP
 class SSH
  drop
 class class-default
control-plane
 service-policy input CoPP
10-24-2020 06:53 AM
Sorry, I think I misunderstood your question.
If you would like to simply restrict users from VLAN20 to SSH to your device, a VTY ACL can do that:
ip access-list standard 10
 remark allow VLAN20 traffic
 permit 20.20.20.0 0.0.0.255
line vty 0 15
 access-class 10 in
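The following is an added example, not part of any post in this thread: a small Python check that evaluates the VTY ACL above against source addresses using IOS standard-ACL semantics (wildcard mask, first match wins, implicit deny at the end). The function names are hypothetical, and the VLAN 10 and VLAN 30 client addresses are constructed, since the thread only gives the VLAN 20 subnet.

```python
import ipaddress

# ACL 10 as posted in the thread (standard ACL: matches on source address only).
ACL_10 = """\
ip access-list standard 10
 remark allow VLAN20 traffic
 permit 20.20.20.0 0.0.0.255
"""

def parse_standard_acl(text):
    """Return ordered (action, base, wildcard) entries; header and remark lines are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        if tok[1] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif tok[1] == "host":
            base, wild = int(ipaddress.IPv4Address(tok[2])), 0
        else:
            base = int(ipaddress.IPv4Address(tok[1]))
            # A bare address with no wildcard mask matches that single host.
            wild = int(ipaddress.IPv4Address(tok[2])) if len(tok) > 2 else 0
        entries.append((tok[0], base, wild))
    return entries

def vty_allows(entries, src):
    """First match wins; wildcard bits set to 1 are 'don't care'. No match means implicit deny."""
    addr = int(ipaddress.IPv4Address(src))
    for action, base, wild in entries:
        if (addr | wild) == (base | wild):
            return action == "permit"
    return False

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_10)
    # Constructed sample clients; the VLAN 10 and VLAN 30 subnets are assumptions.
    for src in ("10.10.10.5", "20.20.20.5", "20.20.21.5", "30.30.30.5"):
        print(src, "permit" if vty_allows(acl, src) else "deny")
```

Because the access-class is applied to the vty lines, the result does not depend on which SVI address the client connects to, only on the client's source address.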