11-17-2017 02:42 AM - edited 03-01-2019 06:15 PM
Hello,
I have some Catalyst 3850s with many layer 3 SVIs.
I would like to prevent telnet and ssh management access to a specific interface VLAN (i.e. I don't want anybody to be able to telnet to the IP address of interface vlan 9).
Is there a way to do this?
Thanks
Johnny
11-17-2017 02:54 AM - edited 11-17-2017 02:58 AM
Hi there,
Apply an ACL to the VTY lines for inbound traffic:
!
access-list 101 deny tcp any host <vlan9_svi_ip> eq telnet
access-list 101 deny tcp any host <vlan9_svi_ip> eq ssh
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ssh
!
line vty 0 15
 access-class 101 in
!
cheers,
Seb.
11-17-2017 12:09 PM
While the suggestion from Seb seems logical, the reality is that it will not work. access-class can control based on the source address of an incoming request, but access-class does not control based on the destination address used in the request. Another thing about access-class is that it is designed to work with standard access lists and not extended access lists. It will work with an extended access list, but only if the extended access list specifies any as the destination address. Specifying the destination address as the address of vlan 9 will not work.
If you want to prevent any access using the address of vlan 9 as the destination, then you would need to configure an access list inbound on every layer 3 interface of the switch, and in that access list you could deny telnet and ssh if the destination address was the address of vlan 9. It would be complex and tedious, but it would achieve the result. It might be possible to control telnet and ssh access based on interface using Control Plane Policing (if the 3850 supports this).
HTH
Rick
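The per-interface approach Rick describes is tedious by hand, so here is an added example (not from the thread or from Cisco) that generates the configuration: an extended ACL denying TCP 22 and 23 to the Vlan9 address, applied inbound on every layer 3 interface, plus an audit helper that reports any interface the ACL was not applied to. The interface names, the address 10.9.0.1 and ACL number 110 are assumed for illustration; substitute your own SVIs and the real Vlan9 address.

```python
"""Generate the per-interface ACL described above and audit its coverage.

Added example, not code from the original thread. The SVI list, the Vlan9
address 10.9.0.1 and ACL number 110 are constructed/assumed values.
"""
from ipaddress import ip_address

# Constructed inputs: a few SVIs on the 3850 and the address of interface Vlan9.
SVI_INTERFACES = ["Vlan9", "Vlan10", "Vlan20", "Vlan30"]
VLAN9_IP = "10.9.0.1"
ACL_NUMBER = 110

MGMT_TCP_PORTS = {"ssh": 22, "telnet": 23}


def build_acl(acl_number, target_ip):
    """Extended numbered ACL: deny SSH/Telnet to target_ip, permit everything else.

    The closing 'permit ip any any' is essential: an extended ACL ends with an
    implicit deny, so without it the ACL would drop all routed traffic on the
    interfaces it is applied to, not just management sessions to Vlan9.
    """
    ip = str(ip_address(target_ip))  # raises ValueError on a malformed address
    lines = [f"access-list {acl_number} remark block mgmt sessions to Vlan9 SVI {ip}"]
    for port in sorted(MGMT_TCP_PORTS.values()):
        lines.append(f"access-list {acl_number} deny tcp any host {ip} eq {port}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def apply_inbound(acl_number, interfaces):
    """Apply the ACL inbound on every layer 3 interface, Vlan9 itself included.

    Inbound is the direction that matters: the request enters on some SVI with
    the Vlan9 address as its destination, and an inbound router ACL is checked
    before the packet reaches the switch's own control plane.
    """
    lines = []
    for intf in interfaces:
        lines += [f"interface {intf}", f" ip access-group {acl_number} in"]
    return lines


def generate_config(interfaces, target_ip, acl_number=ACL_NUMBER):
    """Full config snippet: ACL definition followed by the per-interface application."""
    return build_acl(acl_number, target_ip) + apply_inbound(acl_number, interfaces)


def unprotected_interfaces(config_lines, interfaces, acl_number=ACL_NUMBER):
    """Return the interfaces from `interfaces` that lack the inbound ACL.

    The scheme only works if no layer 3 interface is missed: a single SVI
    without the ACL is still a path to the Vlan9 address.
    """
    protected = set()
    current = None
    for line in config_lines:
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
        elif current and line.strip() == f"ip access-group {acl_number} in":
            protected.add(current)
    return [i for i in interfaces if i not in protected]


if __name__ == "__main__":
    config = generate_config(SVI_INTERFACES, VLAN9_IP)
    print("\n".join(config))
    print("! missing:", unprotected_interfaces(config, SVI_INTERFACES) or "none")
```

The audit helper is there because the weak point of this approach is coverage, not syntax: run `unprotected_interfaces` against the list of every layer 3 interface on the box (including any routed ports, not only SVIs) before trusting that Vlan9 is unreachable. It does not replace a source-based `access-class` on the VTY lines; the two address different things and can be combined.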