
Preventing telnet and ssh management access from a specific SVI interface Cat 3850

l.buschi
Level 2

Hello,

i have some Catalyst 3850 with many layer 3 SVI.

I would like to prevent telnet and ssh management access to a specific interface VLAN (i.e. I don't want anybody to be able to telnet to the IP address of interface vlan 9).

Is there a way to do this?

 

Tks

Johnny

 

3 Replies

Seb Rupik
VIP Alumni

Hi there,

Apply an ACL to the VTY lines for inbound traffic:

!
access-list 101 deny tcp any host <vlan9_svi_ip> eq telnet
access-list 101 deny tcp any host <vlan9_svi_ip> eq ssh
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ssh
!
line vty 0 15
 access-class 101 in
!

 

cheers,

Seb.

You could also use the new feature called MPP, as it's IOS-XE.

https://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html It forces management traffic in over a specific interface.

#show management-interface
Management interface GigabitEthernet0/0/0.226
Protocol Packets processed
https 0
ssh 1160
snmp 122

While the suggestion from Seb seems logical the reality is that it will not work. access-class can control based on the source address for an incoming request. But access-class does not control based on the destination address used in the request. Another thing about access-class is that it is designed to work with standard access list and not extended access list. It will work with an extended access list but only if the extended access list specifies any as the destination address. Specifying the destination address as the address of vlan 9 will not work.

 

If you want to prevent any access using the address of vlan 9 as the destination then you would need to configure an access list inbound on every layer 3 interface of the switch and in that access list you could deny telnet and ssh if the destination address was the address of vlan 9. It would be complex and tedious but it would achieve the result. It might be possible to control telnet and ssh access based on interface using Control Plane Policing (if the 3850 supports this).

 

HTH

 

Rick

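The per-interface ACL approach Rick describes, written out as an added configuration example (not from any of the posts in this thread). It assumes the VLAN 9 SVI address is 192.0.2.9, that the switch also has SVIs for VLANs 10 and 20, and that management stations live in 198.51.100.0/24; all three values are placeholders.

```cisco
! Added example. Placeholder addresses: VLAN 9 SVI = 192.0.2.9,
! management subnet = 198.51.100.0/24.
!
! Destination-based filter: drop Telnet (23) and SSH (22) only when the
! destination is the VLAN 9 SVI address; every other packet is untouched.
ip access-list extended BLOCK-MGMT-TO-VLAN9
 remark Block Telnet/SSH whose destination is the VLAN 9 SVI
 deny   tcp any host 192.0.2.9 eq 23
 deny   tcp any host 192.0.2.9 eq 22
 remark Everything else, including Telnet/SSH to other SVI addresses, passes
 permit ip any any
!
! Apply it inbound on every Layer 3 interface, VLAN 9 included. Traffic that
! enters through an interface without the ACL still reaches the SVI address.
interface Vlan9
 ip access-group BLOCK-MGMT-TO-VLAN9 in
interface Vlan10
 ip access-group BLOCK-MGMT-TO-VLAN9 in
interface Vlan20
 ip access-group BLOCK-MGMT-TO-VLAN9 in
!
! The VTY access-class stays as the source-based control: it limits which
! hosts may open a session at all, regardless of which SVI address they use.
ip access-list standard MGMT-SOURCES
 permit 198.51.100.0 0.0.0.255
line vty 0 15
 access-class MGMT-SOURCES in
```

After a test connection attempt, "show access-lists BLOCK-MGMT-TO-VLAN9" shows hit counts on the two deny entries, which confirms the filter is matching on the interface the session entered through.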
