Limiting SSH to Loopback Address Only

jmhouse96
Level 1

I am attempting to stop ssh to any IP on my switches except the loopback address. I have created a few different access lists and applied them as an access-class on the vty lines, but this just locks me out of the switch altogether.
Here is the issue: we have a vuln scanner that logs into our devices and provides a report of items found, but it keeps logging into the wrong interface, so the report does not include the DNS name of the device... I want to stop SSH into VLAN IPs or uplink IPs to get the more readable report, and when the scanner hits more than one address on the same device it reports the vulns for each IP address.
Below is an example of what I attempted; I was unable to access my test switch after the changes.
The point is to allow SSH only to the loopback interface, not initially to limit where it is coming from.
access-list 101 permit 22 any host 10.10.10.10
line vty 0 4
 access-class 101 in

I have done a few more variations but it does not seem to matter as soon as this goes on it blocks access to VTY lines. 
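To show why the posted line cannot match an SSH session, here is a small constructed evaluator for numbered extended IOS access-list lines (added example, not from the original post or from Cisco). It models only ACL line matching and the implicit deny, not how `access-class` applies the ACL on a vty; the `INTENDED` line and the sample packets are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed mini-evaluator for numbered extended IOS access-list lines: it models
# permit/deny, a protocol keyword or number, any/host/wildcard addresses, an
# optional 'eq <port>' after the destination, and the implicit deny. Nothing more.
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}
Packet = namedtuple("Packet", "proto src dst dport")   # proto = IP protocol number

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(t), _ip(tokens.pop(0)))

def _in(spec, addr):
    base, wildcard = spec       # IOS wildcard: set bits are "don't care"
    return (_ip(addr) & ~wildcard) == (base & ~wildcard)

def parse_line(line):
    tokens = line.split()
    assert tokens[0] == "access-list" and tokens[2] in ("permit", "deny")
    p = tokens[3]
    # A bare number in the protocol field is an IP protocol number (0-255), not a
    # TCP port: 'permit 22' matches IP protocol 22, never TCP port 22.
    proto = PROTO_NAMES[p] if p in PROTO_NAMES else int(p)
    rest = tokens[4:]
    src, dst = _addr(rest), _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": tokens[2], "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, pkt):
    """Action of the first matching line, else the implicit deny."""
    for r in map(parse_line, acl_lines):
        if (r["proto"] in (None, pkt.proto) and _in(r["src"], pkt.src)
                and _in(r["dst"], pkt.dst) and r["dport"] in (None, pkt.dport)):
            return r["action"]
    return "deny"

POSTED = ["access-list 101 permit 22 any host 10.10.10.10"]           # line from the post
INTENDED = ["access-list 101 permit tcp any host 10.10.10.10 eq 22"]  # assumed intent
SSH_TO_LOOPBACK = Packet(proto=6, src="192.0.2.50", dst="10.10.10.10", dport=22)
```

`evaluate(POSTED, SSH_TO_LOOPBACK)` falls through to the implicit deny because the packet is TCP (protocol 6), not IP protocol 22, while the `INTENDED` line permits it.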
