08-10-2020 07:35 AM
I don't want to accept SSH logins via the main VRF Gig interfaces at all. I only want remote SSH via GIG 0, the mgmt interface, and the configured MGMT VRF. I have tried an ACL blocking SSH and applying it to an outside WWW-facing interface, but the trouble is it blocks all port 22 traffic flowing through the interface. Also, I realize I can create a source IP list ACL for access, but security wants SSH remote access totally off and not processing SSH logins, if possible, on the WWW-facing interface.
08-10-2020 08:30 AM - edited 08-10-2020 08:38 AM
Hello @pcweber ,
you can apply an ACL under line vty 0 4 (or whatever range you have) and define which source IP addresses are allowed to SSH to your device (when using a standard ACL in the access-class 11 in command).
As an alternative you can use an extended IP ACL that specifies the mgmt interface IP address as the only accepted destination.
Something like
access-list 122 permit tcp 10.10.10.0 0.0.0.255 host 10.20.20.25 eq 22
Warning: when you test ACLs on line vty, check the effects by opening additional SSH sessions to the device to avoid locking yourself out of it. Use the original session for all config changes and to check the current sessions with show users.
Edit:
you likely need an additional keyword
access-class 122 in vrf-also
see
Hope to help
Giuseppe
08-10-2020 08:52 AM
Changing this line below...
access-class 16 in vrf-also
to this line below achieved my goal! Thanks
access-class 16 in vrfname Mgmt-intf
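The complete vty restriction the thread converges on, written out as an added example (not configuration posted by anyone in the thread): the ACL names, the 10.10.10.0/24 admin subnet and the 10.20.20.25 mgmt address are assumed values, and GigabitEthernet0 is assumed to be the out-of-band port placed in the Mgmt-intf VRF.

```cisco
! Added example, not from the thread. Assumed values: VRF Mgmt-intf,
! mgmt interface GigabitEthernet0 at 10.20.20.25/24, admin subnet
! 10.10.10.0/24, ACL name MGMT-SSH, vty range 0-4.
vrf definition Mgmt-intf
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0
 description Out-of-band management; the only interface that should accept SSH
 vrf forwarding Mgmt-intf
 ip address 10.20.20.25 255.255.255.0
!
! Standard ACL: which source addresses may open a vty session at all.
! The explicit deny with log records refused attempts for the SOC.
ip access-list standard MGMT-SSH
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
ip ssh version 2
!
line vty 0 4
 transport input ssh
 ! Only sessions arriving through the Mgmt-intf VRF and matching MGMT-SSH
 ! are accepted; as the thread reports, sessions arriving on the global
 ! (WWW-facing) interfaces are refused at the vty rather than processed.
 access-class MGMT-SSH in vrfname Mgmt-intf
!
! Fallback for images that reject the vrfname keyword: pin the destination
! to the mgmt address with an extended ACL and apply it with vrf-also.
! access-list 122 permit tcp 10.10.10.0 0.0.0.255 host 10.20.20.25 eq 22
! line vty 0 4
!  access-class 122 in vrf-also
!
! Apply from an existing session, then open a second SSH session from the
! admin subnet via the mgmt address and one via a global interface; confirm
! with "show users" that only the first appears before saving the config.
```

The commented fallback is the extended-ACL approach from the accepted answer; it still relies on the ACL rather than the VRF to keep global-table sources out, so the first form is preferable where the platform supports it.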
08-12-2020 06:38 AM
FYI, I have found some models/versions of IOS don't have the below command.
access-class xx in vrfname Mgmt-intf