Want SSH access to router only via MGMT VRF/ interface, no other interfaces

pcweber (Level 1)

I don't want to accept SSH logins via the main VRF Gig interfaces at all. I only want remote SSH via Gig 0, the mgmt interface, and the configured MGMT VRF. I have tried an ACL blocking SSH and applying it to an outside WWW-facing interface, but the trouble is it blocks all port 22 traffic flowing through the interface. Also, I realize I can create a source IP list ACL for access, but security wants SSH remote access totally off and, if possible, not processing SSH logins on the WWW-facing interface.

Accepted Solution

Giuseppe Larosa (Hall of Fame)

Hello @pcweber ,

you can apply an ACL under line vty 0 4 (or whatever you have) and define which source IP addresses are allowed to SSH to your device (when using a standard ACL, in the access-class 11 in command).

As an alternative you can use an extended IP ACL that specifies the mgmt interface IP address as the only accepted destination.


Something like

access-list 122 permit tcp 10.10.10.0 0.0.0.255 host 10.20.20.25 eq 22

Warning: when you make tests with ACLs on line vty, try the effects by opening additional SSH sessions to the device, to avoid locking yourself out of it. Use the original session for all config changes and to check the current sessions with show users.


Edit:

you likely need an additional keyword

access-class 122 in vrf-also


See

https://community.cisco.com/t5/switching/vty-acl-weird-behaviour-with-vrf-c7200-vxr/td-p/2214290?dtid=osscdc000283

Hope to help

Giuseppe



3 Replies


Changing this line below...

access-class 16 in vrf-also

to this line below achieved my goal! Thanks

access-class 16 in vrfname Mgmt-intf

FYI, I have found some models/versions of IOS don't have the below command.

access-class xx in vrfname Mgmt-intf
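Assembling the pieces from this thread into one configuration, as an added example that is not the original poster's or Giuseppe's config: the management subnet, the management interface address, the ACL name and the line range are assumptions, and Mgmt-intf is assumed to be the management VRF (it exists by default on IOS-XE routers with a dedicated GigabitEthernet0; on other platforms it may need to be defined, and as noted above some IOS versions lack the vrfname keyword).

```cisco
! Assumed management VRF (present by default on IOS-XE routers with a
! dedicated GigabitEthernet0 management port; define it on other platforms)
vrf definition Mgmt-intf
 address-family ipv4
 exit-address-family
!
! Out-of-band management interface in the management VRF (assumed address)
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.20.20.25 255.255.255.0
 no shutdown
!
! Extended ACL: only the assumed management subnet may reach the management
! address on TCP/22; the explicit final deny logs refused attempts
! (logging from access-class ACEs is platform dependent)
ip access-list extended VTY-MGMT-ONLY
 permit tcp 10.10.10.0 0.0.0.255 host 10.20.20.25 eq 22
 deny   ip any any log
!
ip ssh version 2
!
! vrfname limits the vty lines to sessions arriving through Mgmt-intf;
! sessions from global-table (WAN-facing) interfaces are never accepted
line vty 0 4
 transport input ssh
 access-class VTY-MGMT-ONLY in vrfname Mgmt-intf
 exec-timeout 10 0
!
! Verify from a second SSH session before closing the original one:
! show users
! show ip access-lists VTY-MGMT-ONLY
```

Without vrfname or vrf-also, access-class only admits sessions that arrive through the global routing table, which is why the plain form rejected management-VRF logins in the linked thread, and why the vrfname Mgmt-intf form is the one that confines SSH to the management VRF.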
