cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2056
Views
0
Helpful
2
Replies

Locking access to SSH on Cisco SDWAN

Tim_J_RC
Level 1
Level 1

Is there a way to lockdown management access to a Cisco SDWAN device similiar to using Access lists on VTY ports on IOS routers?   We are trying to harden our vEdges 1000's.    

 

Thanks,

 

2 Replies 2

Like in IOS routers ACLs can also be configured and applied to vEdges WAN interfaces for Access Control.

 

Could be something like this.

policy 

access-list AllowManagement
sequence 10
match
source-ip  (Source IP for SSH Management)
!
action accept
count ManagementPackets
!
!
sequence 20
match
destination-port 22
!
action drop
count ssh_drop
!
!
default-action accept

------------------------

 

vpn 0
interface ge0/0

description "Wan Interface"
access-list AllowManagement in

 

-------------------------------------

Please check the following URL for more detail.

 

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/config-cmd.html#wp4108860411

Jayson Velasco
Level 1
Level 1

By default, TLS and IPSec are the only ones allowed on the Transport side, for example, apart from protocols vEdge needs for ZTP/PnP Connect. Given this, the device is in "lockdown" even after deployment unless a policy on vManage has SSH services permitted.

Check "Serviceability for Next Generation SD-WAN - BRKCRS-2112" at 1:12:44 in Cisco Live as well.

 

! From vEdge Default Configuration reference from Cisco
vpn 0
interface ge2/0
  ip dhcp-client
  tunnel-interface
   encapsulation ipsec
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
  !
  no shutdown
 !
!
vpn 512
interface mgmt0
  ip address 192.168.1.1/24
  no shutdown
!

Hope this helps, Tim. :)