Locking access to SSH on Cisco SDWAN

Is there a way to lock down management access to a Cisco SDWAN device, similar to using access lists on VTY ports on IOS routers? We are trying to harden our vEdge 1000s.

Thanks,

As on IOS routers, ACLs can also be configured and applied to vEdge WAN interfaces for access control.

It could be something like this.

policy
 access-list AllowManagement
  sequence 10
   match
    source-ip (Source IP for SSH Management)
   !
   action accept
    count ManagementPackets
   !
  !
  sequence 20
   match
    destination-port 22
   !
   action drop
    count ssh_drop
   !
  !
  default-action accept
 !
!

------------------------

vpn 0
 interface ge0/0
  description "Wan Interface"
  access-list AllowManagement in
 !
!

-------------------------------------

Please check the following URL for more detail.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/config-cmd.html#wp4108860411
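As an added illustration (not part of either reply), the following Python model evaluates the AllowManagement access-list from the reply above with first-match semantics, using a constructed 198.51.100.0/24 in place of the "(Source IP for SSH Management)" placeholder. It shows that sequence 10 accepts all traffic from the management prefix, not only SSH, and that swapping the two sequences would drop management SSH as well; the class names and sample packets are assumptions, and the tunnel-interface allow-service gate is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a vEdge access-list: sequences are tried in order, the
# first match decides, and default-action applies when nothing matches. Names
# are assumptions for illustration; the allow-service gate is not modelled.

@dataclass
class Sequence:
    seq: int
    action: str                          # "accept" or "drop"
    source_prefix: Optional[str] = None  # match source-ip
    dst_port: Optional[int] = None       # match destination-port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.source_prefix is not None and \
                ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source_prefix):
            return False
        return self.dst_port is None or dst_port == self.dst_port

@dataclass
class AccessList:
    name: str
    sequences: List[Sequence]
    default_action: str = "accept"

    def evaluate(self, src_ip: str, dst_port: int) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence number or None for default-action)."""
        for s in sorted(self.sequences, key=lambda s: s.seq):
            if s.matches(src_ip, dst_port):
                return s.action, s.seq
        return self.default_action, None

# Constructed stand-in for the "(Source IP for SSH Management)" placeholder.
MGMT_PREFIX = "198.51.100.0/24"

# Ordering from the reply: management source accepted first, then SSH dropped.
allow_management = AccessList("AllowManagement", [
    Sequence(10, "accept", source_prefix=MGMT_PREFIX),
    Sequence(20, "drop", dst_port=22),
])

# Same sequences with the order swapped: the drop now shadows the accept, so
# SSH from the management prefix is dropped as well (self-lockout).
swapped = AccessList("AllowManagement-swapped", [
    Sequence(10, "drop", dst_port=22),
    Sequence(20, "accept", source_prefix=MGMT_PREFIX),
])
```

Calling allow_management.evaluate("203.0.113.9", 22) returns ("drop", 20), while swapped.evaluate("198.51.100.7", 22) returns ("drop", 10), which is the lockout case.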


By default, TLS and IPsec are the only protocols allowed on the transport side, apart from the protocols the vEdge needs for ZTP/PnP Connect. Given this, the device is in "lockdown" even after deployment unless a policy on vManage has SSH services permitted.

Check "Serviceability for Next Generation SD-WAN - BRKCRS-2112" at 1:12:44 on Cisco Live as well.

! From vEdge Default Configuration reference from Cisco
vpn 0
 interface ge2/0
  ip dhcp-client
  tunnel-interface
   encapsulation ipsec
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
  !
  no shutdown
 !
!
vpn 512
 interface mgmt0
  ip address 192.168.1.1/24
  no shutdown
 !
!

Hope this helps, Tim. :)