SSH Access On Specific IP

Hi,

I have configured 10 interface VLANs on my Cisco core switch 6509.

However, I want my users to SSH to it on the management IP only. SSH access on the other IPs (defined for each interface VLAN) should be blocked by the switch.

Kindly suggest how to configure this.

Thanks in advance.

The easiest way to achieve that is to bind an access-list to your vty line. This access-list is normally a standard ACL, but this time you use an extended ACL that uses your management IP as the destination:

EDIT: No, that doesn't work as proposed! Please see the other posts.

ip access-list extended MGMT-TRAFFIC
 permit tcp SOURCE-NET host 10.10.10.10 eq 22
!
line vty 0 4
 access-class MGMT-TRAFFIC in

In this example SOURCE-NET is the IP network where your management traffic comes from and 10.10.10.10 is the management IP on your device.



Thanks Karsten for the reply. It is a great help.

Uwe Siegrist
Level 1

Karsten, have you tried this before?

I'm having this problem all the time and I think it's not working. I think I read years ago that you can't use the destination part of an extended ACL in your line vty context. I have just tried this and it is not working for me. I can't access the vty anymore (on a 3750-X with IOS 15.0).

I tried this ACL to find out why:

ip access-list extended MGMT-TRAFFIC
 permit tcp any host 10.10.10.10 eq 22 log
 permit tcp any any eq 22 log

When I try to SSH in to 10.10.10.10 it works ONLY when there is "permit tcp any any". You can see the ACL counter rising on this "any" ACE and you can see a log entry which is saying there is a packet to 0.0.0.0:23 (instead of the expected 10.10.10.10:23). So the first ACE did not fire. The question is why?

So my question: can you confirm this definitely works like you described and I'm doing something wrong?

Best regards, Uwe

I just wanted to answer "yes, I used that before", but then while thinking about it I realised: "no, not exactly that way".

I used extended access-lists in access-classes for limiting access to port 22 when SSH was running on a different port, but in all these cases the destination was "any". So I tried it again with an IP destination and you were right. When the destination is not "any", the ACE doesn't match any more.

So let's find a different way to achieve that. Next to mind comes control-plane protection:

ip access-list extended SSH-ALLOWED
 permit tcp any host 10.255.192.225 eq 22
ip access-list extended SSH-DENIED
 permit tcp any any eq 22
!
class-map match-all SSH-ALLOWED
 match access-group name SSH-ALLOWED
class-map match-all SSH-DENIED
 match access-group name SSH-DENIED
!
policy-map HOST
 class SSH-ALLOWED
 class SSH-DENIED
  drop
!
control-plane host
 service-policy input HOST

With that, SSH to the IP 10.255.192.225 works, while SSH to the other addresses doesn't work any more:

c2801#sh policy-map control-plane host
 Control Plane Host

  Service-policy input: HOST

    Class-map: SSH-ALLOWED (match-all)
      577 packets, 47031 bytes
      5 minute offered rate 2000 bps
      Match: access-group name SSH-ALLOWED

    Class-map: SSH-DENIED (match-all)
      8 packets, 608 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name SSH-DENIED
      drop

    Class-map: class-default (match-any)
      26 packets, 2979 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Well, this is a router, and I think it's not supported that way on the Catalyst. But at least control-plane policing should work (on the 6k5; the smaller Catalysts are a different story). At the moment I don't have a Catalyst to play with, but this is what would be different:

  1. The policy-map is applied to the "control-plane" instead of the "control-plane host"
  2. When the "drop" action is not available, then the policer should instead drop conforming traffic
  3. It's harder to make sure that you don't police traffic that should just flow through 

Here is a link on CoPP:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/control_plane_policing_copp.html
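The three differences listed above, written out as a complete Catalyst 6500 CoPP policy. This is an added example, not from any poster in the thread, and nobody here has verified it on a 6509. Addresses are assumed: 10.10.10.10 stands in for the management SVI, 10.10.20.1 and 10.10.30.1 for two of the other SVI addresses, and 10.10.10.0/24 for the management network. Compared with the router policy above it (1) applies the policy under "control-plane" rather than "control-plane host", (2) replaces the "drop" action with a policer whose conform-action is drop, and (3) lists the switch's own SVI addresses in the deny ACL instead of "any any", so SSH traffic merely transiting the switch but punted to the CPU is not caught by it:

```text
! Added example, not from the thread. Addresses are assumed placeholders.
!
! Hardware CoPP on the Catalyst 6500 requires QoS to be enabled globally.
mls qos
!
! Source restriction stays on the vty line, as a standard ACL, which
! access-class does evaluate correctly.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
!
! SSH to the management SVI: allowed.
ip access-list extended SSH-ALLOWED
 permit tcp any host 10.10.10.10 eq 22
!
! SSH to the other SVI addresses the switch owns: dropped.
! Listing the switch's own addresses instead of "any any eq 22" keeps
! transit SSH that happens to be punted to the CPU out of this class.
ip access-list extended SSH-DENIED
 permit tcp any host 10.10.20.1 eq 22
 permit tcp any host 10.10.30.1 eq 22
!
class-map match-all SSH-ALLOWED
 match access-group name SSH-ALLOWED
class-map match-all SSH-DENIED
 match access-group name SSH-DENIED
!
! No "drop" action here: the denied class is policed with conform-action
! drop, and the allowed class is rate-limited so an SSH SYN flood to the
! management address cannot starve the route processor.
policy-map COPP
 class SSH-ALLOWED
  police 64000 1000 1000 conform-action transmit exceed-action drop
 class SSH-DENIED
  police 32000 1000 1000 conform-action drop exceed-action drop
!
! Aggregate control plane, not "control-plane host".
control-plane
 service-policy input COPP
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Apply it from a session on the management address, then confirm with "show policy-map control-plane" that the SSH-DENIED counters rise only when you SSH to one of the other SVI addresses and that class-default is not policing anything it should not. Every SVI address the switch owns must appear in SSH-DENIED; an address left out is still reachable on port 22, so regenerate the ACL whenever an SVI is added.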

SOcchiogrosso
Level 4
Depending on the device, specify a management interface and the management protocol that should have access to management, along with the proper ACLs.
-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/