ssh access to Layer 3 specific interface

cyberops123
Level 1

Hi

I am just reviewing one of our L3 Cisco routers and I see there are 4 different VLAN interfaces configured with IP addresses (wireless, Data, Video, Management). When I SSH to this switch from my desktop I am able to use any of these IP addresses on the switch and SSH works fine. My concern is whether this is a security issue, or is there any other way we can only SSH to a certain IP address on the switch for security reasons?

Thanks

4 Replies

EduardR
Level 1

Hi

By default, your device answers SSH connections on all VLAN interfaces. You can restrict that by using an ACL that prohibits incoming SSH on the interfaces you want.

Well, the only ACL for SSH I know is basically specifying individual hosts or networks that can access my device, applied under the line vty configuration. For example, below is my current SSH configuration:

 

access-list 100 permit ip 10.1.x.0 0.0.255.255 any
access-list 100 permit ip 10.x.x.0 0.0.0.255 any

 

line vty 0 4
 access-class 100 in
 exec-timeout 9 0
 transport input ssh

 

So as far as I know this will give the networks above access to my network device. But I want to use only one of the SVI interfaces for SSH; if there is any SSH attempt to the other SVIs it should be denied.

Currently I have the following SVIs available:

vlan 10     10.2.0.1
vlan 20     10.2.30.1
vlan 30     10.2.40.1

You can make an extended ACL pointing to the device IP like this:

ip access-list extended NoSSH
 remark inbound on the SVI, the SVI address is the packet's destination, so match it there
 deny tcp any host <IP> eq 22
 permit ip any any

and apply it to each of the SVI, for example:

ip access-list extended NoSSH
 remark drop SSH addressed to this SVI, let all other traffic through
 deny tcp any host 10.2.0.1 eq 22
 permit ip any any

interface vlan 10
 ip access-group NoSSH in

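An added example (not code from the thread) that generalizes the accepted answer: one extended ACL that denies TCP/22 to every non-management SVI address, applied inbound on every SVI so the block holds whichever VLAN the SSH attempt arrives on, plus a small first-match evaluator to check the result. The SVI addresses are the ones quoted above; treating VLAN 10 as the management SVI and the ACL name are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# SVI table from the thread (VLAN -> address); VLAN 10 as management is an assumption.
SVIS = {10: "10.2.0.1", 20: "10.2.30.1", 30: "10.2.40.1"}
MGMT_VLAN = 10

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "ip"
    src: str                     # "any" or a host address
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # destination port for tcp entries

def build_acl(blocked_svis: List[str]) -> List[Ace]:
    """Deny TCP/22 whose *destination* is a blocked SVI address, permit the rest.
    Inbound on an SVI the client's packet carries the SVI address as destination,
    so the host match goes in the dst field, not the src field."""
    return ([Ace("deny", "tcp", "any", ip, 22) for ip in blocked_svis]
            + [Ace("permit", "ip", "any", "any")])

def render(name: str, acl: List[Ace], vlans: List[int]) -> str:
    """IOS text for the ACL plus 'ip access-group <name> in' on each listed SVI."""
    lines = [f"ip access-list extended {name}"]
    for a in acl:
        dst = a.dst if a.dst == "any" else f"host {a.dst}"
        port = f" eq {a.dport}" if a.dport is not None else ""
        lines.append(f" {a.action} {a.proto} {a.src} {dst}{port}")
    for v in vlans:
        lines += [f"interface vlan {v}", f" ip access-group {name} in"]
    return "\n".join(lines)

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match lookup, ending in the implicit deny every IOS ACL has."""
    for a in acl:
        if a.proto != "ip" and a.proto != proto:
            continue
        if (a.src != "any" and a.src != src) or (a.dst != "any" and a.dst != dst):
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"

def ssh_reachable(client_ip: str, target_vlan: int) -> bool:
    """Would an SSH SYN from client_ip to the target VLAN's SVI pass the inbound ACL?"""
    blocked = [ip for v, ip in SVIS.items() if v != MGMT_VLAN]
    return evaluate(build_acl(blocked), "tcp", client_ip, SVIS[target_vlan], 22) == "permit"
```

The vty `access-class` from the earlier post still limits which source networks may reach the surviving management address, so the two controls complement each other.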
Awesome, that's exactly what I was asking.

Thanks again