Beginner

ssh access to Layer 3 specific interface

Hi

 

I am just reviewing one of our L3 Cisco routers and I see there are 4 different VLAN interfaces configured with IP addresses (wireless, data, video, management). When I SSH to this switch from my desktop I am able to use any of these IP addresses on the switch and SSH works fine. My concern is whether this is a security issue, or whether there is any other way we can only SSH to a certain IP address on the switch, for security reasons?

 

Thanks

Beginner

Re: ssh access to Layer 3 specific interface

Hi

By default, your device answers SSH connections on all the VLAN interfaces. You can restrict that by using an ACL that prohibits incoming SSH on the interfaces you want.

Beginner

Re: ssh access to Layer 3 specific interface

Well, the only ACL for SSH I know is basically specifying the individual hosts or networks that can access my device and applying it under the line vty configuration. For example, below is my current SSH configuration:

access-list 100 permit ip 10.1.x.0 0.0.255.255 any
access-list 100 permit ip 10.x.x.0 0.0.0.255 any

line vty 0 4
 access-class 100 in
 exec-timeout 9 0
 transport input ssh

So as far as I know this gives those networks access to my network device. But I want to use only one of the SVI interfaces for SSH; if there is any SSH attempt on the other SVIs it should be denied.

Currently I have the following SVIs available:

vlan 10     10.2.0.1
vlan 20     10.2.30.1
vlan 30     10.2.40.1

Accepted Solution
Beginner

Re: ssh access to Layer 3 specific interface

You can make an extended ACL pointing to the device IP like this:

ip access-list extended NoSSH
 deny tcp any host <IP> eq 22
 permit ip any any

and apply it to each of the SVIs, for example:

ip access-list extended NoSSH
 remark refuse SSH to the VLAN 10 SVI address
 deny tcp any host 10.2.0.1 eq 22
 permit ip any any

interface vlan 10
 ip access-group NoSSH in
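A fuller version of the accepted answer's approach, added here as an example and not taken from the thread or from Cisco documentation. It assumes, from the SVI list posted above, that VLAN 10 (10.2.0.1) is the management SVI that keeps SSH and that VLAN 20 (10.2.30.1) and VLAN 30 (10.2.40.1) should refuse it; the 10.1.0.0/16 source network in the vty access-class is a constructed sample standing in for the masked addresses in the original post. The ACL names every non-management SVI address as a destination and is applied inbound on every SVI, so that a host on one VLAN cannot SSH to another VLAN's SVI address, while the existing vty access-class keeps limiting which source networks may connect at all.

```cisco
! Added example, not from the thread. Assumes VLAN 10 / 10.2.0.1 is the
! management SVI that should keep SSH, and that VLAN 20 (10.2.30.1) and
! VLAN 30 (10.2.40.1) must refuse it, per the SVI list in the thread.
!
! 1. WHERE SSH may be addressed: deny TCP/22 to every non-management SVI
!    address. Source/destination order matters for an inbound ACL: the
!    client is the source, the SVI address is the destination.
ip access-list extended NoSSH
 remark SSH only to the management SVI; refuse it on the other SVI addresses
 deny   tcp any host 10.2.30.1 eq 22 log
 deny   tcp any host 10.2.40.1 eq 22 log
 permit ip any any
!
! 2. Apply inbound on EVERY SVI, not only the protected ones: a host on
!    VLAN 10 can still reach 10.2.30.1 unless VLAN 10's SVI filters it too.
interface vlan 10
 description Management
 ip access-group NoSSH in
interface vlan 20
 ip access-group NoSSH in
interface vlan 30
 ip access-group NoSSH in
!
! 3. WHO may open SSH at all: the vty access-class from the original post.
!    10.1.0.0/16 is a constructed sample management network.
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
line vty 0 4
 access-class 100 in
 exec-timeout 9 0
 transport input ssh
!
! 4. Verify: the deny counters increase when SSH is attempted to
!    10.2.30.1 or 10.2.40.1; SSH to 10.2.0.1 from 10.1.0.0/16 still works.
! show ip access-lists NoSSH
! show run | section line vty
```

Check the result with `show ip access-lists NoSSH`: the deny counters should increase when SSH is attempted to 10.2.30.1 or 10.2.40.1, while SSH to 10.2.0.1 from a permitted source still succeeds. The `log` keyword on the deny entries makes refused attempts visible in syslog; on Catalyst switches logged ACEs are processed in software rather than in hardware, so drop `log` if CPU load is a concern. An interface ACL also filters transit traffic routed through the SVI, which is why the closing `permit ip any any` is required.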
Beginner

Re: ssh access to Layer 3 specific interface

Awesome, that's exactly what I was asking.

Thanks again