Thank You So Much @balaji.bandi I Do Deeply Appreciate Your Consistency In Selflessly Helping.  I Am Currently Overseeing Training This Week (I Juggle Two Hats Project Management & Network Lead) But Next Week I Will Do The Configurations On The Switches. I Am Sure It Will Work.

I Will Share The Feedback.

Cheers

Shaqx

Sure some time need to play different Roles to meet the requirement of the business that is understandble.

please let us know how it goes.. thanks

Shaqxify

The suggestion from @balaji.bandi for option 2 looks logical but unfortunately it will not work as you want. When using access-class the normal practice is to use standard access list, which identifies the originating device IP address. When you use an extended access list for access-class inbound it ignores the destination address that you have specified (treats is as any). So you would not be able to limit access attempts to only the one interface address using access-class with extended access list..

The first part of your requirement is easy - you can limit access to the 2 source addresses using access-class on the vty which would use a standard access list, as was suggested in previous responses. The second part where you want to control which address is used for access is not easy. We do not know what model of switch or what version of code you are running so we are not sure which alternatives you could use.

1) Perhaps something like Control Plane Policing could be used to control remote access in a way that achieves both of your requirements.

2) Use an extended access list specifying both the source address and destination address for SSH. The logic might be something like this:

- You would need entries to permit each of the source addresses to the single destination address that you want.

- You would then need entries to deny any source to each of the L3 interface addresses on the switch for SSH.

- These parts of the access list would need to be applied to every L3 interface on the switch. If a L3 interface already has an inbound access list applied then this logic needs to be added to the existing acl and preferably would be the very first statements in the acl (you want to be sure that existing acl entries would not permit the access that you are trying to deny).

If a L3 interface does not already have an inbound access list applied then you need to create an access list with this logic and then a permit any for all other traffic.

Hi Richard,

I am working with Cisco 2960x Switch Running on c2960x-universalk9-mz.152-7.E3.bin IOS image. Any further contribution from you will be highly appreciated.

How about creating more ACLs in option 2 barring SSH to the other SVIs? Just a thought.

option2

ip access-list extended 100
permit tcp host 192.168.1.1 host 192.168.1.177 eq ssh
permit tcp host 192.168.1.2 host 192.168.1.177 eq ssh
deny tcp host 192.168.1.1 host 172.16.3.126 eq ssh
deny tcp host 192.168.1.1 host 172.16.2.126 eq ssh
deny tcp host 192.168.1.1 host 172.16.3.190 eq ssh

line vty 0 4
access-class 100 in
transport input ssh

@balaji.bandi @Reza Sharifi  You all are welcome to weigh in on this.

Much respect to you guys,

Shaqx

Shaqx

Apparently you did not understand my previous explanation. So let me try again. When you apply an access list using access-class (rather than access-group) the behavior is different from what you expect. The processing of the access list will not match on destination addresses but only matches on source addresses. So your attempt to use extended access list in access-class will not achieve what you want.

Thanks @Reza Sharifi  I Deeply Appreciatte You Valuable Contribution I Will Let You Know How It Goes.

Respect & Regards,

Shaqx