accessing a switch via ssh from many ip addresses

10-03-2017 02:41 PM - edited 03-08-2019 12:14 PM
Hello, our core switch has all routed links connecting to it. It seems that every time I open a PuTTY session and enter the IP address of any of those routed links, I can access the switch. I would like to only access the switch from the management IP/network. How can I restrict this in different ways? Is ACL the only way? Does anyone have any other methods or ideas?
Thanks in advance
Labels: Other Switching
10-03-2017 02:48 PM - edited 10-03-2017 02:57 PM
Hi
Could you please provide more details about routed links? Are you using layer 3 switches? You could use loopbacks and advertise them to manage the devices.
Usually you can create an ACL to be applied under the virtual terminal lines in order to allow the access to specific devices. Also you could combine that with TACACS+, Radius or ACS devices.
>> Mark as helpful or answered if the reply solved your question; this helps other community members with future queries. <<
10-03-2017 03:00 PM - edited 10-03-2017 03:01 PM
Sorry, yes, this is an MLS switch running OSPF.
Here is what the routed link from our distribution switch to the core switch looks like. I executed this command on the core switch:
#Core1
interface Port-channel100
description Routed Link to distribution switch
ip address 17.12.0.38 255.255.255.252
ip pim dr-priority 100
ip pim sparse-dense-mode
ip ospf network point-to-point
ip ospf 1 area 0
logging event link-status
storm-control broadcast level 5.00
storm-control action trap
All the routed links are configured the exact same way. If I were to enter 17.12.0.38 in PuTTY, it would take me to the core switch login page. I would like to only access it from the management VRF IP address.
10-03-2017 03:28 PM - edited 10-03-2017 03:30 PM
Hi
If you want to reach the device through an IP other than the routed interface's IP, you can create a loopback on each device, for example:
No VRF
interface loopback 0
ip address 10.0.0.1 255.255.255.255
router ospf 1
net 10.0.0.1 0.0.0.0 area 0
With VRF
interface loopback 0
ip vrf forwarding VRF-NAME
ip address 10.0.0.1 255.255.255.255
router ospf 1 vrf VRF-NAME
net 10.0.0.1 0.0.0.0 area 0
This IP 10.0.0.1 must be advertised to the other OSPF neighbors to be reachable.
>> Mark as helpful or answered if the reply solved your question; this helps other community members with future queries. <<
10-04-2017 01:02 PM
I am not clear what your requirement is. You have told us this: "I would like to only access the switch from the management ip/network". When you say from the management network, do you mean that the request comes from the management network (source address is in the management network) or do you mean that the request goes to the management IP (destination address is the management address)?
The former is easy to accomplish using access-class assigned to the vty ports. The latter is much more challenging. You would need something like Control Plane Policing to accomplish this.
HTH
Rick
10-04-2017 01:06 PM
It's unfortunately the latter. I remember reading about control plane policing a long time ago, now that you mention it. Yes, that is difficult. So it seems that ACL is the only feasible option. My co-worker mentioned that control plane policing isn't actually even supported on the image we're using.
10-04-2017 01:13 PM
Wouldn't we need to advertise the routed links into OSPF also? Sorry, really rusty there.
10-04-2017 01:56 PM - edited 10-04-2017 01:59 PM
Hi
If they are connecting to other layer 3 devices, you should advertise the routed links into OSPF in order to be able to forward packets.
In order to manage a Layer 3 device, you can use the routed link IP configured on the device or a loopback being advertised by a routing protocol. Now to restrict the access for specific IP addresses you can use ACLs as recommended previously.
>> Mark as helpful or answered if the reply solved your question; this helps other community members with future queries. <<
10-04-2017 02:20 PM
As I stated previously controlling remote access by controlling the source address is easy to accomplish using access-class and an access list. But controlling remote access by controlling the destination address is quite challenging. The best way to do this is with Control Plane Policing. But I wondered as I wrote my suggestion whether this feature would be supported on your switch. Sorry that it looks like it is not supported.
There is one other alternative that you can consider. I hesitate to suggest it because it is complicated and somewhat error prone. But if implemented carefully and correctly it should work. The suggestion involves assigning an access list on every layer 3 interface of the switch. What makes it complicated is that you have multiple layer 3 interfaces on which an SSH request might be received. The access list on each interface needs to deny any SSH request whose destination address is any of your layer 3 addresses other than your management IP. The access list then needs to permit any SSH request whose destination is your management IP. And the access list needs to permit any SSH request whose destination is not one of your switch IP addresses. It is ugly but it should work. It reminds me a bit of some of the scenarios I worked out while preparing for the CCIE lab.
HTH
Rick
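Added worked example (not code from the thread, from Rick, or from Cisco): a small Python script that generates both configurations discussed above, the easy one (a standard ACL applied with `access-class` on the vty lines, restricting where SSH may come from) and the harder one (an extended ACL applied inbound on every routed interface, restricting which local address SSH may go to while leaving transit, OSPF and PIM traffic alone), and then checks the generated ACL text with IOS first-match semantics so you can see the ordering mistakes before pasting anything into a switch. Only 17.12.0.38 and Port-channel100 come from the thread; the management address 10.0.0.1, the admin subnet 10.10.10.0/24, the other link addresses, the ACL names and the sample flows are constructed placeholders.

```python
"""Generate and sanity-check the two SSH-restriction ACLs from the thread.

Added example, not the thread's or Cisco's code. 17.12.0.38 and
Port-channel100 are from the poster's config; everything else is a
constructed placeholder.
"""
import ipaddress

MGMT_IP = "10.0.0.1"                    # hypothetical management address (loopback / mgmt VRF)
MGMT_NET = "10.10.10.0/24"              # hypothetical subnet the admin workstations sit in
ROUTED_LINK_IPS = ["17.12.0.38", "17.12.0.42", "17.12.0.46"]  # first from the thread, rest constructed


def source_acl(mgmt_net, name="MGMT-SRC"):
    """Standard ACL for 'access-class': restricts WHERE SSH may come FROM (the easy case)."""
    net = ipaddress.ip_network(mgmt_net)
    return [
        f"ip access-list standard {name}",
        f" permit {net.network_address} {net.hostmask}",   # IOS wants a wildcard mask, not a prefix length
        " deny any log",                                   # explicit deny so rejected logins are logged
    ]


def vty_config(name="MGMT-SRC"):
    """Apply the source ACL to the vty lines and allow only SSH."""
    return ["line vty 0 15", f" access-class {name} in", " transport input ssh"]


def destination_acl(mgmt_ip, link_ips, name="SSH-TO-MGMT-ONLY"):
    """Extended ACL for 'ip access-group ... in' on every routed interface:
    restricts WHICH local address SSH may go TO (the hard case).
    ACLs are first-match, so the denies must precede the permits."""
    lines = [f"ip access-list extended {name}"]
    for ip in link_ips:
        lines.append(f" deny tcp any host {ip} eq 22")      # SSH aimed at a routed-link address
    lines.append(f" permit tcp any host {mgmt_ip} eq 22")   # SSH aimed at the management address
    lines.append(" permit ip any any")                      # transit SSH, OSPF, PIM, everything else
    return lines


def interface_config(acl_name, interfaces):
    """The same extended ACL is applied inbound on each routed interface."""
    out = []
    for intf in interfaces:
        out += [f"interface {intf}", f" ip access-group {acl_name} in"]
    return out


def _addr_match(tokens, addr):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD') and test addr against it."""
    kind = tokens.pop(0)
    if kind == "any":
        return True
    if kind == "host":
        return addr == tokens.pop(0)
    wildcard = tokens.pop(0)
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF   # wildcard 1-bits are "don't care"
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(kind)) & care)


def evaluate(acl_lines, src, dst, proto="tcp", dport=None):
    """Model IOS first-match evaluation of the generated ACL text; implicit deny at the end."""
    standard = acl_lines[0].split()[2] == "standard"
    for line in acl_lines[1:]:
        tokens = line.split()
        action = tokens.pop(0)
        if standard:                          # standard ACLs look at the source only
            if _addr_match(tokens, src):
                return action
            continue
        ace_proto = tokens.pop(0)
        if ace_proto not in ("ip", proto):
            continue
        if not (_addr_match(tokens, src) and _addr_match(tokens, dst)):
            continue
        if tokens[:1] == ["eq"] and int(tokens[1]) != dport:
            continue
        return action
    return "deny"                             # every IOS ACL ends with an implicit deny


if __name__ == "__main__":
    src = source_acl(MGMT_NET)
    dst = destination_acl(MGMT_IP, ROUTED_LINK_IPS)
    print("\n".join(src + vty_config() + dst + interface_config("SSH-TO-MGMT-ONLY", ["Port-channel100"])))
    # Constructed flows: (source, destination, protocol, destination port)
    for flow in [("10.10.10.5", "17.12.0.38", "tcp", 22),     # SSH to the link IP -> deny
                 ("10.10.10.5", MGMT_IP, "tcp", 22),          # SSH to the mgmt IP -> permit
                 ("10.10.10.5", "198.51.100.7", "tcp", 22),   # SSH transiting the switch -> permit
                 ("17.12.0.37", "17.12.0.38", "ospf", None)]: # routing traffic to the link IP -> permit
        print(flow, "->", evaluate(dst, *flow))
```

Two design points worth noting. The interface ACL lists every routed-link address, not just the one belonging to the interface it sits on, so one ACL can be reused on all links; what makes this approach fragile in practice is that every new routed interface needs its address added to the ACL. The trailing `permit ip any any` is what keeps OSPF, PIM and transit traffic flowing, and the `evaluate` check exists precisely to confirm that the denies land before it.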
10-06-2017 08:12 AM
10-06-2017 12:34 PM
You are quite welcome. I am glad that our responses have been helpful. I hope to see you continue to be active in the forum.
HTH
Rick
