How can I block ssh access to an SVI?

rweir0001
Level 1

I have a WS-C3850-48T switch running version 03.03.03SE with several SVIs configured. I want to block ssh access to some of the SVIs. What is the easiest way to do that? Do I create an ACL and apply it to the SVI? What command do I use for that, because "access-list" doesn't look to be an option for an SVI in configuration terminal mode, so I'm not sure how to apply any ACL I create? If I create an ACL it won't be applied globally to the switch, right? Essentially, I just want to create some rule that blocks users from gaining ssh access to the SVI of some of the VLANs.

Any help would be appreciated.

1 Accepted Solution

Accepted Solutions

Mark Malone
VIP Alumni

Hi, you can block ssh to any devices which are part of an SVI or the whole subnet itself. The example below would be blocking anything in vlan 101 ssh in or out but allowing everything else as well, only applied to the specific vlan 101 as an example for you:

access-list 101 deny tcp any 172.21.100.0 0.0.0.255 eq 22
access-list 101 permit ip any any

Then on your layer 3 SVI under the vlan interface apply it in or outbound:

interface vlan 101
 ip address 172.21.100.1 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
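To see exactly which flows the two access-list lines above match before committing them to a switch, here is a small evaluator, added as an example and not part of the original post or of Cisco IOS. It implements standard IOS extended-ACL semantics: first matching entry wins, wildcard-mask bits set to 1 are "don't care", and an ACL ends with an implicit deny. The addresses 172.21.100.50 and 10.0.0.5 used as sample hosts are constructed for the example; only the subnet, the SVI address and the two ACL lines come from the post. The evaluator handles only the syntax used on this page (protocol, source, destination, optional "eq <port>" on the destination); source-port qualifiers and named ACLs are out of scope.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# The two lines from the accepted answer, verbatim.
ACL_LINES = [
    "access-list 101 deny tcp any 172.21.100.0 0.0.0.255 eq 22",
    "access-list 101 permit ip any any",
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None   # destination port from "eq <port>", if present


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str) -> Ace:
    """Parse the subset of 'access-list <n> <action> <proto> <src> <dst> [eq <port>]' used above."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]

    def take_addr(toks: List[str]) -> Tuple[str, str, List[str]]:
        if toks[0] == "any":
            return "0.0.0.0", "255.255.255.255", toks[1:]
        if toks[0] == "host":
            return toks[1], "0.0.0.0", toks[2:]
        return toks[0], toks[1], toks[2:]       # "<network> <wildcard>"

    src, src_wild, rest = take_addr(rest)
    dst, dst_wild, rest = take_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = 22 if rest[1] == "ssh" else int(rest[1])   # IOS accepts the keyword "ssh" for 22
    return Ace(action, proto, src, src_wild, dst, dst_wild, dport)


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """Return the action of the first matching entry, or 'deny' (the implicit deny)."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if not wildcard_match(flow.src, ace.src, ace.src_wild):
            continue
        if not wildcard_match(flow.dst, ace.dst, ace.dst_wild):
            continue
        if ace.dport is not None and flow.dport != ace.dport:
            continue
        return ace.action
    return "deny"


ACL = [parse_ace(line) for line in ACL_LINES]

# Constructed sample flows: 172.21.100.50 stands in for a host in vlan 101,
# 10.0.0.5 for a host in some other routed subnet, 172.21.100.1 is the SVI.
SAMPLE_FLOWS = [
    Flow("172.21.100.50", "172.21.100.1", "tcp", 22),    # vlan 101 host -> SVI, ssh
    Flow("10.0.0.5", "172.21.100.50", "tcp", 22),        # other subnet -> vlan 101 host, ssh
    Flow("172.21.100.50", "10.0.0.5", "tcp", 22),        # vlan 101 host -> other subnet, ssh
    Flow("172.21.100.50", "172.21.100.1", "tcp", 443),   # vlan 101 host -> SVI, https
]


def audit(acl: List[Ace], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate every sample flow against the ACL and pair it with the verdict."""
    return [(flow, evaluate(acl, flow)) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in audit(ACL, SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.proto}/{flow.dport} {flow.src} -> {flow.dst}")
```

Running it shows that the deny line matches SSH to the SVI address and to every other host in 172.21.100.0/24, while SSH from a vlan 101 host to a destination outside that subnet falls through to the permit line, because the destination subnet is the match criterion. If the goal is only to stop SSH to the SVI itself, the deny entry can be narrowed to `host 172.21.100.1`, which the parser above also accepts.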


4 Replies


Thanks!

Hello

access-list 101 permit tcp any host x.x.x.x eq ssh

class-map match-all ssh-cm
 match access-group 101

policy-map ssh_pm
 class ssh-cm
  drop
 class class-default

Edited - scratch this - misread your OP - thought you were on about ssh to the core itself - apologies

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks!
