
07-24-2015 09:29 AM - edited 03-08-2019 01:06 AM
I have a WS-C3850-48T switch running version 03.03.03SE with several SVIs configured. I want to block ssh access to some of the SVIs. What is the easiest way to do that? Do I create an ACL and apply it to the SVI? What command do I use for that? "access-list" doesn't look to be an option for an SVI in configuration terminal mode, so I'm not sure how to apply any ACL I create. If I create an ACL it won't be applied globally to the switch, right? Essentially, I just want to create some rule that blocks users from gaining ssh access to the SVI of some of the VLANs.
Any help would be appreciated.
Accepted Solutions
07-24-2015 10:04 AM
Hi, you can block ssh to any devices which are part of an SVI or the whole subnet itself. The below example would be blocking anything in vlan 101 ssh in or out but allowing everything else as well, only applied to the specific vlan 101 as an example for you:
access-list 101 deny tcp any 172.21.100.0 0.0.0.255 eq 22
access-list 101 permit ip any any
Then on your layer 3 SVI, under the vlan interface, apply it in or outbound:
Interface vlan 101
 ip address 172.21.100.1 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
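An added example, not part of the original thread: a small Python evaluator for the two `access-list 101` lines in the answer above, showing which packets they deny under first-match semantics. The sample packets and every address outside 172.21.100.0/24 are constructed, and the parser handles only the ACL syntax used on this page.

```python
import ipaddress

# The two ACL lines from the answer above, copied verbatim.
ACL_101 = """\
access-list 101 deny tcp any 172.21.100.0 0.0.0.255 eq 22
access-list 101 permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Pop one address spec ('any', 'host A' or 'A WILDCARD') as (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def parse_acl(text):
    """Parse numbered extended ACL lines (only the syntax used on this page)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _addr(rest), _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def _hit(addr, spec):
    base, wild = spec
    return (_ip(addr) | wild) == (base | wild)  # wildcard bits are "don't care"

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in entries:
        port_ok = a_port is None or a_port == dport
        if a_proto in ("ip", proto) and _hit(src, a_src) and _hit(dst, a_dst) and port_ok:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for pkt in [("tcp", "10.1.1.5", "172.21.100.1", 22),   # constructed packets
                ("tcp", "172.21.100.50", "10.9.9.1", 22)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The deny entry matches on destination address and port only, so TCP/22 from a 172.21.100.0/24 source to a destination outside that subnet falls through to the permit line.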

08-03-2015 06:34 AM
Thanks!
07-25-2015 04:03 AM
Hello
access-list 101 permit tcp any host x.x.x.x eq ssh
class-map match-all ssh-cm
 match access-group 101
policy-map ssh_pm
 class ssh-cm
  drop
 class class-default
Edited - scratch this - misread your OP - thought you were on about to the core itself - apologies
res
Paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul

