Beginner

How to disable SSH into the port

Hi,

 

How can I disable SSH for port Gi0/23, which is connected to a device? I can't disable SSH in the device. Therefore I need to disable SSH & block it in the network layer.

VIP Advisor

Re: How to disable SSH into the port

Is this port Layer 2 or Layer 3?

In either case, you can use an ACL for the device you SSH in from.

 

! change the IP as per your requirement
access-list 5 permit 192.168.1.1
!
line vty 0 4
 access-class 5 in
 transport input ssh
!
line vty 5 15
 access-class 5 in

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: How to disable SSH into the port

Hi,

 

I mean ONLY disable SSH for the port where the device is connected. Not disable SSH into the switch. 

VIP Advisor

Re: How to disable SSH into the port

Unfortunately, I have edited that post and added the comments it missed.

 

You can do this for the device connected to the port. As per my understanding, you want no one to SSH to the device that connects to the port.

Then you can have an ACL that denies any eq 22, and apply the ACL to the VLAN or port.

 

 

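ip access-list extended IN_SSH
 deny tcp any host DEVICE_IP eq 22
 ! allow everything else; otherwise the implicit deny drops all other traffic
 permit ip any any
!
interface vlan X
 ip access-group IN_SSH in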

 

BB
VIP Advisor

Re: How to disable SSH into the port

Hello

Another alternative, and quite an elegant one, is the use of MPP.
You can apply MPP to use specific interfaces for all or certain management protocols, and if an interface isn't defined in this MPP policy then it isn't allowed to be used.

 

control-plane host
management-interface x/x allow
management-interface  x/y allow ssh ftp
exit

show management-interface
Management interface x/y
Protocol Packets processed
ssh 0
telnet 0

Management interface x/x
Protocol Packets processed
ftp 0
http 0
https 0
ssh 0
tftp 0
snmp 0
beep 0
telnet 0
tls 0
tl1 0



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
VIP Mentor

Re: How to disable SSH into the port

I think the easiest option is still missing from the recommendations:

Just configure a Port-ACL and attach it to the switchport pointing to that device.

It could look like the following:

ip access-list extended UNTRUSTED-DEVICE
  deny tcp any any eq 22
  ! or if only SSH to the local switch-IP 10.10.10.10
  ! should be denied: deny tcp any host 10.10.10.10 eq 22
  permit ip any any
!
interface gig 0/23
  ip access-group UNTRUSTED-DEVICE in
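
Added example (not part of the original post and not Cisco code): a small Python model of first-match ACL evaluation, applied to the UNTRUSTED-DEVICE entries above for packets arriving on Gi0/23, including what the implicit deny does when the trailing permit is left out. The addresses 10.10.10.50 and 10.10.20.5 are constructed, and the parser only handles the any/host/eq forms used in this thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

def parse_ace(line):
    """Parse '<action> <proto> <src> <dst> [eq <port>]' (any/host forms only)."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    addrs = []
    while len(addrs) < 2:
        if rest[0] == "any":
            addrs.append(None)        # None means "matches any address"
            rest = rest[1:]
        elif rest[0] == "host":
            addrs.append(rest[1])
            rest = rest[2:]
        else:
            raise ValueError(f"unsupported address form in: {line}")
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, addrs[0], addrs[1], port

def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, proto, src, dst, port = parse_ace(line)
        if (proto in ("ip", pkt.proto)
                and src in (None, pkt.src)
                and dst in (None, pkt.dst)
                and port in (None, pkt.dport)):
            return action
    return "deny"

# ACL entries as written in the thread; the packets are constructed samples.
PACL = ["deny tcp any any eq 22", "permit ip any any"]
SWITCH_ONLY = ["deny tcp any host 10.10.10.10 eq 22", "permit ip any any"]
NO_PERMIT = ["deny tcp any any eq 22"]   # same deny, no trailing permit
SSH_SWITCH = Packet("tcp", "10.10.10.50", "10.10.10.10", 22)
SSH_OTHER = Packet("tcp", "10.10.10.50", "10.10.20.5", 22)
HTTPS = Packet("tcp", "10.10.10.50", "10.10.20.5", 443)
```

Calling evaluate(NO_PERMIT, HTTPS) returns "deny": an ACL that ends after its deny line drops all other traffic on the interface, not only SSH.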
VIP Advisor

Re: How to disable SSH into the port

@Karsten Iwen I was under the understanding that this was already suggested by @balaji.bandi; however, looking at it again, it was a suggested RACL, not a PACL.

 

So I guess all bases are now covered for the OP to choose from!



kind regards
Paul
