How to disable SSH into the port

getaway51
Level 2

Hi,

How can I disable SSH for port Gi0/23, which is connected to a device? I can't disable SSH on the device. Therefore I need to disable SSH and BLOCK it at the network layer.

6 Replies

balaji.bandi
Hall of Fame

Is this port Layer 2 or Layer 3?

In either case you can use an ACL for the device to SSH from.

 

access-list 5 permit 192.168.1.1  <<- change the IP as per your requirement.

 

line vty 0 4

access-class 5 in

transport input ssh 

!

line vty 5 15

access-class 5 in

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

I mean ONLY disable SSH for the port where the device is connected, not disable SSH into the switch.

Unfortunately, I have edited that post and added the comments it missed.

You can do that for the device connected to the port; as per my understanding, no one likes to SSH to the device connected to that port.

Then you can have an ACL deny any eq port 22 and apply the ACL to the VLAN or port.

 

 

ip access-list extended IN_SSH
 deny tcp any host DEVICE_IP eq 22
 permit ip any any
!
interface vlan X
 ip access-group IN_SSH in

 

BB


Hello

Another quite elegant alternative is the use of MPP.
You can apply MPP to use specific interfaces for all or certain management protocols, and if an interface isn't defined in the MPP policy then it isn't allowed to be used.

 

control-plane host
management-interface x/x allow
management-interface  x/y allow ssh ftp
exit

show management-interface
Management interface x/y
Protocol    Packets processed
ssh         0
telnet      0

Management interface x/x
Protocol    Packets processed
ftp         0
http        0
https       0
ssh         0
tftp        0
snmp        0
beep        0
telnet      0
tls         0
tl1         0


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I think the easiest option is still missing from the recommendations:

Just configure a Port-ACL and attach it to the switchport pointing to that device.

It could look like the following:

ip access-list extended UNTRUSTED-DEVICE
  deny tcp any any eq 22
  ! or if only SSH to the local switch-IP 10.10.10.10
  ! should be denied: deny tcp any host 10.10.10.10 eq 22
  permit ip any any
!
interface gig 0/23
  ip access-group UNTRUSTED-DEVICE in
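As an added, constructed example (not from this thread or from Cisco): a small Python model of IOS first-match ACL evaluation, including the implicit deny at the end of every ACL, so the intended effect of a port ACL like the one above can be checked before it is applied. It shows why the trailing `permit ip any any` matters: without it the port ACL drops all traffic from the device, not just SSH. The addresses 10.10.10.50 and 10.10.20.5 are constructed sample hosts.

```python
import ipaddress

# Constructed ACLs, modelled on the port ACL in the post above.
PACL_OK = """
deny tcp any host 10.10.10.10 eq 22
permit ip any any
"""
# Same intent, but the trailing "permit ip any any" was forgotten.
PACL_MISSING_PERMIT = """
deny tcp any host 10.10.10.10 eq 22
"""

def _addr_ok(spec, addr):
    # spec is "any" or a single host address (from the IOS "host X" form)
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)

def _parse_ace(ace):
    # Supports only the ACE forms used on this page:
    #   <permit|deny> <proto> <any|host A.B.C.D> <any|host A.B.C.D> [eq <port>]
    tok = ace.split()
    action, proto, i, addrs = tok[0], tok[1], 2, []
    for _ in range(2):
        if tok[i] == "any":
            addrs.append("any"); i += 1
        elif tok[i] == "host":
            addrs.append(tok[i + 1]); i += 2
        else:
            raise ValueError("unsupported address form: " + ace)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, addrs[0], addrs[1], dport

def evaluate(acl_text, proto, src, dst, dport):
    """First-match evaluation with the implicit 'deny ip any any' that
    terminates every IOS ACL. Returns 'permit' or 'deny'."""
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        action, p, s, d, port = _parse_ace(line)
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if not (_addr_ok(s, src) and _addr_ok(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action                          # first matching ACE wins
    return "deny"                              # nothing matched: implicit deny
```

Running `evaluate(PACL_MISSING_PERMIT, "tcp", "10.10.10.50", "10.10.20.5", 80)` returns "deny", i.e. plain web traffic from the device is dropped too, while the same packet against PACL_OK is permitted and only SSH to 10.10.10.10 is denied.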

@Karsten Iwen I was under the understanding that was already suggested by @balaji.bandi; however, looking at it again, it was a suggested RACL, not a PACL.

 

So I guess all bases are now covered for the OP to choose from!



Kind Regards
Paul