interface restrictions

suthomas1
Level 6

Good day all,

In a layer 3 switch with multiple SVIs, how can we disable SSH access for all the SVI interfaces?

If a switch has 3 VLANs - vlan 10, vlan 11, vlan 12 - these SVIs should not permit any SSH or Telnet service to them.

These VLAN interfaces do not have any ACL on them.

Those services should be available only through the designated management interfaces.


Accepted Solution

Hello @suthomas1 ,

I am afraid the source-interface command is effective only for outbound SSH sessions, when the device is used to connect in SSH to another device.

To force incoming SSH sessions to be accepted only on one specific interface, I think you should use an IP extended ACL applied to the line vty.

Something like:

access-list 111 permit tcp any host 192.168.1.1 eq 22

line vty 0 4
access-class 111 in

But I advise you that using extended ACLs on line vty is tricky and can lead to undesired results.

Hope to help

Giuseppe

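Added here as an example that is not part of the thread and not a Cisco tool: a small audit script that reads a running-config excerpt and reports vty blocks still reachable on every SVI, applying the point from the accepted answer that ip ssh source-interface only affects outbound sessions and that inbound control comes from access-class plus a restricted transport input. The config sample is constructed; Vlan99 as the management SVI and ACL 111 are assumed names.

```python
import re

# Constructed running-config excerpt (not from the thread). Vlan99 is the assumed
# management SVI; "line vty 0 4" is the weak block, "line vty 5 15" the hardened one.
SAMPLE_CONFIG = """\
ip ssh source-interface Vlan99
!
interface Vlan99
 ip address 192.168.1.1 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 111 in
 transport input ssh
"""

def parse_vty_blocks(config):
    """Return one dict per 'line vty' block: its access-class name and transport list."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"name": raw.strip(), "access_class": None, "transport": None}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            cmd = raw.strip()
            if m := re.match(r"access-class (\S+) in\b", cmd):
                current["access_class"] = m.group(1)
            elif m := re.match(r"transport input (.+)$", cmd):
                current["transport"] = m.group(1).split()
        else:
            current = None  # any other top-level command ends the line block

    return blocks

def audit_vty(config):
    """Flag vty blocks whose inbound management access is not restricted."""
    findings = []
    if "ip ssh source-interface" in config and "access-class" not in config:
        findings.append("ip ssh source-interface only affects outbound SSH; no access-class restricts inbound sessions")
    for blk in parse_vty_blocks(config):
        name = blk["name"]
        if blk["access_class"] is None:
            findings.append(f"{name}: no inbound access-class, reachable via every SVI")
        transport = blk["transport"] or []
        if not transport or "telnet" in transport or "all" in transport:
            findings.append(f"{name}: transport input not restricted to ssh")
    return findings
```

Running audit_vty(SAMPLE_CONFIG) reports only the "line vty 0 4" block; the second block, configured as the accepted answer suggests, produces no findings.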

3 Replies

balaji.bandi
Hall of Fame

How about configuring the source interface?

ip ssh source-interface interface

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp5893687220

You can also have a simple ACL for connections coming in to the VTY lines - example:

ip access-list standard ALLOW-SSH
permit 192.168.100.0 0.0.0.255

line vty 0 15
transport input ssh
access-class ALLOW-SSH in

 

BB


We want to avoid using an access list. If all VLANs can be set so they are not used for SSH access with the use of that source-interface command, then that is the preferred choice.

Appreciate the help.
