02-14-2020 12:59 PM - edited 02-14-2020 01:01 PM
I am attempting to stop SSH to any IP on my switches except the loopback address. I have created a few different access lists and applied them as an access-class on the vty lines, but this just locks me out of the switch altogether.
Here is the issue: we have a vuln scanner that logs into our devices and provides a report of items found, but it keeps logging into the wrong interface, so the report does not include the DNS name of the device... I want to stop SSH into VLAN IPs or uplink IPs to get the more readable report, and when the scanner hits more than one address on the same device, it reports the vulns for each IP address.
Below is an example of what I attempted; I was unable to access my test switch after the changes.
The point is to allow SSH only to the loopback interface, not initially to limit where it is coming from.
access-list 101 permit 22 any host 10.10.10.10
line vty 0 4
access-class 101 in
I have done a few more variations but it does not seem to matter as soon as this goes on it blocks access to VTY lines.
02-14-2020 01:48 PM
There are a couple options. See link:
HTH
02-14-2020 01:58 PM
Thanks for the link, that is the response I needed.
02-14-2020 03:21 PM
Glad to help.
Good luck!
03-04-2020 12:16 PM
Hello,
I'm also experiencing this same issue; however, I don't see a drop command for the policy map. I tried setting the policy map to "police 32000 conform-action drop exceed-action drop violate-action drop", but I was still able to get in using the SVI IP. Is there a better solution rather than applying an ACL to each interface?
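Whichever device-side method is used (the vty access-class from the original post or the control-plane policy map from the reply above), the result should be confirmed from the scanner's side. The script below is an added example, not something posted in this thread or provided by Cisco: it attempts a TCP handshake on the SSH port against each of a device's addresses and reports whether only the loopback (10.10.10.10, as in the poster's ACL) still answers. The SVI and uplink addresses are constructed placeholders.

```python
"""Confirm that a switch accepts SSH only on its loopback address.

Added example for this thread. Run it from the scanner host after applying
the device-side restriction; if an SVI or uplink address still completes a
TCP handshake on port 22, the restriction is not taking effect there.
"""
import socket
from typing import Dict, Iterable


def ssh_reachable(addresses: Iterable[str], port: int = 22,
                  timeout: float = 2.0) -> Dict[str, bool]:
    """Return {address: True} when a TCP handshake on `port` completes.

    A refused connection or a timeout (the case when the control plane
    drops the SYN) both count as not reachable.
    """
    results: Dict[str, bool] = {}
    for addr in addresses:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                results[addr] = True
        except (OSError, socket.timeout):
            results[addr] = False
    return results


def only_loopback_answers(results: Dict[str, bool], loopback: str) -> bool:
    """True when the loopback accepts SSH and no other address does."""
    if not results.get(loopback, False):
        return False
    return not any(ok for addr, ok in results.items() if addr != loopback)


if __name__ == "__main__":
    # Constructed addresses: loopback from the poster's ACL, the rest invented.
    DEVICE = {
        "loopback": "10.10.10.10",
        "svi":      "10.20.30.1",
        "uplink":   "10.0.0.2",
    }
    found = ssh_reachable(DEVICE.values())
    for name, addr in DEVICE.items():
        state = "accepts SSH" if found[addr] else "no connection"
        print(f"{name:8} {addr:15} {state}")
    if only_loopback_answers(found, DEVICE["loopback"]):
        print("OK: SSH is reachable only on the loopback")
    else:
        print("FAIL: SSH still reachable on a non-loopback address")
```

Because the scanner keys its report on whichever address it reaches, a passing run here also means the report should carry the loopback's DNS name.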