
Limiting SSH to Loopback Address Only


I am attempting to stop SSH to any IP on my switches except the loopback address. I have created a few different access lists and applied them as an access-class on the vty lines, but this just locks me out of the switch altogether.


Here is the issue: we have a vuln scanner that logs into our devices and provides a report of items found, but it keeps logging into the wrong interface, so the report does not include the DNS name of the device... I want to stop SSH into VLAN IPs or uplink IPs to get the more readable report, and when the scanner hits more than one address on the same device it reports the vulns for each IP address.


Below is an example of what I attempted and was unable to access my test switch after the changes.


The point is to allow SSH only to the loopback interface, not initially to limit where it is coming from.


access-list 101 permit 22 any host

line vty 0 4

access-class 101 in 


I have done a few more variations, but it does not seem to matter; as soon as this goes on, it blocks access to the VTY lines.


Thanks for the link, that is the response I needed. 

Glad to help.

Good luck!



I'm also experiencing this same issue; however, I don't see a drop command for the policy map. I tried setting the policy map to "police 32000 conform-action drop exceed-action drop violate-action drop", but I was still able to get in using the SVI IP. Is there a better solution than applying an ACL to each interface?
