Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6093
Views
5
Helpful
1
Replies

Nexus 7010 - How to block SSH access on SVI interfaces

Khoa Pham
Level 1
Level 1

‎06-04-2012 08:56 AM - edited ‎03-07-2019 07:03 AM

I use Nexus 7010 as our layer 3 router.

I have ssh feature turned on so I can manage it from the management interface.

I just found out that users can use putty to ssh to the local SVI interface of the NEXUS. Although they still need username and password to login but we dont want them even able to bring up the welcome screen.

Example, user's IP is : 172.16.25.100 , they can ssh to 172.16.25.1 which is the NX SVI interface

How to block that?

Please advise.

Thank you.

Labels:
0 Helpful
1 Reply 1

Ivan Shirshin
Cisco Employee
Cisco Employee

‎06-04-2012 10:43 AM

Hi Khoa,

You should apply an access class to the VTY port to restrict SSH and Telnet access by specific source and destination  IP addresses.

In your case you can put a deny statement first for IP of the user and then permit everything else as 2nd line of ACL. 

n7000(config)# ip access-list vty-acl-in


n7000(config-acl)# deny tcp host 172.16.25.100 any eq 22
n7000(config-acl)# permit ip any any



n7000(config)# line vty


n7000(config-line)# ip access-class vty-acl-in in

Kind Regards,
Ivan

**Please grade this post if you find it useful.

Kind Regards,
Ivan
Customers Also Viewed These Support Documents