973 Views, 0 Helpful, 11 Replies

SSH, SFTP, ICMP, SNMP BLOCK through access list cisco 9300 switch

ddesai (Level 1)

Hi Team,

How can I block SSH through an access list?

Could you please provide me a step-by-step configuration?

 

Thanks,

DD

11 Replies

Hi @ddesai

You need to create an access list on the switch blocking the traffic you want and allowing the traffic that is necessary.

For example, you want to block the network 192.168.1.0/24 from accessing the switch:

conf t
ip access-list extended 100
 deny ip 192.168.1.0 0.0.0.255 any
 permit ip any any

Then you need to apply this access list on the line vty:

line vty 0 4
 access-class 100 in
line vty 5 15
 access-class 100 in

I want to allow only one public and one LAN IP address to access from the internet.

Can we allow only two IPs and deny the rest?

ddesai (Level 1)

Thanks for the update.
I want to block SSH, ICMP, SFTP and SNMP from the outside network.

You need to know the source of the traffic first and organize the access list based on that.

For SSH, you can do exactly as I described, using the VTY ACL.

For ICMP, SFTP and SNMP it is different. You still need the ACL, but you will apply it on the management interface or the interface VLAN used for management.

Thanks for the update.
Will check and update.

Can we do

ip access-list extended 105
 60 deny ip any any
 70 permit tcp any host <switch mgmt IP address>
 80 permit tcp any host <switch public IP address> eq 22

Can we use line VTY 0 3 instead of line VTY 0 4?

The following command does not work.

It blocks my local IP for SSH too.

ip access-list extended 105
 110 deny tcp host <public IP address> eq 22 any
 ! to disable SSH
 permit ip any any

line vty 0 3
 access-class 100 in

The access list must be

ip access-list extended 105
 110 deny tcp host <public ip> host <switch ip> eq 22
 120 permit ip any any
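To see why the entries in this thread behave as they do, here is a small Python model of how IOS evaluates an IPv4 access list: top-down, first match wins, with an implicit deny at the end and wildcard masks for network ranges. It is an added example, not code from the thread or from Cisco. The addresses (203.0.113.1 for the switch, 198.51.100.25 for the outside host, 192.168.1.10 for the LAN admin) and the list names are constructed placeholders. It checks the "deny ip any any first" list proposed earlier, the entry with eq 22 on the source, the corrected entry above with eq 22 on the destination, and an allow-list answering the "only two IPs and deny the rest" question.

```python
# Added example (not from the thread): a small first-match evaluator for
# Cisco-style IPv4 access-list entries, used to check the ACLs discussed
# above. All addresses are constructed samples, not anyone's real hosts.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry. Address specs: 'any', 'host A.B.C.D', or
    'A.B.C.D W.W.W.W' (IOS wildcard: 0 bits must match, 1 bits are ignored)."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str
    dst: str
    src_port: Optional[int] = None   # an "eq N" written after the source
    dst_port: Optional[int] = None   # an "eq N" written after the destination


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def addr_match(spec: str, addr: str) -> bool:
    """Match an ACL address spec against a concrete IPv4 address."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wildcard = parts
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (
        ace.proto in ("ip", pkt.proto)
        and addr_match(ace.src, pkt.src)
        and addr_match(ace.dst, pkt.dst)
        and (ace.src_port is None or ace.src_port == pkt.src_port)
        and (ace.dst_port is None or ace.dst_port == pkt.dst_port)
    )


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; no match falls to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample addresses (RFC 5737 documentation ranges).
SWITCH = "203.0.113.1"        # switch's public / management address
OUTSIDE = "198.51.100.25"     # the public host that should be blocked
LAN_ADMIN = "192.168.1.10"    # the one LAN host that should keep SSH

# The "can we do" ACL 105: deny first, so the permits underneath never match.
ACL_DENY_FIRST = [
    Ace("deny", "ip", "any", "any"),
    Ace("permit", "tcp", "any", f"host {SWITCH}"),
    Ace("permit", "tcp", "any", f"host {SWITCH}", dst_port=22),
]

# The "does not work" entry: eq 22 sits on the SOURCE, but an SSH client's
# source port is ephemeral, so this deny never matches an SSH connection.
ACL_EQ_ON_SOURCE = [
    Ace("deny", "tcp", f"host {OUTSIDE}", "any", src_port=22),
    Ace("permit", "ip", "any", "any"),
]

# The corrected entry from the reply: eq 22 on the destination (the switch).
ACL_CORRECTED = [
    Ace("deny", "tcp", f"host {OUTSIDE}", f"host {SWITCH}", dst_port=22),
    Ace("permit", "ip", "any", "any"),
]

# Allow-list for "only two IPs and deny the rest": rely on the implicit deny.
ACL_TWO_HOSTS = [
    Ace("permit", "tcp", f"host {LAN_ADMIN}", f"host {SWITCH}", dst_port=22),
    Ace("permit", "tcp", "host 198.51.100.200", f"host {SWITCH}", dst_port=22),
]


def ssh_from(src: str) -> Packet:
    """An inbound SSH connection: ephemeral source port, destination port 22."""
    return Packet("tcp", src, SWITCH, src_port=51000, dst_port=22)


if __name__ == "__main__":
    for name, acl in [("deny-first", ACL_DENY_FIRST), ("eq-on-source", ACL_EQ_ON_SOURCE),
                      ("corrected", ACL_CORRECTED), ("two-hosts", ACL_TWO_HOSTS)]:
        print(name, "outside:", evaluate(acl, ssh_from(OUTSIDE)),
              "lan-admin:", evaluate(acl, ssh_from(LAN_ADMIN)))
```

Run it and the deny-first list denies everyone (including the LAN admin), the eq-on-source list permits the outside host it was meant to block, the corrected list blocks only that host, and the two-host allow-list permits exactly the two named sources and drops everything else through the implicit deny. The same first-match rule applies whether the list is attached with access-class on the vty lines or as an interface ACL on the management SVI, so entry order matters in both places.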

Joseph W. Doherty (Hall of Fame)

"How can I block SSH through an access list?"

Not sure you can. Maybe with NBAR (?). Also, blocking SSH might implicitly block SCP too.

However, later you write:

"I want to block from outside network SSH and ICMP and SFTP and SNMP."

That's possible.

You then write:

"I want to allow only one public and one LAN IP address to access from the internet.

Can we allow only two ip and rest of deny ?"

LAN IP access from Internet???  

However, the answer to those two questions is likely yes too.

You have another posting with:

"Can we use line VTY 0 3 instead of line VTY 0 4?"

It would be helpful if you could precisely define what exactly you want to accomplish.

BTW, for devices directly reachable from the Internet, it's a relatively good practice to block ALL outside traffic to the device itself (don't confuse this with transit traffic, although "filtering" transit traffic might be done too), and only allow very specific access.

Leo Laohoo (Hall of Fame)

conf t
 line vty 0 90
 transport input telnet
end