SSH /Telnet Access Restriction

CSCO12094806
Level 1

Dear All,

We are trying to restrict SSH/Telnet access on a Cisco 3650 (IOS: Denali 16.3.6) to one VLAN interface.

The switch is working as L3, and the configured VLAN interfaces are listed below.

 

VLAN 100- Data (Interface IP: 192.168.100.1/24)

VLAN 150- Server (Interface IP: 192.168.150.1/24)

VLAN 200- VOICE (Interface IP: 192.168.200.1/24)

VLAN 225- Management (Interface IP: 192.168.225.1/24)

 

We need to allow SSH/Telnet access only to the Management VLAN interface (192.168.225.1); all Telnet/SSH access to the remaining VLAN interfaces should be restricted (i.e. users from any network should be able to SSH/Telnet to 192.168.225.1).

 

We are trying to restrict this using an access list assigned in line VTY mode, but it is blocking all Telnet/SSH access, including access to 192.168.225.1.

We tried the following configuration:

1) Access List

Extended IP access list SW_REMOTE_ACCESS
10 permit tcp any host 192.168.225.1 eq telnet 22
20 deny ip any any

 

2) Assign Access List on Line VTY

line vty 0 4
exec-timeout 30 0
login local
transport input ssh telnet
transport output ssh telnet
access-class SW_REMOTE_ACCESS in
access-class SW_REMOTE_ACCESS out

 

7 Replies

Seb Rupik
VIP Alumni

Hi there,

Try this:

!
control-plane host
  management-interface vlan225 allow ssh telnet
!
access-list 10 permit 192.168.225.0 0.0.0.255
access-list 10 deny any
!
line vty 0 4
  access-class 10 in
  transport input ssh telnet
!

Use MPP to limit what control traffic is permitted and on which interface. Combine this with an ACL filtering on source IP and apply it to the VTY lines.

 

cheers,

Seb.

https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html

 

Hi Seb, thanks for the reference; unfortunately the switch is not accepting the MPP command (control-plane host).

Please find the attached screenshot.

 

Switch Model: WS-C3650-24TD

IOS Version: Denali (16.3.6).

 

Expecting your valuable inputs.

My mistake; it looks like MPP was dropped in the IOS-XE transition from 3.x to 16.x. In that case, try the CoPP implementation suggested by @paul driver.

 

cheers,

Seb.

Hello

 

Try using CoPP to accomplish this.

access-list 100 permit tcp any host 192.168.100.1 eq telnet
access-list 100 permit tcp any host 192.168.100.1 eq 22
access-list 100 permit tcp any host 192.168.150.1 eq telnet
access-list 100 permit tcp any host 192.168.150.1 eq 22
access-list 100 permit tcp any host 192.168.200.1 eq telnet
access-list 100 permit tcp any host 192.168.200.1 eq 22


class-map match-any MGT_cm
 match access-group 100

policy-map MGT_pm
 class MGT_cm
  drop
 class class-default

control-plane
 service-policy input MGT_pm


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Could you please help me clarify the points below.

 

1) Based on the earlier shared config sample:

a> ACL 100 matches any source to allow Telnet/SSH to the VLAN interfaces (192.168.100.1 / 192.168.150.1 / 192.168.200.1).

b> class-map match-any MGT_cm      // matches only ACL 100
     match access-group 100

 

c> policy-map MGT_pm
     class MGT_cm
      drop
     class class-default

     // this policy-map matches the earlier defined class-map (MGT_cm),

but what is the purpose of the next two lines (drop, class class-default)?

 

d> Then

    control-plane
    service-policy input MGT_pm      // the policy-map defined above (MGT_pm) is applied on the control plane.

 

So my understanding is that whatever request is matched by the ACL will be allowed Telnet or SSH access, and all other control-plane access will be rejected, including SNMP, HTTP and HTTPS.

 

Hi Paul Driver, could you please help me clarify my earlier query (dated 16 Aug 2018).

Also, the switch currently has a default control-plane policy (running-config commands are attached).

Can we add the policy-map (MGT_pm) to the default policy-map (system-cpp-policy)?

 

 

Hi Paul Driver,

We tried to configure the policy based on your earlier post, but we are unable to configure the CoPP policy (the switch doesn't accept a new policy because it already has a default policy configured at factory default, and we are unable to delete the default policy either).

A: New policy configured to restrict Telnet/SSH to allow only 192.168.100.1 (also refer to Attachment No. 01)

 

access-list 150 permit ip any host 192.168.100.1
access-list 150 permit tcp any host 192.168.100.1 eq telnet
access-list 150 permit tcp any host 192.168.100.1 eq 22
access-list 150 deny ip any any

 

class-map match-any MGMT_CM
 match access-group 150

policy-map MGMT_PM
 class MGMT_CM
  drop
 class class-default

 

SW(config)#control-plane
SW(config-cp)#service-policy input MGMT_PM     // command rejected with message "Policy map system-cpp-policy is already attached"

 

A.1: When we try to add the above configured class-map to the default policy-map (system-cpp-policy), we get the following error message:

 

SW(config)#policy-map system-cpp-policy
SW(config-pmap)#class MGMT_CM
Error: MGMT_CM is not a valid class in system-cpp-policy policy : Class rejected
% class MGMT_CM of type default is not allowed in policy-map system-cpp-policy of type default.

 

Default CoPP policy details are given in attachment no. 02.

 

Kindly help us solve/achieve our requirement.
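As an added example (not from the thread or from Cisco), here is a small Python evaluator for the ACL syntax used in the posts above, with the class semantics of Paul's policy-map (matched flow hits the drop class, everything else is class-default) modelled on top of it. It checks ACL matching only, not how a given platform applies access-class or system-cpp-policy; the client address 192.168.100.50 is a constructed sample.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22}
def ip(s): return int(ipaddress.IPv4Address(s))   # dotted quad -> 32-bit int

def _addr(t):
    """Consume one address spec; return (value, care_mask, remaining tokens)."""
    if t[0] == "any":
        return 0, 0, t[1:]
    if t[0] == "host":
        return ip(t[1]), 0xFFFFFFFF, t[2:]
    return ip(t[0]), 0xFFFFFFFF ^ ip(t[1]), t[2:]   # IOS wildcard: 1 bit = don't care

def parse_entry(line):
    """Parse one ACE: optional sequence number, then standard or extended syntax."""
    t = line.split()
    t = t[1:] if t[0].isdigit() else t
    action, t = t[0], t[1:]
    if t[0] in ("ip", "tcp", "udp"):          # extended: proto src dst [eq ports]
        proto, (sv, sm, t) = t[0], _addr(t[1:])
        dv, dm, t = _addr(t)
        ports = {int(PORT_NAMES.get(p, p)) for p in t[1:]} if t and t[0] == "eq" else set()
    else:                                      # standard: source address only
        proto, (sv, sm, t), dv, dm, ports = "ip", _addr(t), 0, 0, set()
    return action, proto, sv, sm, dv, dm, ports

def evaluate(acl, flow):
    """Action of the first ACE matching flow (proto, src, dst, dport); no match = implicit deny."""
    src, dst = ip(flow["src"]), ip(flow["dst"])
    for action, proto, sv, sm, dv, dm, ports in map(parse_entry, acl):
        if proto not in ("ip", flow["proto"]) or (src & sm) != (sv & sm) or (dst & dm) != (dv & dm):
            continue
        if ports and flow.get("dport") not in ports:
            continue
        return action
    return "deny"

def copp_verdict(acl, flow):
    """Paul's policy: a flow the class ACL permits lands in 'drop'; the rest is class-default."""
    return "drop" if evaluate(acl, flow) == "permit" else "pass"

# Entries from Paul's ACL 100 (first two SVIs) and the ACL 150 from the last post.
ACL_100 = ["permit tcp any host 192.168.100.1 eq telnet", "permit tcp any host 192.168.100.1 eq 22",
           "permit tcp any host 192.168.150.1 eq telnet", "permit tcp any host 192.168.150.1 eq 22"]
ACL_150 = ["permit ip any host 192.168.100.1", "permit tcp any host 192.168.100.1 eq telnet",
           "permit tcp any host 192.168.100.1 eq 22", "deny ip any any"]
# Constructed sample flows from a hypothetical client on the data VLAN.
SSH_TO_MGMT = {"proto": "tcp", "src": "192.168.100.50", "dst": "192.168.225.1", "dport": 22}
SSH_TO_DATA = {"proto": "tcp", "src": "192.168.100.50", "dst": "192.168.100.1", "dport": 22}
HTTPS_TO_DATA = {"proto": "tcp", "src": "192.168.100.50", "dst": "192.168.100.1", "dport": 443}
```

Run against ACL 150 from the last post, the first entry (permit ip any host 192.168.100.1) shadows the two TCP entries, so the drop class discards every packet to 192.168.100.1, HTTPS included, which is the opposite of the stated intent.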