topic Blocking SSH access to most layer 3 interfaces. in ExtremeSwitching (EXOS/Switch Engine)

Blocking SSH access to most layer 3 interfaces.

Nick_Stovall — Sat, 09 Dec 2017 01:30:00 GMT

By default, enabling SSH enables you to SSH into a switch via any L3 interface on that switch. I'd like to limit access to only one specific IP address on this switch (x670).

The "configure ssh2 access-profile" command is gimped in that it only accepts "source-address" as a match condition in its ACL.

Is my only option here to create an ACL that blocks ssh to each IP address on the switch explicitly, then apply that to each VLAN interface?

RE: Blocking SSH access to most layer 3 interfaces.

Patrick_Voss — Sat, 09 Dec 2017 01:34:00 GMT

Nick,

I am not sure I understand your request. It sounds like you want to only allow a switch to SSH into other switches? Regardless the access profile being configured on EVERY switch in the network should only allow the IP-address you put into the ACL.

RE: Blocking SSH access to most layer 3 interfaces.

Ronald_Dvorak — Sat, 09 Dec 2017 01:36:00 GMT

If I unterstand it correctly the issue is if the switch has more then one IP (vlan interface) then ssh is allowed on all adresses.

RE: Blocking SSH access to most layer 3 interfaces.

Erik_Auerswald — Sun, 10 Dec 2017 00:51:00 GMT

Hi Nick,

you might be able to use a separate virtual router for the management IP, and then restrict SSH (and other management protocols) to use only that virtual router.

Another possiblity is to bind an ACL (e.g. a .pol file) to any port&VLAN, and deny SSH traffic to all IP interfaces configured on the layer 3 switch except the one you want to use for SSH access.

Thanks,
Erik

RE: Blocking SSH access to most layer 3 interfaces.

Nick_Stovall — Sun, 10 Dec 2017 00:51:00 GMT

Thanks! This is what I was looking for.

Re: RE: Blocking SSH access to most layer 3 interfaces.

krengele — Mon, 07 Apr 2025 23:45:52 GMT

How did you do this exactly? Did you have separate entries for each interface you wanted to block?
Does anyone know if we can we use logical OR's in ACL entries? Like this:

entry deny_ssh2interfaces {

if match all {

source-address 10.0.0.0/8;

destination-address 10.99.17.17/32 || destination-address 10.99.17.33/32;

destination-port 22;

} then {

deny;

}