cancel
Showing results for 
Search instead for 
Did you mean: 

Blocking SSH access to most layer 3 interfaces.

Blocking SSH access to most layer 3 interfaces.

Nick_Stovall
New Contributor
By default, enabling SSH enables you to SSH into a switch via any L3 interface on that switch. I'd like to limit access to only one specific IP address on this switch (x670).

The "configure ssh2 access-profile" command is gimped in that it only accepts "source-address" as a match condition in its ACL.

Is my only option here to create an ACL that blocks ssh to each IP address on the switch explicitly, then apply that to each VLAN interface?

4 REPLIES 4

Erik_Auerswald
Contributor II
Hi Nick,

you might be able to use a separate virtual router for the management IP, and then restrict SSH (and other management protocols) to use only that virtual router.

Another possiblity is to bind an ACL (e.g. a .pol file) to any port&VLAN, and deny SSH traffic to all IP interfaces configured on the layer 3 switch except the one you want to use for SSH access.

Thanks,
Erik

Thanks! This is what I was looking for.

Ronald_Dvorak
Honored Contributor
If I unterstand it correctly the issue is if the switch has more then one IP (vlan interface) then ssh is allowed on all adresses.

Patrick_Voss
Extreme Employee
Nick,

I am not sure I understand your request. It sounds like you want to only allow a switch to SSH into other switches? Regardless the access profile being configured on EVERY switch in the network should only allow the IP-address you put into the ACL.
GTM-P2G8KFN