Blocking SSH access to most layer 3 interfaces.
‎12-08-2017 05:30 PM
By default, enabling SSH enables you to SSH into a switch via any L3 interface on that switch. I'd like to limit access to only one specific IP address on this switch (x670).
The "configure ssh2 access-profile" command is gimped in that it only accepts "source-address" as a match condition in its ACL.
Is my only option here to create an ACL that blocks ssh to each IP address on the switch explicitly, then apply that to each VLAN interface?
4 REPLIES
‎12-09-2017 04:51 PM
Hi Nick,
you might be able to use a separate virtual router for the management IP, and then restrict SSH (and other management protocols) to use only that virtual router.
Another possibility is to bind an ACL (e.g. a .pol file) to any port & VLAN, and deny SSH traffic to all IP interfaces configured on the layer 3 switch except the one you want to use for SSH access.
Thanks,
Erik
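Worked illustration of the second option above (a deny-to-own-interfaces ACL). This is an added example, not Erik's or Extreme's own configuration; the policy name, VLAN names and interface addresses (10.10.10.1, 10.10.20.1 and the management interface 10.10.99.1) are placeholders chosen for the example. It relies on EXOS permitting any packet that matches no ACL entry, so the interface that should keep accepting SSH simply has no entry; if your ACL ends in a catch-all deny, add a permit entry for it ahead of that.

```text
# ssh_limit.pol  (constructed example)
# Drop SSH (TCP/22) addressed to each of the switch's own L3 interfaces,
# except the management interface 10.10.99.1, which gets no entry and is
# therefore allowed by the ACL's default permit.

entry deny_ssh_vlan_users {
    if {
        protocol tcp;
        destination-address 10.10.10.1/32;
        destination-port 22;
    } then {
        deny;
        count ssh_denied_users;
    }
}

entry deny_ssh_vlan_servers {
    if {
        protocol tcp;
        destination-address 10.10.20.1/32;
        destination-port 22;
    } then {
        deny;
        count ssh_denied_servers;
    }
}

# One deny entry per additional L3 interface address on the switch.
# Remember to add an entry whenever a new VLAN gets an IP address,
# otherwise that interface silently becomes a new SSH entry point.

# EXOS CLI (run on the switch after the .pol file is in place):
#   check policy ssh_limit                  - syntax check before applying
#   configure access-list ssh_limit any ingress
#   show access-list                        - confirm the binding
#   show access-list counter                - watch the deny counters grow
#   refresh policy ssh_limit                - reload after editing the file
```

Binding the policy with "any" makes it a wildcard ACL that is evaluated for ingress traffic on every port, so it does not need to be applied per VLAN. It complements rather than replaces "configure ssh2 access-profile": keep that profile for the source-address restriction, and use this ACL for the destination-interface restriction the profile cannot express.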
‎12-09-2017 04:51 PM
Thanks! This is what I was looking for.
‎12-08-2017 05:36 PM
If I understand it correctly the issue is if the switch has more than one IP (VLAN interface) then SSH is allowed on all addresses.
‎12-08-2017 05:34 PM
Nick,
I am not sure I understand your request. It sounds like you want to only allow a switch to SSH into other switches? Regardless the access profile being configured on EVERY switch in the network should only allow the IP-address you put into the ACL.
