Extreme Networks

Nick_Stovall · ‎12-08-2017

By default, enabling SSH enables you to SSH into a switch via any L3 interface on that switch. I'd like to limit access to only one specific IP address on this switch (x670).

The "configure ssh2 access-profile" command is gimped in that it only accepts "source-address" as a match condition in its ACL.

Is my only option here to create an ACL that blocks ssh to each IP address on the switch explicitly, then apply that to each VLAN interface?

Erik_Auerswald · ‎12-09-2017

Hi Nick,

you might be able to use a separate virtual router for the management IP, and then restrict SSH (and other management protocols) to use only that virtual router.

Another possiblity is to bind an ACL (e.g. a .pol file) to any port&VLAN, and deny SSH traffic to all IP interfaces configured on the layer 3 switch except the one you want to use for SSH access.

Thanks,
Erik

Nick_Stovall · ‎12-09-2017

Thanks! This is what I was looking for.

krengele · a week ago

How did you do this exactly? Did you have separate entries for each interface you wanted to block?
Does anyone know if we can we use logical OR's in ACL entries? Like this:

entry deny_ssh2interfaces {

if match all {

source-address 10.0.0.0/8;

destination-address 10.99.17.17/32 || destination-address 10.99.17.33/32;

destination-port 22;

} then {

deny;

}

Ronald_Dvorak · ‎12-08-2017

If I unterstand it correctly the issue is if the switch has more then one IP (vlan interface) then ssh is allowed on all adresses.

Extreme Networks

Blocking SSH access to most layer 3 interfaces.

Blocking SSH access to most layer 3 interfaces.