SSH configuration on VTY Line

haidar_alm
Level 1

Hello,

Just a quick question if you don't mind.

We've got our switches and routers configured for using SSH only to be accessed on the vty lines.

Here is an example:

ip access-list extended SSH_ACCESS
 permit tcp 10.x.x.x 0.0.127.255 any eq 22
line vty 0 2
 access-class SSH_ACCESS in
line vty 3 4
 transport input none
line vty 5 15
 transport input none

Based on this configuration I can see that on vty 0, 1, and 2 only devices using the 10.x.x.x with subnet range 0.0.125.255 can access using SSH. My question is about vty 3, 4, and then 5-15.

I can also see that the transport input command doesn't specify SSH. Shouldn't it say SSH if we only want SSH to access the switches/routers using these VTY lines? And also, shouldn't the access-class SSH_ACCESS in be applied to the rest of the vty lines other than 0 2?

Many thanks,

H

3 Replies

manju.cisco
Level 3

Hi,

Your vty lines 3 to 15 are unusable since you have "transport input none" configured there, so no protocols will be allowed as incoming.

To re-use those vty lines you should give "transport input ssh" so that you can still have ssh access to the device on vty lines 3 to 15.

Your access-list here is helping only to allow ssh connections from the 10.x network. If you want ssh connections only from the 10.x network, then apply the access list on all vty lines. If any source can ssh, then applying the access-list is not required on the vty lines.

Hope this helps.

Thanks

nikalleyne
Level 1

Try this instead

!
line vty 0 2
 access-class SSH_ACCESS in
 ---- Allow only incoming SSH and NO Telnet
 transport input ssh
 ---- Since you have a preference for ssh you can also use
 transport preferred ssh
 ---- If you would also like to use the switch as a pivot point to get to other switches you can also use
 transport output ssh telnet
line vty 3 4
 access-class SSH_ACCESS in
 ---- Allow only incoming SSH and NO Telnet
 transport input ssh
 ---- Since you have a preference for ssh you can also use
 transport preferred ssh
 ---- If you would also like to use the switch as a pivot point from these lines to get to other switches you can also use
 transport output ssh telnet
line vty 5 15
 transport input none
 ---- If you would NOT like to use your switch as a pivot point from these lines
 transport output none

Hi haidar,

What the previous posts said is right: you need to allow input ssh on the line vty to allow ssh access. Then you can restrict the ssh access by defining the rules (SSH_ACCESS) so that you permit only the required subnets or hosts, like below.

line vty 0 2
 access-class SSH_ACCESS in
 transport input ssh

Please rate the helpful posts.
Regards,
Naidu.
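To make the advice in these replies checkable, here is an added audit script (not part of the thread, and not Cisco tooling) that parses the `line vty` sections of a running-config and flags lines that accept non-SSH input or have no inbound access-class. The config excerpts it runs on are constructed, with placeholder addresses.

```python
import re
# Constructed running-config excerpt modelled on the question (placeholder addresses).
WEAK_CONFIG = """\
ip access-list extended SSH_ACCESS
 permit tcp 10.0.0.0 0.0.127.255 any eq 22
!
line vty 0 2
 access-class SSH_ACCESS in
line vty 3 4
 transport input none
line vty 5 15
 transport input none
"""
# After the replies' advice: SSH only and filtered on every open line, the rest closed.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "line vty 0 2\n access-class SSH_ACCESS in\nline vty 3 4\n transport input none\n",
    "line vty 0 4\n access-class SSH_ACCESS in\n transport input ssh\n")
VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")

def parse_vty_blocks(config):
    """Map each (first, last) vty range to its transport input words and inbound access-class."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = VTY_RE.match(raw.strip())
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = {"transport_input": None, "access_class": None}
            continue
        if current is None or not raw.startswith(" "):
            current = None  # IOS indents sub-commands; an unindented command ends the section
            continue
        words = raw.split()
        if words[:2] == ["transport", "input"]:
            blocks[current]["transport_input"] = words[2:]
        elif words[:1] == ["access-class"] and words[-1] == "in":
            blocks[current]["access_class"] = words[1]
    return blocks

def audit_vty(config):
    """Return (range, finding) pairs for vty lines that accept non-SSH input or lack a filter."""
    findings = []
    for rng, b in sorted(parse_vty_blocks(config).items()):
        label, ti = "vty %d %d" % rng, b["transport_input"]
        if ti == ["none"]:
            continue  # closed to inbound sessions; nothing to filter
        if ti != ["ssh"]:
            findings.append((label, "transport input not restricted to ssh (got: %s)"
                             % (" ".join(ti) if ti else "platform default")))
        if b["access_class"] is None:
            findings.append((label, "no inbound access-class; any source may open a session"))
    return findings
```

Run `audit_vty(WEAK_CONFIG)` to see the unrestricted transport on vty 0 2 reported, and `audit_vty(HARDENED_CONFIG)` to confirm the corrected layout produces no findings.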
