4500-Sup7; SSH and admin VRF only

Surya ARBY
Level 4

Hello all.

I may be blind but I've not seen this topic in the documentation; I refer to "Catalyst 4500 Series Switch Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG".

The Sup7 has a dedicated FastEthernet port which is automatically put into a VRF named "mgmtvrf".

What I want to do is to permit inbound SSH only on this interface (VRF) and not on any other IP owned by the switch...

How can I do that? By default any feature enabled on the switch is bound to all IP addresses defined in the switch belonging to all VRFs...

Technically I want the SSH process to listen only in the admin VRF.

2 Replies

Surya ARBY
Level 4

Finally, I couldn't find a way to implement Management Plane Protection in the parser; the following commands don't do the job:

control-plane host

management-interface Fa0/1 allow ssh telnet

The "control plane host" doesn't work and there is no "management-interface" subcommand in the "control plane" section.

Has anybody succeeded in implementing MPP for the admin port of a SUP7-E in a 4500?

I'm running the latest version: IOS 15.1 / IOS XE 3.3.0 SG

It seems that it's not documented in the configuration guide.

And the feature navigator seems to be clear: only supported in IOS XR and standard IOS for routers but not switches??? Even with the IOS XE / 15.1 train?

Hi Surya,

Answered here:

https://supportforums.cisco.com/message/3684157

Nik

HTH,
Niko