
New Member

Disable SSH Access on SVI's (Vlan Interfaces)

Hi All,

We are using Nexus switches and also other access layer switches on which multiple Layer 3 interfaces (SVIs) have been configured.

My objective is to disable SSH access on the Layer 3 SVIs and only use the mgmt0 port on the Nexus for SSH access.

Can someone help me achieve this?

For example, if there is a Vlan 108 configured:

interface Vlan108
  no shutdown
  vrf member ***
  no ip redirects
  ip address 192.168.108.Y/22
  hsrp 108
    preempt delay reload 108
    priority 150
    ip 192.168.108.x

Then anyone can SSH to 108.x or 108.Y.

What I need is to restrict it to only the mgmt0 interface:

interface mgmt0
  ip address 192.168.127.x/24

3 REPLIES

Hi,

I was just working on this with an N5548.

Allow SSH:

ip access-list VTY-ACCESS
  permit tcp <subnet or host ip> any eq 22
line vty
  access-class VTY-ACCESS in

or if you want to allow a subnet or host:

ip access-list VTY-ACCESS
  permit ip <subnet or host ip> any
line vty
  access-class VTY-ACCESS in

New Member

Yes, I know this works if I want to restrict on a source IP/subnet basis.

But my requirement is different.

What I tried earlier was to create an access list:

ip access-l ext 100
  permit tcp any host x.x.x.x (management interface) eq 22
  deny tcp any any eq 22
line vty
  ip access-c 100

But that did not work.

In fact it blocked SSH on the entire switch.

So if I want to restrict on a source basis this solution will be perfect, and it works, which I have tested.

But what I am trying to figure out is how to let anyone SSH, but only to the management interface or a particular SVI.

New Member

Saurabh,

  1. Create an extended access list. The specified hosts are the addresses of the SVIs you want to deny SSH access to:

ip access-list extended DENY_SSH
  permit tcp any host 10.20.71.1 eq 22
  permit tcp any host 10.20.73.1 eq 22
  permit tcp any host 10.1.1.1 eq 22
  permit tcp any host 10.1.200.1 eq 22
  permit tcp any host 10.1.173.1 eq 22

  2. Create a VACL access-map in order to specify the needed actions:

vlan access-map DENY_SSH_ACCESS 10
  match ip address DENY_SSH
  action drop
vlan access-map DENY_SSH_ACCESS 20
  action forward

  3. Create a vlan filter and specify which VLANs the actions should be taken against:

vlan filter DENY_SSH_ACCESS vlan-list 600,100,200,73,173

Let's say your management VLAN is VLAN 210: you don't need to specify it in the VLAN filter list or in the access list, and you should be able to SSH into your L3 switch only via VLAN 210.

Thanks,
Amir
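To make the three steps in the reply above concrete, here is an added Python example (mine, not from the thread and not Cisco code) that reads a configuration like the one in the question, collects each SVI's interface address together with any HSRP virtual IP (SSH answers on both 108.x and 108.Y, as the question notes), and emits the access list, VACL access-map and vlan filter with the management VLAN left out of both, as the reply describes. The sample configuration and every address in it are constructed for the example; the `nxos` flag, which drops the `extended` keyword that NX-OS named ACLs do not take, is my addition rather than something the thread states.

```python
"""Generate the VACL-style SSH restriction from the reply above out of a
switch configuration. Added example for this thread; not Cisco code and
not from any of the posters. Assumes IOS/NX-OS-like configuration text."""
import re
from typing import Dict, List

# Constructed sample config, modelled on the Vlan108 snippet in the question.
# Every address here is made up for the example.
SAMPLE_CONFIG = """\
interface Vlan108
  no shutdown
  vrf member PROD
  no ip redirects
  ip address 192.168.108.2/22
  hsrp 108
    preempt delay reload 108
    priority 150
    ip 192.168.108.1
interface Vlan210
  description MGMT
  ip address 10.10.210.2/24
interface mgmt0
  ip address 192.168.127.5/24
"""

SVI_RE = re.compile(r"^interface Vlan(\d+)\s*$")
ADDR_RE = re.compile(r"^\s+ip address (\d+(?:\.\d+){3})/\d+")
HSRP_VIP_RE = re.compile(r"^\s+ip (\d+(?:\.\d+){3})\s*$")


def svi_addresses(config: str) -> Dict[int, List[str]]:
    """Map each SVI's VLAN id to every IPv4 address SSH would answer on:
    the interface address plus any HSRP virtual IP. mgmt0 and physical
    ports are skipped, so the result never touches out-of-band management."""
    result: Dict[int, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            m = SVI_RE.match(line)
            current = int(m.group(1)) if m else None
            if current is not None:
                result.setdefault(current, [])
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line) or HSRP_VIP_RE.match(line)
        if m:
            result[current].append(m.group(1))
    return result


def deny_ssh_config(svis: Dict[int, List[str]], mgmt_vlan: int,
                    acl: str = "DENY_SSH", vmap: str = "DENY_SSH_ACCESS",
                    nxos: bool = False) -> str:
    """Emit the three pieces from the reply: the ACL listing the SVI addresses
    to deny SSH on, the VACL access-map (drop matches, forward the rest) and
    the vlan filter. The management VLAN is left out of both the ACL and the
    filter list. nxos=True omits the 'extended' keyword (my note: NX-OS named
    ACLs do not take it)."""
    protected = [v for v in sorted(svis) if v != mgmt_vlan and svis[v]]
    if not protected:
        raise ValueError("no SVI other than the management VLAN to protect")
    lines = [f"ip access-list {acl}" if nxos else f"ip access-list extended {acl}"]
    for vlan in protected:
        for addr in svis[vlan]:
            lines.append(f" permit tcp any host {addr} eq 22")
    lines += [
        f"vlan access-map {vmap} 10",
        f" match ip address {acl}",
        " action drop",
        f"vlan access-map {vmap} 20",
        " action forward",
        f"vlan filter {vmap} vlan-list {','.join(str(v) for v in protected)}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(deny_ssh_config(svi_addresses(SAMPLE_CONFIG), mgmt_vlan=210))
```

Check the emitted list against the running configuration before applying it: any SVI or HSRP address that is missing from the ACL stays reachable on port 22, and since the VACL only acts on the VLANs in the filter list, the mgmt0 port in its own management VRF is not affected either way.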
