Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5585
Views
0
Helpful
3
Replies

Disable SSH Access on SVI's (Vlan Interfaces)

Saurabh Kishore
Level 1
Level 1

‎07-08-2014 01:08 AM - edited ‎03-07-2019 07:58 PM

Hi All,

 

We are using Nexus switches and also other access layer switches on which multiple Layer 3 interfaces (SVI's) have been configured.

My Objective is to Disable SSH Access on Layer 3 SVI's and only use the mgmt 0 port on Nexus for SSH access.

Can someone help me in obtaining this.

 

For Eg.

If there is a Vlan 108 configured

interface Vlan108
  no shutdown
  vrf member ***
  no ip redirects
  ip address 192.168.108.Y/22
  hsrp 108
    preempt delay reload 108
    priority 150
    ip 192.168.108.x

Then anyone can access can do an ssh on 108.x or 108.Y

What I need is to restric it only to the mgmt 0 interface

interface mgmt0
  ip address 192.168.127.x/24

Labels:
0 Helpful
3 Replies 3

Ton V Engelen
Level 3
Level 3

‎07-08-2014 01:32 AM

Hi

i was just working on this with a N5548

 

Allow ssh:

ip access-list VTY-ACCESS

permit tcp <subnet or host ip> any eq 22

line vty

  access-class VTY-ACCESS in

 

or if you want to allow a subnet or host :

ip access-list VTY-ACCESS

permit ip <subnet or host ip>

line vty

access-class VTY-ACCESS in


 

0 Helpful

Saurabh Kishore
Level 1
Level 1
In response to Ton V Engelen

‎07-08-2014 01:38 AM

Yes, I know this works if I want to restrict on source IP/Subnet basis

But my requirement is different:

What I did earlier to try was to create an access-l

 

Ip access-l ext 100

permit tcp any host x.x.x.x (management Interface) eq 22

deny tcp any any eq 22

 

line vty

ip access-c 100

 

But that did not work.

Infact it blocked ssh on the entire switch

 

So If I want to restrict on source basis this solution will be perfect and it works which I have tested.

But if I want anyone to ssh but only ssh on management interface or a particular svi is what I am trying to figure out

 

0 Helpful

amir.marashi
Level 1
Level 1

‎06-13-2016 02:32 PM

  1. Create an extended access list:

The specified hosts are the addresses of the SVIs you want to deny SSH access to:


ip access-list extended DENY_SSH

permit tcp any host 10.20.71.1 eq 22

permit tcp any host 10.20.73.1 eq 22

permit tcp any host 10.1.1.1 eq 22

permit tcp any host 10.1.200.1 eq 22

permit tcp any host 10.1.173.1 eq 22

 

  1. Create an VACL access-map in order to specify the needed actions:

vlan access-map DENY_SSH_ACCESS 10

match ip address DENY_SSH

action drop

 

valn access-map DENY_SSH_ACCESS 20

action forward

 

 

  1. Create vlan filter and specify which vlans the actions should be taken against:

 

valn filter DENY_SSH_ACCESS vlan-list 600,100,200,73,173

Lets say your Mgmt VLAN is VLAN 210 you don't need to specify this in the VLAN filter list nor the access-list and you should be able to SSH into your L3 switch only via VLAN 210.

Thanks,
Amir

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card