New Member

Nexus 7010 - How to block SSH access on SVI interfaces

I use Nexus 7010 as our layer 3 router.

I have ssh feature turned on so I can manage it from the management interface.

I just found out that users can use PuTTY to SSH to the local SVI interface of the Nexus. Although they still need a username and password to log in, we don't want them to even be able to bring up the welcome screen.

For example, the user's IP is 172.16.25.100; they can SSH to 172.16.25.1, which is the NX SVI interface.

How to block that?

Please advise.

Thank you.

  • LAN Switching and Routing
1 REPLY
Cisco Employee

Re: Nexus 7010 - How to block SSH access on SVI interfaces

Hi Khoa,

You should apply an access class to the VTY port to restrict SSH and Telnet access by specific source and destination IP addresses.

In your case you can put a deny statement first for the IP of the user and then permit everything else as the 2nd line of the ACL.

n7000(config)# ip access-list vty-acl-in

n7000(config-acl)# deny tcp host 172.16.25.100 any eq 22
n7000(config-acl)# permit ip any any

n7000(config)# line vty

n7000(config-line)# ip access-class vty-acl-in in

Kind Regards,
Ivan

**Please grade this post if you find it useful.
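
To see which clients the ACL in the reply above actually stops, this added example (not part of the original thread) evaluates it first-match against sample source addresses, next to a constructed allow-list variant. The 10.0.0.0/24 management subnet, the sample clients 172.16.25.101 and 10.0.0.5, and the simplified parser (it handles only the ACL forms shown) are assumptions.

```python
import ipaddress

# ACL lines copied from the reply above.
ACL_FROM_REPLY = """
deny tcp host 172.16.25.100 any eq 22
permit ip any any
"""
# Constructed allow-list variant; 10.0.0.0/24 is a hypothetical management subnet.
ACL_ALLOW_LIST = """
permit tcp 10.0.0.0/24 any eq 22
deny ip any any
"""

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok)

def parse_acl(text):
    """Parse the small subset of ACL syntax used above into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = parse_addr(tokens), parse_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def ssh_allowed(rules, src_ip, dst_ip, port=22):
    """First matching rule decides; no match falls to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, rsrc, rdst, rport in rules:
        if proto in ("ip", "tcp") and src in rsrc and dst in rdst and rport in (None, port):
            return action == "permit"
    return False

if __name__ == "__main__":
    # Constructed sample clients: the user from the question, a neighbour, a management host.
    for name, acl in (("reply", ACL_FROM_REPLY), ("allow-list", ACL_ALLOW_LIST)):
        rules = parse_acl(acl)
        for client in ("172.16.25.100", "172.16.25.101", "10.0.0.5"):
            print(name, client, "permit" if ssh_allowed(rules, client, "172.16.25.1") else "deny")
```

With the reply's ACL only 172.16.25.100 is denied and every other source still reaches the SSH prompt; the allow-list variant denies both user-subnet clients and permits only the management host.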
