Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

SSH Access On Specific IP

Hi,

I have configured 10 interface vlan on my cisco core switch 6509.

However I want my users SSH it on management IP only. SSH access on other IP (defined for each interface vlan) should be blocked by switch.

Kindly suggest how to configure this.

Thanks in advance.

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

The easiest way to achieve

The easiest way to achieve that is to bind an access-list to your vty-line. This access-list is normally a standard-ACL, but this time you use an extended ACL that uses your management-IP as the destination:

EDIT: No, that doesn't work as proposed! Please see the other posts.

ip access-list extended MGMT-TRAFFIC

  permit tcp SOURCE-NET host 10.10.10.10 eq 22

line vty 0 4

  access-class MGMT-TRAFFIC in

 

In this example SOURCE-NET is the IP-Network where your management-traffic comes from and 10.10.10.10 is the management-IP on your device.

5 REPLIES
VIP Purple

The easiest way to achieve

The easiest way to achieve that is to bind an access-list to your vty-line. This access-list is normally a standard-ACL, but this time you use an extended ACL that uses your management-IP as the destination:

EDIT: No, that doesn't work as proposed! Please see the other posts.

ip access-list extended MGMT-TRAFFIC

  permit tcp SOURCE-NET host 10.10.10.10 eq 22

line vty 0 4

  access-class MGMT-TRAFFIC in

 

In this example SOURCE-NET is the IP-Network where your management-traffic comes from and 10.10.10.10 is the management-IP on your device.

Community Member

Thanks Karsten...for the

Thanks Karsten...for the reply....it is a great help....

Community Member

Karsten, have you tried this

Karsten, have you tried this before?

I'm having this problem all the time and  i think it's not working. I think i read this years ago that you can't use the destination part of an extended acl in your line vty context. I have just tried this and it not working for me. I can't access vty anymore (on 3750-x with ios 15.0).

I tried this acl to find out why:

ip access-list extended MGMT-TRAFFIC

  permit tcp any host 10.10.10.10 eq 22 log

  permit tcp any any eq 22 log

When i try to ssh in to 10.10.10.10 it works ONLY when there is "permit tcp any any". You can see the the acl counter rising on this "any" ace and you can see a log entry which is saying there is a packet to 0.0.0.0:23 (instead of expected 10.10.10.10:23). So the first ace did not fire. The question is why?

 

So my question, can you confirm this definitly works like you described and i'm doing something wrong?

 

Best regards, Uwe

VIP Purple

I just wanted to answer "yes,

I just wanted to answer "yes, I used that before", but then while thinking about it I imagined: "no, not exactly that way".

I used extended access-list in access-classes for limiting access to port 22 when SSH was running on a different port, but in all these cases the destination was "any". So I tried it again with an IP-destination and you were right. When the destination is not "any", then the ACE doesn't match any more.

So lets find a different way to achieve that. Next to mind comes Control-plane protection:

ip access-list extended SSH-ALLOWED
 permit tcp any host 10.255.192.225 eq 22
ip access-list extended SSH-DENIED
 permit tcp any any eq 22
!
class-map match-all SSH-ALLOWED
 match access-group name SSH-ALLOWED
class-map match-all SSH-DENIED
 match access-group name SSH-DENIED
!
policy-map HOST
 class SSH-ALLOWED
 class SSH-DENIED
  drop
!
control-plane host
 service-policy input HOST

With that SSH to the IP 10.255.192.225 works while SSH to the other addresses doesn't work any more:

c2801#sh policy-map control-plane host
 Control Plane Host

  Service-policy input: HOST

    Class-map: SSH-ALLOWED (match-all)
      577 packets, 47031 bytes
      5 minute offered rate 2000 bps
      Match: access-group name SSH-ALLOWED

    Class-map: SSH-DENIED (match-all)
      8 packets, 608 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name SSH-DENIED
      drop

    Class-map: class-default (match-any)
      26 packets, 2979 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Well, this is a router, and I think it's not supported that way on the Catalyst. But at least control-plane policing should work (on the 6k5, the smaller Catalysts are a different story). At the moment I don't have a Catalyst to play with, but what would be different:

  1. The policy-map is applied to the "control-plane" instead of the "control-plane host"
  2. When the "drop" action is not available, then the policer should instead drop conforming traffic
  3. It's harder to make sure that you don't police traffic that should just flow through 

Here are some links on CoPP:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/control_plane_policing_copp.html

Depending on device specify a

Depending on device specify a management interface and the management protocol that should have access to the management along with the proper ACLs.
-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
775
Views
0
Helpful
5
Replies
CreatePlease to create content