Cisco IOS router config — how to disable SSH / SNMP on all but loopback address

Tags: access-control-list, cisco, ios

Sorry for the naive question; a quick reading of the cisco docs doesn't answer this question…

So I've got a router (say for the sake of argument a 4500 running IOS 15.x)

It has interfaces in 3 different subnets — 10.0.0.1/24, 10.0.1.1/24, and 10.0.2.1/24
It also has a loopback address of 172.16.0.33

How do I make it so that SSH / SNMP and other administrative traffic works on the 172 address but doesn't work on the IP addresses I wish to only use for L3 forwarding?

Ideally this can be done by disabling the control plane access to these interfaces not just by using an ACL, but whatever, I don't actually care that much as long as it works…

Thanks!

Best Answer

You can't disable the daemon on an interface. ACLs are the way to go. Filtering should be done on the source address, not the destination.

Config example:

! Apply the access lists inbound on the VTY lines used for SSH/Telnet.
line vty 0 4
 access-class secure_vty in
 ipv6 access-class secure6_vty in

! Only the management network may open a VTY session; everything else is dropped.
ip access-list standard secure_vty
 permit 172.16.10.0 0.0.0.255
 deny any

! No IPv6 management hosts exist, so refuse all IPv6 VTY access.
ipv6 access-list secure6_vty
 deny ipv6 any any

In this config, 172.16.10.0/24 is your management network where you have your NMS, and you have no IPv6 on the NMS, but there is some on the switch, so it has to be protected.

Be sure also to disable SSHv1, which is enabled by default:

Router(config)# ip ssh version 2
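As an added example (not part of the question or the answer above), here is the same source-address approach carried through to the rest of the management plane: every VTY line on the box, SSH pinned to the loopback, and SNMP restricted with the same ACL. It keeps the thread's 172.16.10.0/24 management subnet; the interface name Loopback0, the ACL names, the SNMPv3 user/group names, the NMS address 172.16.10.50 and the placeholder passphrases are assumptions for illustration and must be replaced with real values.

```cisco
! Management hosts allowed to reach the control plane.
! Assumed: the 172.16.10.0/24 NMS subnet from the answer above.
! Denied attempts are logged so you can see who is knocking.
ip access-list standard MGMT_HOSTS
 permit 172.16.10.0 0.0.0.255
 deny   any log
!
! No IPv6 management hosts exist, so refuse all IPv6 VTY access.
ipv6 access-list MGMT6_HOSTS
 deny ipv6 any any
!
! SSH version 2 only; the router's own outbound SSH/SCP is sourced from the
! loopback (assumed name Loopback0) so it always leaves from the management address.
ip ssh version 2
ip ssh source-interface Loopback0
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Cover every VTY line the platform has (a Catalyst 4500 has 0-15), not only 0-4.
! "transport input ssh" removes Telnet entirely rather than just filtering it.
line vty 0 15
 access-class MGMT_HOSTS in
 ipv6 access-class MGMT6_HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! SNMP: SNMPv3 with authentication and encryption, and the group is bound to
! the same MGMT_HOSTS ACL so polls from the forwarding subnets are refused.
! Traps are sourced from the loopback. User, group, NMS address and the
! AUTH-PASS / PRIV-PASS strings are placeholders.
snmp-server group MGMT_V3 v3 priv access MGMT_HOSTS
snmp-server user nms-poller MGMT_V3 v3 auth sha AUTH-PASS priv aes 128 PRIV-PASS
snmp-server source-interface traps Loopback0
snmp-server host 172.16.10.50 version 3 priv nms-poller
```

Check it afterwards with "show ip access-lists MGMT_HOSTS" (the deny counter should climb when you test from a 10.0.x.0/24 host), "show running-config | section line vty" to confirm the access-class is present on all lines, and "show snmp group" to confirm the group carries the ACL. Note that the SSH and SNMP daemons still answer on the 10.0.x.1 addresses for any host inside 172.16.10.0/24; if you also want to refuse the forwarding-subnet destinations, an extended ACL matching on destination as well as source can be used in the same access-class, at the cost of having to maintain the interface addresses in the ACL.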