Home / server / Questions / 450921
In Process
chris
Asked: 2012-11-22 08:14:59 +0800 CST

Cisco IOS router config -- how to disable SSH / SNMP on all but loopback address?

  • 772

Sorry for the naive question; a quick reading of the cisco docs doesn't answer this question...

So I've got a router (say for the sake of argument a 4500 running IOS 15.x)

It has interfaces in 3 different subnets -- 10.0.0.1/24, 10.0.1.1/24, and 10.0.2.1/24 It also has a loopback address of 172.16.0.33

How do I make it so that SSH / SNMP and other administrative traffic works on the 172 address but doesn't work on the IP addresses I wish to only use for L3 forwarding?

Ideally this can be done by disabling the control plane access to these interfaces not just by using an ACL, but whatever, I don't actually care that much as long as it works...

Thanks!

cisco

2 Answers

  1. You can't disable the daemon on a interface. ACL are the way to go. Filtering should be done on the source address, not destination.

    Config example:

    line vty 0 4
 access-class secure_vty in
 ipv6 access-class secure6_vty in


ip access-list standard secure_vty
 permit 172.16.10.0 0.0.0.255
 deny any

ipv6 access-list secure6_vty
 deny ipv6 any any

    In this config, 172.16.10.0/24 is your management network where you have your NMS, and you have no ipv6 on the NMS but there is some on the switch, so it has to protected.

    Be sure also to disable sshv1 which is enabled by default :

    Router(config)# ip ssh version 2
    • 3

  2. Control Plane Policing would be the cleanest implementation

    First, create an ACL that MATCHES traffic which you will ultimately drop

    ip access-list extended DROP
 permit tcp any host 10.0.0.1 eq 22
 permit tcp any host 10.0.1.1 eq 22
 permit tcp any host 10.0.2.1 eq 22
 permit udp any host 10.0.0.1 eq snmp
 permit udp any host 10.0.1.1 eq snmp
 permit udp any host 10.0.2.1 eq snmp

    Next, create a class-map that matches the ACL you created above:

    class-map SNMP_AND_SSH_TO_NON_LOOPBACK
 match access-group name DROP

    Next, create a policy-map with action DROP on the desired traffic

    policy-map CONTROL_PLANE_POLICING
 class SNMP_AND_SSH_TO_NON_LOOPBACK
  drop

    Finally, apply the Control plane policing to your control plane

    control-plane
 service-policy input CONTROL_PLANE_POLICING

    Any traffic destined for the control plane which does NOT match your access list will PASS (this includes SNMP and SSH traffic destined for the Loopback address)

    • 3