Solved

SSH question

Posted on 2012-03-12
1
245 Views
Last Modified: 2012-03-13
I have a question about this scenerio:

CORESW------->REMOTE SITE ROUTER|-------->Access Switch1
                                                        |-------->Access Switch2
                                                        |-------->Access Switch3

So when doing SSH from CORESW, if I want to apply ssh only from CORESW, what needs to be done. To carify more, so that users can't do SSH direct to Access SW1,2 and 3. I know they have to SSH to CORESw first. But I don't want them to SSH from REMOTE SITE ROUTER or SSH from Access Switch1 to Access Switch2 or 3. All I want them to SSH to CORESW and then from there they can SSH to any devices.
Is this consired good practice or not?
0
Comment
Question by:tech1guy
1 Comment
 
LVL 10

Accepted Solution

by:
mat1458 earned 500 total points
Comment Utility
You would do that  by configuring a standard ip access list containing the ip address of the core switch (probably the ip ssh source-interface address) and then apply it as incoming access-class to the line vty 0 4 or line vty 0 15.

The question about good practice: Normally it's the network support people that need to log into a switch. They do that either for fun or when something is considered as broken in the network. By adding an additional hop everything takes longer without really adding more security. If you want to secure your switches use use access lists that cover the IP address range of your engineers/operators and set up a TACACS server with accounting and logging.
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Defense in depth is one of the most important security principles that no one disagrees with, it simply states that IT security must be handled at different layers without neglecting any of them relying on other or others.  If I tried to clarify the…
There are some basic methods for preventing attacks on, hacking of and unauthorized access to a network -- maybe not completely, but up to a certain level. Start with a well-reputed firewall and unified threat management (UTM) system -- a gateway…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now