Solved

SSH question

Posted on 2012-03-12
1
249 Views
Last Modified: 2012-03-13
I have a question about this scenerio:

CORESW------->REMOTE SITE ROUTER|-------->Access Switch1
                                                        |-------->Access Switch2
                                                        |-------->Access Switch3

So when doing SSH from CORESW, if I want to apply ssh only from CORESW, what needs to be done. To carify more, so that users can't do SSH direct to Access SW1,2 and 3. I know they have to SSH to CORESw first. But I don't want them to SSH from REMOTE SITE ROUTER or SSH from Access Switch1 to Access Switch2 or 3. All I want them to SSH to CORESW and then from there they can SSH to any devices.
Is this consired good practice or not?
0
Comment
Question by:tech1guy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 10

Accepted Solution

by:
mat1458 earned 500 total points
ID: 37713163
You would do that  by configuring a standard ip access list containing the ip address of the core switch (probably the ip ssh source-interface address) and then apply it as incoming access-class to the line vty 0 4 or line vty 0 15.

The question about good practice: Normally it's the network support people that need to log into a switch. They do that either for fun or when something is considered as broken in the network. By adding an additional hop everything takes longer without really adding more security. If you want to secure your switches use use access lists that cover the IP address range of your engineers/operators and set up a TACACS server with accounting and logging.
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There is a question posted at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28324159.html (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28324159.html) and i…
Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question