Configuring basic access control list (ACL) on Cisco switches

Limiting access to vty lines based on source IP with access list

To configure basic access control on a switch (for example a Cisco Catalyst 3750), create an access list of the source IPs that are allowed to connect to the switch and then apply that access list to the vty lines (with the access-class command), so that every telnet/ssh management session is checked against it.

Standard access lists match on the source address only, either a single host or a network given with a wildcard mask. If the rule also has to take the protocol, the destination or the port into account, extended access lists are needed. The sample below is an extended list (number 100); extended lists can be applied to the vty lines in the same way.

Sample extended access-list configuration in which only some specific hosts and some specific subnets are allowed to access the switch:

access-list 100 permit ip host 10.1.67.15 any
access-list 100 permit ip host 10.1.67.2 any
access-list 100 permit ip host 10.3.3.51 any
access-list 100 permit ip host 192.168.36.177 any
access-list 100 permit ip 172.16.30.0 0.0.0.255 any
access-list 100 permit ip 10.4.4.0 0.0.0.255 any

Note that the masks used in switch access-list configuration are wildcard masks, the bitwise inverse of the netmasks configured on firewalls and interfaces: 0.0.0.255 above corresponds to the netmask 255.255.255.0, a 0 bit must match and a 1 bit is ignored. Every Cisco access list ends with an implicit deny, so any source not matched by one of the permit entries is refused; make sure the host you are configuring from is in the list before applying it to the vty lines, or you will lock yourself out.

Disabling connections to/from hosts connected to specific ports

We can disable ssh to any host which is connected to a specific switch port by applying an access list on that switch port.
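The following is an added example, not configuration from the original notes: a small Python generator that turns an allowlist written in ordinary CIDR notation into the Cisco ACL lines above, computing the wildcard mask by inverting the netmask so the inversion is never done by hand, and emitting the access-class application to the vty lines that the notes describe. It also produces a port ACL for the second section; the original page does not show that list, so the ACL name, the interface name and the assumption that Catalyst port ACLs are applied inbound only (which is why SSH towards the host is cut by dropping the server's replies from source port 22) are mine.

```python
"""Generate Cisco IOS access-list configuration from CIDR allowlists.

Added example for the notes above; not taken from the original page.
"""
import ipaddress


def wildcard_mask(network: str) -> tuple[str, str]:
    """Return (network address, Cisco wildcard mask) for a host or CIDR prefix.

    Cisco ACLs use the bitwise inverse of a normal netmask: 0 bits must match,
    1 bits are "don't care". 255.255.255.0 therefore becomes 0.0.0.255.
    strict=True rejects prefixes with host bits set (e.g. 172.16.30.5/24),
    which would otherwise silently produce an entry matching the wrong range.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    inverted = int(net.netmask) ^ 0xFFFFFFFF
    return str(net.network_address), str(ipaddress.IPv4Address(inverted))


def acl_source_clause(network: str) -> str:
    """Render the source part of an extended ACE: 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    addr, wc = wildcard_mask(network)
    return f"host {addr}" if wc == "0.0.0.0" else f"{addr} {wc}"


def vty_allowlist_config(acl_number: int, allowed: list[str],
                         vty_range: str = "0 15") -> list[str]:
    """Extended ACL permitting management only from the allowlist, applied to the vty lines.

    An explicit logged deny is added in front of the implicit deny so refused
    attempts show up in the log; the vty lines are also restricted to ssh.
    """
    lines = [f"access-list {acl_number} permit ip {acl_source_clause(n)} any"
             for n in allowed]
    lines.append(f"access-list {acl_number} deny ip any any log")
    lines += [f"line vty {vty_range}",
              f" access-class {acl_number} in",
              " transport input ssh"]
    return lines


def port_block_ssh_config(acl_name: str, interface: str) -> list[str]:
    """Named extended ACL dropping SSH to and from the host on one switch port.

    Assumption (not from the original page): the port ACL is applied inbound
    only, so SSH *to* the host is stopped by dropping the SSH server's replies
    (source port 22) as they enter the switch from that port, and SSH *from*
    the host by dropping its packets to destination port 22. No 'log' keyword
    here, since port ACLs are evaluated in hardware.
    """
    return [f"ip access-list extended {acl_name}",
            " deny tcp any eq 22 any",
            " deny tcp any any eq 22",
            " permit ip any any",
            f"interface {interface}",
            f" ip access-group {acl_name} in"]


if __name__ == "__main__":
    # Constructed allowlist mirroring the sample in the notes.
    management_sources = ["10.1.67.15", "10.1.67.2", "10.3.3.51",
                          "192.168.36.177", "172.16.30.0/24", "10.4.4.0/24"]
    print("\n".join(vty_allowlist_config(100, management_sources)))
    print("!")
    # Hypothetical ACL name and interface for the port example.
    print("\n".join(port_block_ssh_config("BLOCK-SSH-PORT", "GigabitEthernet1/0/5")))
```

Paste the generated lines into configuration mode in the order printed; review the allowlist for your own management address first, because the access-class takes effect on the next new session.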