Arista Management SSH ACL

One of the more important hardening items for switches is restricting management access with an ACL. In a true zero-trust environment, a fully air-gapped network may exist for switch management. And while full AAA should also be implemented, adding an ACL that limits which source networks and hosts may reach the switch's management plane at all is equally important, since it cuts off unauthorized sources before any authentication attempt is even made.

Create the ACL

The following access control list will only permit SSH access (tcp/22) to the management IP of the switch (10.0.0.1) from the authorized service network (10.10.50.0/24) and from a single authorized host (10.10.60.17); everything else is denied.

ip access-list sshmanage-acl
    10 remark allow ssh from certain IP/networks only
    101 permit tcp 10.10.50.0/24 host 10.0.0.1 eq 22
    111 permit tcp host 10.10.60.17 host 10.0.0.1 eq 22
    999 deny ip any any

Explanation

  • line 10: a remark documenting the purpose of this access-list; it does not match any traffic
  • line 101: this allows any host on our service network to reach the switch's management IP on tcp/22
  • line 111: this allows our single authorized host to reach the switch's management IP on tcp/22
  • line 999: this ensures a full deny for any other source host, destination, protocol, and/or port (EOS applies an implicit deny at the end of an ACL anyway, but an explicit entry makes the intent visible and shows up in counters)
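To sanity-check what the ACL admits before it is applied to the switch, here is an added example (not from this post and not Arista code) that parses the ACL above and evaluates sample connection attempts with the same sequence-ordered, first-match semantics the switch uses; the sample source addresses are constructed.

```python
import ipaddress

# The ACL from the post, embedded verbatim as sample input.
ACL_TEXT = """ip access-list sshmanage-acl
    10 remark allow ssh from certain IP/networks only
    101 permit tcp 10.10.50.0/24 host 10.0.0.1 eq 22
    111 permit tcp host 10.10.60.17 host 10.0.0.1 eq 22
    999 deny ip any any
"""


def _parse_addr(tokens, i):
    """Parse one address term (any | host A.B.C.D | A.B.C.D/len); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok, strict=False), i + 1


def parse_acl(text):
    """Return (seq, action, proto, src_net, dst_net, dst_port) tuples sorted by sequence number."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        # The 'ip access-list' header and remark entries never match traffic.
        if len(tokens) < 3 or not tokens[0].isdigit() or tokens[1] == "remark":
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        dst, i = _parse_addr(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append((seq, action, proto, src, dst, port))
    return sorted(rules, key=lambda r: r[0])


def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """First matching entry wins; if nothing matches, the implicit deny applies (seq None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if src not in r_src or dst not in r_dst:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action, seq
    return "deny", None
```

Run `evaluate(parse_acl(ACL_TEXT), "10.10.60.18", "10.0.0.1", "tcp", 22)` to confirm that a host one address off the authorized one falls through to entry 999.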

Implement the ACL

Now that the ACL exists in the configuration, we’ll need to apply it to management over SSH.

management ssh
    ip access-group sshmanage-acl in

Explanation

We’re telling the switch to use the previously-created ACL (sshmanage-acl) as an inbound access-group for SSH access to the switch. Apply it from a session that originates on a permitted source (or from the console) so the new access-group cannot lock you out, and then verify the result both ways: an SSH attempt from a permitted host still succeeds, and one from a non-permitted host is refused.