Thursday, September 20, 2018

How do I limit management access to only the management interface (Cat 9K & IOS-XE 16)

Has anyone solved this issue? We are deploying Catalyst 9000 switches and are trying to keep people from being able to SSH to any SVI or IP on the switches. We want this to go to the dedicated management interface only since this will be a separate, firewalled network. Sounds pretty reasonable, right? :)

Extended ACLs with destination networks are still unsupported on IOS-XE 16 for the access-class statements. The control-plane-host & management-interface statements in control plane policing are also unsupported.

This may be more of a warning that IOS-XE Fuji, etc. do not support all the features that previous versions did. I have a TAC case open but so far they've only offered solutions that don't work or are not supported on this version.


