Yet another Brocade VDX post! This time on how to block SSH access on VE interfaces. It sounds simple, but it took me some time to find out how to do it!

After some Cisco Catalyst to Brocade VDX configuration conversions, I was not able to block SSH access to the IP interfaces that existed on the Brocade VDX. Usually one or more of these options are available on a platform:

  1. An SSH access-group, restricting the SSH daemon itself to a list of sources (not supported on NOS).
  2. VTY lines configured with an access-group and the transport restricted to SSH (the Cisco IOS way).
  3. A VRF-aware SSH daemon (not supported). Current Brocade NOS versions (>5.x) do have mgmt-vrf capabilities, so you would think SSH could be limited to the mgmt-vrf; unfortunately not (yet).
  4. An ip access-list on the interface, denying SSH from non-management networks.

So I focused on option 4, but couldn't get it to work. What I tried was the following configuration stanza, with an ACL using a plain deny, applied inbound on the internet-facing VE:

With that ACL in place I was still able to SSH to the IP address configured on ve 100.

Apparently Brocade has an ACE action of its own, named "hard-drop". Unlike a regular deny, which (as the test above shows) does not stop packets addressed to the switch itself, hard-drop also drops traffic destined for the CPU of the VDX, and it still applies to "transit traffic" forwarded through the interface.

The access-list INET-IN should therefore use hard-drop instead of deny for the SSH entry, and be configured as follows:

Now the ACL does what it is supposed to do: SSH access to the VDX VE interface from the big bad interwebz is dropped. Pretty easy in the end!
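For reference, here is a complete version of the idea as an added example; it is not the stanza from the original post and not Brocade's documentation. It permits SSH to the VE address from the management network only, hard-drops all other SSH to that address, and leaves transit traffic alone. The addresses are RFC 5737 documentation ranges chosen for this example (203.0.113.1 is assumed to be the ve 100 address, 198.51.100.0/24 the management network), the ACL name INET-IN and interface ve 100 are taken from the post, and the syntax follows the Brocade NOS 5.x extended ACL conventions as I know them (seq numbers, wildcard masks, an implicit deny at the end of the list); the lines starting with "!" are annotations, not commands, so check the whole thing against the CLI of your NOS release before pasting it.

```text
! Added example, not the original post's configuration.
! Assumed: 203.0.113.1 is the address on ve 100, 198.51.100.0/24 is the
! management network. Entries are evaluated in seq order.
ip access-list extended INET-IN
 ! management hosts may still reach the switch over SSH (matched first)
 seq 10 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq 22
 ! everyone else: hard-drop, because a plain deny does not stop packets
 ! destined for the VDX CPU. Scoped to the VE address on purpose, since
 ! hard-drop also hits transit traffic; "any any eq 22" would cut SSH to
 ! every host routed through this interface as well
 seq 20 hard-drop tcp any host 203.0.113.1 eq 22
 ! the list ends with an implicit deny, so transit traffic needs an
 ! explicit permit or the VE stops forwarding anything
 seq 30 permit ip any any
!
interface Ve 100
 ip access-group INET-IN in
```

Two things worth checking after applying it: SSH to 203.0.113.1 from a host in 198.51.100.0/24 should still work and SSH from any other source should time out (no RST, the packet is dropped), and ordinary traffic through ve 100 should be unaffected. The ACL is bound to one VE only, so every other VE with a reachable address needs the same treatment, with its own address in the hard-drop entry.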