ExtremeSwitching (EXOS)

  • 1.  Policies .pol for Telnet/SSH/WEB access

    Posted 01-07-2014 21:52
    Create Date: Apr 19 2012 7:41AM

    I cannot seem to lock down my Extreme 450e stack.

    I have created Mgmt.pol as per the below:

    entry Mgmt_allow {
        if {
            source-address 192.168.1.249/32;
            source-address x.x.x.x/28;
            source-address y.y.y.y/32;
        } then {
            permit;
        }
    }

    entry Mgmt_deny {
        if {
        } then {
            deny;
        }
    }

    I have then run:

    Slot-1 xxxx # check policy Mgmt
    Policy file check successful.

    and then:

    configure telnet access-profile Mgmt

    However, I can still telnet to the device. Could I ask what I am doing wrong?

    (from lee_byatt)


  • 2.  RE: Policies .pol for Telnet/SSH/WEB access

    Posted 01-07-2014 21:52
    Create Date: Apr 19 2012 2:59PM

    Since the telnet access rule can only recognize the source-address modifier, can you modify your policy to include the following in Mgmt_deny and let me know if that works for you?

    source-address 0.0.0.0/0;

    (from Arpit_Bhatt)


  • 3.  RE: Policies .pol for Telnet/SSH/WEB access

    Posted 01-07-2014 21:52
    Create Date: Apr 19 2012 3:01PM

    Also try using counters and see if the policy is being hit.

    (from Arpit_Bhatt)


  • 4.  RE: Policies .pol for Telnet/SSH/WEB access

    Posted 01-07-2014 21:52
    Create Date: Apr 20 2012 1:27AM

    Looks a bit complicated to me; try the form:

    entry Mgmt_allow {
        if match any {
            source-address x.x.x.x/x;
            source-address y.y.y.y/y;
        } then {
            permit;
        }
    }

    By the way, this is fine for SSH/telnet but doesn't work for web access control: you can't use a policy file for that; you have to enter it on the CLI as an access list. I have moaned about this many times, but they haven't fixed it yet. (from David_Rickard)
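As an added illustration of the point made in this thread (example code, not from any of the posters or from Extreme): a small Python evaluator for the source-address subset of the EXOS policy grammar, run over a policy shaped like the original Mgmt.pol and over one with the fixes the replies suggest. It assumes, as the replies imply, that an `if` block without `match any` means `match all`, that an entry with no source-address condition is ignored by the telnet access profile, and that a policy with no matching entry falls through to permit; the 10.0.0.0/28 network is a constructed stand-in for the poster's masked x.x.x.x/28.

```python
import ipaddress
import re

# Constructed sample policies for this example (not the poster's exact file).
# ORIGINAL_POL mirrors the thread's Mgmt.pol; FIXED_POL applies the replies'
# advice: "match any" on the allow entry and an explicit 0.0.0.0/0 deny entry.
ORIGINAL_POL = """
entry Mgmt_allow { if {
    source-address 192.168.1.249/32;
    source-address 10.0.0.0/28;
} then { permit; } }
entry Mgmt_deny { if { } then { deny; } }
"""
FIXED_POL = """
entry Mgmt_allow { if match any {
    source-address 192.168.1.249/32;
    source-address 10.0.0.0/28;
} then { permit; } }
entry Mgmt_deny { if match any { source-address 0.0.0.0/0; } then { deny; } }
"""

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if(?:\s+match\s+(all|any))?\s*\{(.*?)\}\s*then\s*\{(.*?)\}",
    re.S,
)

def parse_policy(text):
    """Return [(name, mode, networks, action)]. An 'if' with no explicit
    'match' keyword is treated as 'match all', as the EXOS grammar does."""
    entries = []
    for name, mode, conds, action in ENTRY_RE.findall(text):
        nets = [ipaddress.ip_network(n)
                for n in re.findall(r"source-address\s+(\S+);", conds)]
        entries.append((name, mode or "all", nets, action.strip().rstrip(";")))
    return entries

def evaluate(text, src_ip, default="permit"):
    """First entry whose source-address conditions match decides. Assumed,
    as the replies imply: an entry with no source-address condition is ignored,
    and a policy with no matching entry falls through to 'permit'."""
    ip = ipaddress.ip_address(src_ip)
    for name, mode, nets, action in parse_policy(text):
        if not nets:
            continue
        hits = [ip in net for net in nets]
        matched = all(hits) if mode == "all" else any(hits)
        if matched:
            return name, action
    return "no-match", default
```

Under match-all, a single source address can never satisfy two different source-address conditions, so the original allow entry never matches and every client falls through to the default, which is the symptom the original post describes.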