ExtremeSwitching (Other)


How i can enable access list using only mac address to ssh login


  • 1.  How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 03:07
    Hello

    I would like to enable an access list using the MAC address of a certain PC.

    I am asking because I used the same access-list code with only an IP address.

    I used this code:

    entry AllowManagementIP {
        if match any {
            ethernet-source-address F8:A7:BC:E0:D1:AE;
        } then {
            permit;
        }
    }

    and it didn't work; any PC can still log in using SSH. I did the refresh policy command and still have the same problem.


  • 2.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 04:03
    Do you have any deny rule in there as well?


  • 3.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 04:16
    No, I don't have one. I think I don't need it, because I used this code for the IP address and it works fine.
    If I have to have a deny rule, could you write the full command for me?


  • 4.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 04:34
    You could just try to use

    else {
        deny;
    }

    after your then expression.


  • 5.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 05:03
    entry AllowManagementIP {
        if match any {
            ethernet-source-address F8:A7:BC:E0:D1:AE;
        } then {
            permit;
        } else {
            deny;
        }
    }

    It gives me an error:
    error policy has else clause , which can be used only in clear flow rules


  • 6.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 05:16
    OK. Try to add a deny all at the bottom of the policy.


  • 7.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 05:17
    Maybe just a "deny;" would be enough. Didn't play with policy files for quite some time. ;-)



  • 8.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 05:21


    entry AllowManagementIP {
        if match any {
            ethernet-source-address F8:A7:BC:E0:D1:AE;
        } then {
            permit;
        } else {
            deny all;
        }
    }

    Error again: attribute deny should not have any arguments , "all " is invalid


  • 9.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 05:55
    As I said, leave the "all" away.


  • 10.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 06:03
    entry AllowManagementIP {
        if match any {
            ethernet-source-address F8:A7:BC:E0:D1:AE;
        } then {
            permit;
        }
    deny ;
    }
    }

    Error again. What should I do!!


  • 11.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 06:09
    There is one brace too many at the bottom.


  • 12.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 06:12
    I pasted it here wrong, but in the CLI it's correct :)



  • 13.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 06:15
    entry DenyAllIngress {
        if {
        } then {
            deny;
        }
    }



  • 14.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 06:21
    entry AllowManagementIP {
        if match any {
            ethernet-source-address F8:A7:BC:E0:D1:AE;
        } then {
            permit;
        }
    }
    entry DenyAllIngress {
        if {
        } then {
            deny;
        }
    }

    Still can log in with another PC.


  • 15.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 06:23
    Did you assign the policy to the ingress port?



  • 16.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 06:26
    I am using it for SSH login,

    using this command:

    config ssh2 access-profile ssh2-acl


  • 17.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 06:30
    Did you enable ssh2 to use the access-profile?
    enable ssh2 access-profile ssh2-acl



  • 18.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 06:33
    Yes, and I can still log in with another PC.


  • 19.  RE: How can I enable an access list using only a MAC address for SSH login

    This message was posted by a user wishing to remain anonymous
    Posted 07-17-2017 06:36
    Hm... that's strange. You should log a case with GTAC and have them look into the switch. I am sure it is just a small thing that needs to be changed. They could have a remote session with you and figure it out.


  • 20.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-17-2017 07:02
    My switches are X250e-48pt. I updated the firmware from 12.5.4.5 to 15.3.5.2 and installed the SSH module to get SSH. Is it related or something?

    and thanks for help

    Best


  • 21.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-18-2017 05:16
    Hi,

    Is the PC in the same subnet as the switch? Otherwise the connection will be across a router (or layer 3 switch), and the MAC address seen at the switch you want to log into is the router's MAC address.

    Anyway, I am not sure whether you can use a MAC address match for the SSH access profile. The command reference says:
    Match conditions:
    • Source-address—IPv4 and IPv6
    • Actions—Permit or Deny
    The GTAC Knowledge articles pertaining to an SSH access profile mention IP addresses only as well:
    Thanks,
    Erik
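
    The shape of policy Erik's quote points at, written out here as an added example (it is not code from this thread, nor from Extreme's documentation): the SSH access profile is keyed on the management PC's IPv4 source address instead of its MAC, and the catch-all deny is a second entry rather than an else clause, which the thread shows is rejected outside clear-flow rules. 192.0.2.10 is a constructed placeholder for the management PC; the file name ssh2-acl.pol and the comment syntax are assumptions to check against the policy-file reference for your EXOS release.

```text
# ssh2-acl.pol  -- added example, not from the thread or from Extreme's docs.
# Only the IPv4/IPv6 source-address can be matched in an SSH access profile,
# so the permit rule is keyed on the PC's IP address, not its MAC address.
# 192.0.2.10 is a constructed placeholder for the management PC.
entry AllowManagementIP {
    if match any {
        source-address 192.0.2.10/32;
    } then {
        permit;
    }
}

# An access profile cannot carry an "else" clause, so the default deny is a
# separate, last entry with an empty match block: it matches every source that
# the entry above did not permit. "deny" takes no arguments.
entry DenyAll {
    if {
    } then {
        deny;
    }
}
```

    After saving the file, the thread's own commands apply: check the policy for syntax errors before binding it, bind it with configure ssh2 access-profile ssh2-acl, and run refresh policy ssh2-acl after every later edit so the running copy is reloaded. As Erik notes, the address the switch sees is the one on the last hop, so a PC reaching the switch through a router must be allowed by the address the router presents, not by anything layer 2 about the PC.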


  • 22.  RE: How can I enable an access list using only a MAC address for SSH login

    Posted 07-23-2017 17:59
    The PC and the VLAN are in the same subnet.