ACL policy to restrict telnet is not working as desired

Question · Updated 6 months ago · Answered
I'm new to Extreme switches. I have configured the following ACL policy to allow only the networks listed in the policy to connect by telnet to the switch (model X480-24X, running ExtremeXOS version 15.6.4.2); however, only the host with IP address 200.20.76.42 is connecting, the others are being rejected.
Has anyone ever faced this problem?


Entry AllowTheseSubnets {
    if match any {
        source-address 200.20.76.42 /32;
        source-address 187.111.111.5 /32;
        source-address 200.20.66.176 /27;
    }
    then {
        permit ;
    }
}

Thanks in advance

Francisco Leitão

Posted 6 months ago

Stephen Williams, Employee
Make one entry per source address.

Entry AllowTheseSubnets1 {
    if match any {
        source-address 200.20.76.42 /32;
    }
    then {
        permit ;
    }
}

Entry AllowTheseSubnets2 {
    if match any {
        source-address 187.111.111.5 /32;
    }
    then {
        permit ;
    }
}

Entry AllowTheseSubnets3 {
    if match any {
        source-address 200.20.66.176 /27;
    }
    then {
        permit ;
    }
}

Joe Sheldon.
The policy I use without issue is similar to:

Switch1.4 # sh policy telnet
Policies at Policy Server:
Policy: telnet
entry telnet {
if match any {
    source-address 12.34.56.78/32 ;
    source-address 12.34.56.79/32 ;
    source-address 12.34.56.80/32 ;
    source-address 12.34.56.81/32 ;
    source-address 12.34.56.82/32 ;
    source-address 12.34.54.0/24 ;
    source-address 12.34.55.0/24 ;
}
then {
    permit  ;
}
}
Francisco Leitão
Hi Stephen,

First of all thanks for your attention,

I have configured the ACL as you suggested; even so, it's not working. Below you can see the message in the log informing that the connection has been rejected.

SW-IPLAN.5 # show log
05/03/2018 15:21:28.59 <Warn:telnetd.RejctConnAccessDeny> Telnet connection from source 187.111.111.5 has been denied by access-list IplanAcesso. Rejecting connection.

Thanks!

Stephen Williams, Employee
Did you refresh the policy?

Francisco Leitão
I hadn't done that! To be honest I had no idea this command was required when you change an ACL. After issuing the refresh command the ACL worked fine!

As I said, I am new to Extreme switches.

Thanks!

Stephen Williams, Employee
No problem, we are here to help. Welcome, by the way.
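As an added example (not from this thread and not Extreme's own tooling), a small Python checker that parses a policy file in the syntax shown above, reports which source addresses it would permit, and flags `show log` denials of sources the file permits, which is the symptom of a policy edited on disk but not yet applied with `refresh policy <name>`. The sample policy and log line are constructed from the thread; the implicit deny for unmatched sources is an assumption (the thread's log shows a deny for a source the file listed).

```python
import ipaddress
import re
# Constructed sample in ExtremeXOS policy-file syntax, modelled on the thread's policy.
SAMPLE_POLICY = """
entry AllowTheseSubnets {
if match any {
    source-address 200.20.76.42/32 ;
    source-address 187.111.111.5/32 ;
    source-address 200.20.66.176/27 ;
}
then {
    permit ;
}
}
"""
# Constructed log line in the format the thread quotes from 'show log'.
SAMPLE_LOG = ["05/03/2018 15:21:28.59 <Warn:telnetd.RejctConnAccessDeny> Telnet connection from source 187.111.111.5 has been denied by access-list IplanAcesso. Rejecting connection."]
ENTRY_RE = re.compile(r"\bentry\s+(\S+)\s*\{", re.IGNORECASE)
ADDR_RE = re.compile(r"source-address\s+([\d.]+)\s*/\s*(\d+)\s*;")
ACTION_RE = re.compile(r"then\s*\{\s*(permit|deny)\s*;", re.IGNORECASE)
DENY_RE = re.compile(r"from source ([\d.]+) has been denied by access-list (\S+)\.")

def parse_policy(text):
    """Return [(entry_name, [ip_network, ...], action)] in file order."""
    entries = []
    heads = list(ENTRY_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        nets = [ipaddress.ip_network(f"{a}/{p}", strict=False)
                for a, p in ADDR_RE.findall(body)]
        act = ACTION_RE.search(body)
        entries.append((head.group(1), nets, act.group(1).lower() if act else "deny"))
    return entries

def evaluate(entries, src):
    """First matching entry wins; assumption: a source no entry matches is denied."""
    ip = ipaddress.ip_address(src)
    for name, nets, action in entries:
        if any(ip in net for net in nets):
            return name, action
    return None, "deny"

def stale_policy_denials(entries, log_lines):
    """Sources the file permits but the log shows denied: running copy differs from file."""
    hits = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if m and evaluate(entries, m.group(1))[1] == "permit":
            hits.append((m.group(1), m.group(2)))
    return hits
```

A non-empty result from `stale_policy_denials` is the cue to run `refresh policy <name>` on the switch and re-check the log.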