How can I enable an access list using only a MAC address for SSH login

  • Question
  • Updated 1 year ago
  • Answered
Hello,

I would like to enable an access list using the MAC address of a certain PC.

I am asking because I used the same access-list code with only an IP address.

I used this code:

entry AllowManagementIP {
    if match any {
        ethernet-source-address F8:A7:BC:E0:D1:AE;
    }
    then {
        permit;
    }
}

and it didn't work; still any PC can log in using SSH.
I did the refresh policy command, still the same problem.
Adnan
Posted 1 year ago

Hagemann, Olaf, Employee
Do you have any deny rule in there as well?

Adnan
No, I don't have one. I think I don't need it, because I used this code for the IP address and it worked fine.
If I have to have a deny rule, could you write the full command for me?

Hagemann, Olaf, Employee
You could just try to use

else {
    deny;
}

after your then expression.

Adnan
entry AllowManagementIP {
    if match any {
        ethernet-source-address F8:A7:BC:E0:D1:AE;
    }
    then {
        permit;
    }
    else {
        deny;
    }
}

It gives me an error:
error policy has else clause, which can be used only in clear flow rules

Hagemann, Olaf, Employee
OK. Try to add a deny-all at the bottom of the policy.

Hagemann, Olaf, Employee
Maybe just a "deny;" would be enough. Didn't play with policy files for quite some time. ;-)

Adnan
entry AllowManagementIP {
    if match any {
        ethernet-source-address F8:A7:BC:E0:D1:AE;
    }
    then {
        permit;
    }
    else {
        deny all;
    }
}

Error again: attribute deny should not have any arguments, "all" is invalid

Hagemann, Olaf, Employee
As I said. Leave the "all" away.

Adnan
entry AllowManagementIP {
    if match any {
        ethernet-source-address F8:A7:BC:E0:D1:AE;
    }
    then {
        permit;
    }
    deny;
}

Error again, what should I do!!

Hagemann, Olaf, Employee
There is one brace too many at the bottom.

Adnan
I pasted it here wrong, but in the CLI it's correct :)

Hagemann, Olaf, Employee
entry DenyAllIngress {
    if {
    } then {
        deny;
    }
}

Adnan
entry AllowManagementIP {
    if match any {
        ethernet-source-address F8:A7:BC:E0:D1:AE;
    }
    then {
        permit;
    }
}
entry DenyAllIngress {
    if {
    } then {
        deny;
    }
}

Still can log in with another PC.

Hagemann, Olaf, Employee
Did you assign the policy to the ingress port?

Adnan
I am using it for SSH login,

using this command:

config ssh2 access-profile ssh2-acl

Hagemann, Olaf, Employee
Did you enable ssh2 to use the access-profile?
enable ssh2 access-profile ssh2-acl

Adnan
Yes, and it still can log in with another PC.

Hagemann, Olaf, Employee
Hm....that's strange. You should log a case with GTAC and have them look into the switch. I am sure it is just a small thing that needs to be changed. They could have a remote session with you and figure it out.

Adnan
My switches are X250e-48pt. I updated the firmware from 12.5.4.5 to 15.3.5.2 and installed the SSH module to get SSH. Is it related or something?

And thanks for the help.

Best

Erik Auerswald, Embassador
Hi,

is the PC in the same subnet as the switch? Otherwise the connection will be across a router (or layer 3 switch), and the MAC address seen at the switch you want to log into is the router's MAC address.

Anyway, I am not sure that you can use a MAC address match for the SSH access profile. The command reference says:
Match conditions:
  • Source-address—IPv4 and IPv6
  • Actions—Permit or Deny
The GTAC Knowledge articles pertaining to an SSH access profile mention IP addresses only as well:
Thanks,
Erik
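An added check, not from the thread or from any Extreme tool, that parses a policy file in the entry/if/then syntax used above and flags the things this thread ran into: a match keyword the SSH access profile does not support (only source-address is listed in the command reference quoted above), the else clause and the deny argument the parser rejected, stray text after the then-block, and a missing catch-all deny entry. The policy strings and the 192.0.2.10 management address are constructed for the example.

```python
import re

# The SSH access profile matches only the source IP (command reference quoted in the
# thread); ethernet-source-address is a port-ACL keyword, so the entry never matches.
SSH_PROFILE_MATCHES = {"source-address"}

# One entry: entry NAME { if [match any|all] { COND } then { ACT } TAIL }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\w+)\s*\{\s*"
    r"if(?:\s+match\s+(?:any|all))?\s*\{(?P<cond>[^}]*)\}\s*"
    r"then\s*\{(?P<act>[^}]*)\}\s*(?P<tail>[^}]*)\}"
)

def _statements(block):
    """Split the 'keyword args;' statements of a brace block into token lists."""
    return [s.split() for s in block.split(";") if s.strip()]

def lint_ssh_policy(text):
    """Return the problems found in an SSH access-profile policy ([] = looks OK)."""
    entries = list(ENTRY_RE.finditer(text))
    if not entries:
        return ["no 'entry' blocks found"]
    problems = []
    for m in entries:
        name, tail = m.group("name"), m.group("tail").strip()
        if tail.startswith("else"):          # the first error Adnan hit
            problems.append(f"{name}: 'else' is only valid in ClearFlow rules")
        elif tail:                           # e.g. a stray 'deny;' after then { }
            problems.append(f"{name}: unexpected text after then-block: {tail!r}")
        for key, *_ in _statements(m.group("cond")):
            if key not in SSH_PROFILE_MATCHES:
                problems.append(f"{name}: match '{key}' is not supported by the SSH profile")
        for key, *args in _statements(m.group("act")):
            if key not in ("permit", "deny") or args:   # 'deny all;' is invalid
                problems.append(f"{name}: action must be a bare permit; or deny;")
    # Olaf's advice in the thread: end with an explicit catch-all deny entry.
    last = entries[-1]
    if _statements(last.group("cond")) or _statements(last.group("act")) != [["deny"]]:
        problems.append("last entry is not a catch-all 'if { } then { deny; }'")
    return problems

# Constructed samples: the thread's MAC-based entry, and an IP-based rewrite with
# a placeholder management address (192.0.2.10) plus the closing deny entry.
MAC_POLICY = "entry AllowManagementIP { if match any { ethernet-source-address F8:A7:BC:E0:D1:AE; } then { permit; } }"
IP_POLICY = ("entry AllowManagementIP { if match any { source-address 192.0.2.10/32; } then { permit; } } "
             "entry DenyAllIngress { if { } then { deny; } }")

if __name__ == "__main__":
    for label, policy in (("MAC", MAC_POLICY), ("IP", IP_POLICY)):
        print(label, lint_ssh_policy(policy) or "OK")
```

The IP-based policy is still only a syntax-level check; whether it takes effect on the switch depends on the profile being assigned and enabled for ssh2 as the thread describes.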

Adnan
The PC and the VLAN have the same subnet.