Network zones with access profiles?

  • Question
  • Updated 2 years ago
  • Answered
I am attempting to convert telnet/ssh access-profiles from dynamic acls to a static acl with network zones, but when I switch telnet to use this acl, it refuses connections that should be allowed.

Experimenting, it appears that access-profiles don't work with network zones; when I replace the source-zone with the corresponding source-address directives, it works.

X460-24t 16.1.3.6

With network zone (example simplified, the real one contains multiple networks and addresses):
configure access-list network-zone trusted-networks add ipaddress x.x.x.145 255.255.255.255

entry permit-trusted-networks {
  if match any {
    source-zone trusted-networks;
  } then {
    permit;
  }
}

Connection refused

With source-address:
entry permit-trusted-networks {
  if match any {
    source-address x.x.x.145/32;
  } then {
    permit;
  }
}

telnet session telnet4 on /dev/ptyb4

Unauthorized access prohibited!

login: Login timed out!
Dave Martin

Posted 2 years ago
Karthik Mohandoss, Employee
Hi Dave,

Welcome to the Hub.

I could see this limitation for the SSH access profile; I believe this could be applicable for the telnet access profile as well:
 "Only source-address match is supported"

You can take a look at this article for more help on the same.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-restrict-telnet-access
Dave Martin
This is unfortunate. I also discovered I can't use the same policy file with telnet/ssh/snmp and with ingress/egress (which is what led me to use network-zones in the first place), so I'll have multiple places to update if the address list changes, instead of just one.
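The thread ends on the practical problem: the access profile only accepts source-address matches, so the same address list has to be written out once as network-zone members (for ingress/egress policies) and once as explicit source-address lines (for telnet/ssh). One way to keep a single source of truth is to render both forms from one list. The script below is an added example written for this page; it is not code from the thread or from Extreme Networks. It assumes only the two syntaxes visible above (the "configure access-list network-zone ... add ipaddress <address> <mask>" command and the entry/if match any/then policy layout); the zone and entry names are the ones Dave used, the address list is constructed from documentation ranges, and parse_networks, zone_config, zone_policy, source_address_policy and is_permitted are hypothetical helper names.

```python
import ipaddress

# Constructed sample address list (RFC 5737 documentation ranges), standing in
# for the thread's x.x.x.145/32 and the "multiple networks and addresses" that
# the real policy contains. Edit this list only; everything else is rendered.
TRUSTED_CIDRS = ["192.0.2.145/32", "198.51.100.0/24"]

ZONE_NAME = "trusted-networks"          # zone name from the thread
ENTRY_NAME = "permit-trusted-networks"  # entry name from the thread


def parse_networks(cidrs):
    """Validate every CIDR up front with strict=True, so a host bit set in a
    network prefix fails here rather than becoming a wrong match in both
    rendered policies."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def zone_config(zone, nets):
    """EXOS CLI lines that populate a network-zone, in the form shown in the
    thread (dotted-decimal mask rather than prefix length)."""
    return [
        f"configure access-list network-zone {zone} add ipaddress "
        f"{n.network_address} {n.netmask}"
        for n in nets
    ]


def zone_policy(entry, zone):
    """Policy entry matching on source-zone. Per the thread this works for
    ingress/egress ACLs but is not honoured by telnet/ssh access profiles."""
    return "\n".join([
        f"entry {entry} {{",
        "  if match any {",
        f"    source-zone {zone};",
        "  } then {",
        "    permit;",
        "  }",
        "}",
    ])


def source_address_policy(entry, nets):
    """Policy entry for the access profile, where only source-address match
    is supported. 'match any' permits a client that matches any one line."""
    lines = [f"entry {entry} {{", "  if match any {"]
    lines += [f"    source-address {n.with_prefixlen};" for n in nets]
    lines += ["  } then {", "    permit;", "  }", "}"]
    return "\n".join(lines)


def is_permitted(nets, client_ip):
    """Pre-cutover check: would this management client's address match the
    list? Run it for every host that must keep telnet/ssh access before
    switching the access profile, to avoid the 'Login timed out' surprise."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = parse_networks(TRUSTED_CIDRS)
    print("\n".join(zone_config(ZONE_NAME, nets)))
    print()
    print(zone_policy(ENTRY_NAME, ZONE_NAME))
    print()
    print(source_address_policy(ENTRY_NAME, nets))
    print()
    for ip in ("192.0.2.145", "198.51.100.77", "203.0.113.9"):
        verdict = "permit" if is_permitted(nets, ip) else "no match"
        print(f"{ip}: {verdict}")
```

Because both outputs come from the same TRUSTED_CIDRS list, the management-plane profile and the data-plane ACL cannot drift apart when an address is added or removed; the is_permitted check is worth running against the actual jump-host and monitoring addresses before the new profile is applied, since a lockout of the management plane is the failure mode the thread describes.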