Policys .pol for Telnet/SSH/WEB access

Create Date: Apr 19 2012 7:41AM

I cannot seem to lock down my Extreme 450e stack.

I have created Mgmt.pol as per the below


entry Mgmt_allow {
    if {
        source-address 192.168.1.249/32;
        source-address x.x.x.x/28;
        source-address y.y.y.y/32;
    } then {
        permit;
    }
}

entry Mgmt_deny {
    if {
    } then {
        deny;
    }
}

I have then

Slot-1 xxxx # check policy Mgmt
Policy file check successful.


then

configure telnet access-profile Mgmt

however I can still telnet to the device. Could I ask what I am doing wrong?

(from lee_byatt)
Create Date: Apr 19 2012 2:59PM

Since the telnet access rule can only recognize the source-address modifier, can you modify your policy to include the following in Mgmt_deny and let me know if that works for you?

source-address 0.0.0.0/0;

(from Arpit_Bhatt)
Create Date: Apr 19 2012 3:01PM

Also try using counters and see if the policy is being hit.

(from Arpit_Bhatt)
Create Date: Apr 20 2012 1:27AM

Looks a bit complicated to me, try the form:

entry Mgmt_allow {
    if match any {
        source-address x.x.x.x/x;
        source-address y.y.y.y/y;
    } then {
        permit;
    }
}

By the way, this is fine for SSH/telnet but doesn't work for web access control - you can't use a policy file for that; you have to enter it on the CLI as an access list. I have moaned about this many times but they haven't fixed it yet.

(from David_Rickard)
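As an added illustration (not code from this thread or from Extreme), here is a small Python evaluator for the policy shape discussed above, combining the two replies: the explicit `0.0.0.0/0` deny and the `if match any` form. It assumes the semantics the replies describe, namely that a plain `if {` with several conditions is match-all, `if match any` matches on any one condition, and entries are tried in order with the first hit winning; the `x.x.x.x` placeholders are replaced by constructed addresses and an empty `if {}` is assumed to match nothing.

```python
import ipaddress

# Constructed policy text in the shape of the original post (match-all `if {`
# plus an empty deny). Addresses are made up for the example.
ORIGINAL_POL = """
entry Mgmt_allow {
    if {
        source-address 192.168.1.249/32;
        source-address 10.0.0.0/28;
    } then { permit; }
}
entry Mgmt_deny {
    if { } then { deny; }
}
"""

# Constructed policy text with the two fixes suggested in the replies.
FIXED_POL = """
entry Mgmt_allow {
    if match any {
        source-address 192.168.1.249/32;
        source-address 10.0.0.0/28;
    } then { permit; }
}
entry Mgmt_deny {
    if { source-address 0.0.0.0/0; } then { deny; }
}
"""

def parse_policy(text):
    """Return [(entry_name, 'any'|'all', [networks], action)] from .pol-style text."""
    entries = []
    for block in text.split("entry ")[1:]:
        name = block.split("{", 1)[0].strip()
        mode = "any" if "match any" in block else "all"   # plain `if {` = match all
        nets = [ipaddress.ip_network(tok.rstrip(";")) for tok in block.split() if "/" in tok]
        action = "permit" if "permit;" in block else "deny"
        entries.append((name, mode, nets, action))
    return entries

def evaluate(entries, src_ip):
    """First-match evaluation: (entry_name, action), or None if no entry matched."""
    ip = ipaddress.ip_address(src_ip)
    for name, mode, nets, action in entries:
        if not nets:            # assumption: an empty `if {}` matches nothing
            continue
        hits = [ip in net for net in nets]
        if (mode == "any" and any(hits)) or (mode == "all" and all(hits)):
            return name, action
    return None                 # falls through to whatever the device does by default
```

With the original text no source address can satisfy both /32 conditions at once, so neither entry ever fires and access is left to the device default; the fixed text permits the two listed sources and explicitly denies everything else.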
