
How can I enable an access list using only a MAC address for SSH login?


Hello

I would like to enable an access list using the MAC address of a certain PC.

I am asking because I used the same code as the access list that used only an IP address.

I used this code:

entry AllowManagementIP { if match any { ethernet-source-address F8:A7:BC:E0:D1:AE; } then { permit; } }

and it didn't work; any PC can still log in using SSH. I did the refresh policy command, still the same problem.

21 replies

Userlevel 3
Do you have any deny rule in there as well?
No I don't. I think I don't need it, because I used this code for the IP address and it worked fine.
If I have to have a deny rule, could you write the full command for me?
Userlevel 3
You could just try to use

else {
deny;
}

after your then expression.
entry AllowManagementIP { if match any { ethernet-source-address F8:A7:BC:E0:D1:AE; } then { permit; } else {
deny;
} }

It gives me an error:
error policy has else clause , which can be used only in clear flow rules
Userlevel 3
OK. Try to add a deny all at the bottom of the policy
Userlevel 3
Maybe just a "deny;" would be enough. Didn't play with policy files for quite some time. 😉
entry AllowManagementIP { if match any { ethernet-source-address F8:A7:BC:E0:D1:AE; } then { permit; } else {
deny all;
} }

Error again: attribute deny should not have any arguments, "all" is invalid
Userlevel 3
As I said. Leave the "all" away.
entry AllowManagementIP { if match any { ethernet-source-address F8:A7:BC:E0:D1:AE; } then { permit; }
deny ;
} }

Error again. What should I do!!
Userlevel 3
There is one brace too many at the bottom.
I pasted it wrong here, but in the CLI it's correct 🙂
Userlevel 3
entry DenyAllIngress{
if {
} then {
deny;
}
}
entry AllowManagementIP { if match any { ethernet-source-address F8:A7:BC:E0:D1:AE; } then { permit; } }
entry DenyAllIngress{
if {
} then {
deny;
}
}

I can still log in with another PC.
Userlevel 3
Did you assign the policy to the ingress port?
I am using it for SSH login,

using this command:

config ssh2 access-profile ssh2-acl
Userlevel 3
Did you enable ssh2 to use the access-profile?
enable ssh2 access-profile ssh2-acl
Yes, and I can still log in with another PC.
Userlevel 3
Hm....that's strange. You should log a case with GTAC and have them look into the switch. I am sure it is just a small thing that needs to be changed. They could have a remote session with you and figure it out.
My switches are X250e-48pt. I updated the firmware from 12.5.4.5 to 15.3.5.2 and installed the SSH module to get SSH. Is it related or something?

And thanks for the help.

Best
Userlevel 7
Hi,

is the PC in the same subnet as the switch? Otherwise the connection will be across a router (or layer 3 switch) and the MAC address seen at the switch you want to log into is the router's MAC address.

Anyway, I am not sure if you can use a MAC address match for the SSH access profile. The command reference says:

Match conditions:

  • Source-address—IPv4 and IPv6
  • Actions—Permit or Deny

The GTAC Knowledge articles pertaining to an SSH access profile mention IP addresses only as well:
Thanks,
Erik
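As an added example (not code from any poster in this thread), here is the shape of an SSH access profile that fits the match conditions quoted above: the permit entry keys on source-address instead of ethernet-source-address, and a catch-all deny entry sits last. The management PC's IP 192.0.2.10 is a constructed placeholder, and `check policy` is assumed to be the standard EXOS syntax check for a .pol file.

```text
# ssh2-acl.pol (constructed example; 192.0.2.10 is a placeholder for the management PC)
# The SSH access profile matches on source-address (IPv4/IPv6), not on
# ethernet-source-address, so the permit entry keys on the PC's IP address.
entry AllowManagementIP {
    if match any {
        source-address 192.0.2.10/32;
    } then {
        permit;
    }
}

# Entries are evaluated top-down; an empty "if" matches every packet, so this
# catch-all deny must stay last. No "else" clause: else is only valid in
# clear-flow rules, and "deny" takes no arguments.
entry DenyAllIngress {
    if {
    } then {
        deny;
    }
}

# EXOS CLI to verify and activate the profile (commands from the thread,
# plus check policy, assumed here as the standard syntax check):
#   check policy ssh2-acl
#   configure ssh2 access-profile ssh2-acl
#   enable ssh2 access-profile ssh2-acl
#   refresh policy ssh2-acl      # re-read the file after editing it
```

If the PC reaches the switch through a router, source-address still sees the PC's IP (unlike the MAC, which would be the router's), so the source-address match is the one that works across subnets.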
The PC and the VLAN have the same subnet.
