topic RE: Network zones with access profiles? in ExtremeSwitching (EXOS/Switch Engine)

Network zones with access profiles?

Dave_Martin — Tue, 02 Aug 2016 21:04:00 GMT

I am attempting to convert telnet/ssh access-profiles from dynamic acls to a static acl with network zones, but when I switch telnet to use this acl, it refuses connections that should be allowed.

Experimenting, it appears that access-profiles don't work with network zones; when I replace the source-zone with the corresponding source-address directives, it works.

X460-24t 16.1.3.6

With network zone (example simplified, the real one contains multiple networks and addresses):
configure access-list network-zone trusted-networks add ipaddress x.x.x.145 255.255.255.255

entry permit-trusted-networks {
if match any {
source-zone trusted-networks;
} then {
permit;
}
}

Connection refusedWith source-address:
entry permit-trusted-networks {
if match any {
source-address x.x.x.145/32;
} then {
permit;
}
}

telnet session telnet4 on /dev/ptyb4

Unauthorized access prohibited!

login: Login timed out!

RE: Network zones with access profiles?

Karthik_Mohando — Wed, 03 Aug 2016 06:18:00 GMT

Hi Dave,

Welcome to the Hub....

I could see this limitation for SSH access profile, i believe this could be applicable for telnet access profile as well.
"Only source-address match is supported"

you can take a look at this article for more help on the same.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-restrict-telnet-access

RE: Network zones with access profiles?

Dave_Martin — Wed, 03 Aug 2016 20:56:00 GMT

This is unfortunate. I also discovered I can't use the same policy file with telnet/ssh/snmp and with ingress/egress (which is what led me to use network-zones in the first place), so I'll have multiple places to update if the address list changes, instead of just one.