topic RE: Policys .pol for Telnet/SSH/WEB access in ExtremeSwitching (EXOS/Switch Engine)

Policys .pol for Telnet/SSH/WEB access

EtherNation_Use — Wed, 08 Jan 2014 05:52:00 GMT

Create Date: Apr 19 2012 7:41AM

I cannot seem to lock down my Extreme 450e stack.

I have created Mgmt.pol as per the below

entry Mgmt_allow {

if {

source-address 192.168.1.249/32;

source-address x.x.x.x/28;

source-address y.y.y.y/32;

} then {

permit;

}

}

entry Mgmt_deny {
if {
} then {
deny;
}
}

I have then

Slot-1 xxxx # check policy Mgmt
Policy file check successful.

then

configure telnet access-profile Mgmt

however I can still telnet to the device. Could I ask what I am doing wrong.

(from lee_byatt)

RE: Policys .pol for Telnet/SSH/WEB access

EtherNation_Use — Wed, 08 Jan 2014 05:52:00 GMT

Create Date: Apr 19 2012 2:59PM

Since the telnet access rule can only recognize source-address modifier. Can you modify your policy to include the following in the Mgmt_deny and let me know if that works for you.

source-address 0.0.0.0/0;

(from Arpit_Bhatt)

RE: Policys .pol for Telnet/SSH/WEB access

EtherNation_Use — Wed, 08 Jan 2014 05:52:00 GMT

Create Date: Apr 19 2012 3:01PM

Also try using counters and see if the policy is being hit.

(from Arpit_Bhatt)

RE: Policys .pol for Telnet/SSH/WEB access

EtherNation_Use — Wed, 08 Jan 2014 05:52:00 GMT

Create Date: Apr 20 2012 1:27AM

Looks a bit complicated to me, try the form:

entry Mgmt_allow {
if match any {
source-address x.x.x.x/x;
source-address y.y.y.y/y;
} then {
permit;
}
}

By the way, this is fine for SSH/telnet but doesn't work for web access control - you can't use a policy file for that you have to enter it on the CLI as an access list. I have moaned about this many times but they haven't fixed it yet. (from David_Rickard)