topic Issue with SSH ACL policy on older switch models in ExtremeSwitching (EXOS/Switch Engine)

Issue with SSH ACL policy on older switch models

MartinS — Tue, 17 Oct 2023 16:00:35 GMT

I am creating a new SSH ACL policy. I've already started rolling it out and applying it to various EXOS switches across our estate. It has been absolutely fine on the X460-G2-48p-10GE4-Base units, but it is not working correctly on any of the X460-48p models I've tried it on:

vi My_SSH_Policy.pol

entry AllowTheseSubnets {

if match any {

source-address 10.0.0.0 /24 ;

source-address 10.0.1.0 /24 ;

} then {

permit;

}

It is displayed when issuing a simple 'ls':

Slot-1 SW1.1 # ls

-rw-r--r-- 1 admin admin 966 Oct 17 14:52 My_SSH_Policy.pol

Slot-1 SW1.2 #

... but it is not recognized if I try to apply it to something:

Slot-1 SW1.2 #

Slot-1 SW1.2 # configure ssh2 access-profile My_SSH_Policy.pol

Error: Policy /config/My_SSH_Policy.pol.pol does not exist on file system

Configuration failed on backup Node, command execution aborted!

Slot-1 SW1.3 #

Slot-1 SW1.3 # check pol My_SSH_Policy.pol

Error: Policy My_SSH_Policy.pol does not exist on file

Slot-1 SW1.4 #

Why is it not recognized on the X460-48p models ?

Re: Issue with SSH ACL policy on older switch models

ar1 — Wed, 18 Oct 2023 13:41:19 GMT

Hi,

the error message looks like that you shoud not ud .pol:
> Slot-1 SW1.2 # configure ssh2 access-profile My_SSH_Policy.pol
> Error: Policy /config/My_SSH_Policy.pol.pol does not exist on file system
> Configuration failed on backup Node, command execution aborted!

Whats happend if you try (without .pol):
configure ssh2 access-profile My_SSH_Policy

Regards,
Axel

Re: Issue with SSH ACL policy on older switch models

MartinS — Thu, 19 Oct 2023 11:48:53 GMT

When I try that it works!