VSP 8404c - Control Path lock down

aksidents — Wed, 04 Dec 2019 00:27:46 GMT

Hey Everyone,

I am trying to limit access to who can access the VSP 8404’s we have on our network. Under access policies, there is default policy which I disabled and then put this:

access-policy 2 *name*
access-policy 2 accesslevel rwa
access-policy 2 access-strict
access-policy 2 network 10.0.0.0 24
access-policy 2 ssh
access-policy 2 enable

However, I am still able to access the device from outside the 10.0.0.0/24 network. Is that the correct syntax?

Re: VSP 8404c - Control Path lock down

Jongseok_Won — Wed, 04 Dec 2019 13:24:35 GMT

Hi,

Below is an example how to configure access policy on VSP.

*Allow ssh/http only for 10.120.40.0/24 and deny any other access

# ACCESS-POLICY CONFIGURATION

access-policy
access-policy 1 enable
access-policy 1 precedence 128
access-policy 1 mode deny accesslevel rwa
access-policy 1 access-strict
access-policy 1 http ssh telnet ftp
no access-policy 1 rlogin
no access-policy 1 snmpv3
no access-policy 1 tftp

access-policy 2
access-policy 2 enable
access-policy 2 mode allow
access-policy 2 precedence 10
access-policy 2 name "Allow_ssh_mgmt" network 10.120.40.0 24 accesslevel rwa
access-policy 2 access-strict
access-policy 2 http ssh
no access-policy 2 rlogin
no access-policy 2 snmpv3
no access-policy 2 telnet

no access-policy 2 tftp
no access-policy 2 ftp

VSP4K-2:1(config)#show access-policy
************************************************************************************
Command Execution Time: Wed Dec 04 14:00:43 2019 KST
************************************************************************************

AccessPolicyEnable: off

                  Id: 1
                Name: default
        PolicyEnable: true
                Mode: deny
             Service: ftp|http|telnet|ssh
          Precedence: 128
         NetAddrType: any
             NetAddr: N/A
             NetMask: N/A
     TrustedHostAddr: N/A
TrustedHostUserName: none
         AccessLevel: readWriteAll
        AccessStrict: true
               Usage: 1

                  Id: 2
                Name: Allow_ssh_mgmt
        PolicyEnable: true
                Mode: allow
             Service: http|ssh
          Precedence: 10
         NetAddrType: ipv4
             NetAddr: 10.120.40.0
             NetMask: 255.255.255.0
     TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
         AccessLevel: readWriteAll
        AccessStrict: true
               Usage: 10

*Logs when non-allowed user tries to access via SSH

CP1 [12/04/19 13:57:42.070:KST] 0x00004745 00000000 GlobalRouter SNMP INFO ssh connection access from IP 10.120.41.153 is denied by policy id 1

CP1 [12/04/19 14:14:19.359:KST] 0x00004746 00000000 GlobalRouter SNMP INFO snmpv3 connection access from IP 10.120.41.211 is denied by no matching policy
CP1 [12/04/19 14:14:19.146:KST] 0x00004745 00000000 GlobalRouter SNMP INFO telnet connection access from IP 10.120.41.153 is denied

*Please find the VSP management access security from link below.

https://downloads.avaya.com/css/P8/documents/101009371

Re: VSP 8404c - Control Path lock down

aksidents — Thu, 05 Dec 2019 00:59:40 GMT

Thanks that worked perfectly!

topic Re: VSP 8404c - Control Path lock down in ExtremeSwitching (VSP/Fabric Engine)

VSP 8404c - Control Path lock down

Re: VSP 8404c - Control Path lock down

Re: VSP 8404c - Control Path lock down