Policies (.pol) for Telnet/SSH/WEB access
‎01-07-2014 09:52 PM
Create Date: Apr 19 2012 7:41AM
I cannot seem to lock down my Extreme 450e stack.
I have created Mgmt.pol as per the below:
    entry Mgmt_allow {
        if {
            source-address 192.168.1.249/32;
            source-address x.x.x.x/28;
            source-address y.y.y.y/32;
        } then {
            permit;
        }
    }
    entry Mgmt_deny {
        if {
        } then {
            deny;
        }
    }
I have then run
    Slot-1 xxxx # check policy Mgmt
    Policy file check successful.
then
    configure telnet access-profile Mgmt
However, I can still telnet to the device. Could I ask what I am doing wrong?
(from lee_byatt)
3 REPLIES
Create Date: Apr 20 2012 1:27AM
Looks a bit complicated to me, try the form:
    entry Mgmt_allow {
        if match any {
            source-address x.x.x.x/x;
            source-address y.y.y.y/y;
        } then {
            permit;
        }
    }
By the way, this is fine for SSH/telnet but doesn't work for web access control - you can't use a policy file for that; you have to enter it on the CLI as an access list. I have moaned about this many times but they haven't fixed it yet. (from David_Rickard)
Create Date: Apr 19 2012 3:01PM
Also try using counters and see if the policy is being hit.
(from Arpit_Bhatt)
Create Date: Apr 19 2012 2:59PM
Since the telnet access rule can only recognize the source-address modifier, can you modify your policy to include the following in Mgmt_deny and let me know if that works for you?
    source-address 0.0.0.0/0;
(from Arpit_Bhatt)
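The two fixes suggested in this thread (David_Rickard's "if match any" on the permit entry, and Arpit_Bhatt's explicit "source-address 0.0.0.0/0" in the deny entry) can be checked offline before the policy goes onto a switch. The script below is an added example written for this page; it is not code from the thread or from Extreme Networks, and it is a model of the .pol entry syntax rather than the switch's own policy engine. It assumes first-match evaluation, that an entry with no "match" keyword behaves as "match all", and that an empty "if { }" block matches every source. The addresses in both sample policies are placeholders constructed for the example, not the poster's real networks.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample policies modelled on the thread. The addresses are
# placeholders chosen for this example, not the original poster's networks.
ORIGINAL_POLICY = """
entry Mgmt_allow {
    if {
        source-address 192.168.1.249/32;
        source-address 10.10.10.0/28;
        source-address 172.16.0.5/32;
    } then {
        permit;
    }
}
entry Mgmt_deny {
    if {
    } then {
        deny;
    }
}
"""

# Same networks, rewritten with the two suggestions from the replies:
# "match any" on the permit entry and an explicit catch-all deny.
CORRECTED_POLICY = """
entry Mgmt_allow {
    if match any {
        source-address 192.168.1.249/32;
        source-address 10.10.10.0/28;
        source-address 172.16.0.5/32;
    } then {
        permit;
    }
}
entry Mgmt_deny {
    if match any {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}
"""

ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\w+)\s*\{\s*"
    r"if\s*(?:match\s+(?P<mode>any|all))?\s*\{(?P<conds>[^}]*)\}\s*"
    r"then\s*\{(?P<action>[^}]*)\}\s*\}"
)
COND_RE = re.compile(r"source-address\s+([0-9a-fA-F.:/]+)\s*;")
ACTION_RE = re.compile(r"\b(permit|deny)\b")


@dataclass
class Entry:
    name: str
    mode: str        # "any" or "all"
    networks: list   # ipaddress network objects, in file order
    action: str      # "permit" or "deny"


def parse(text):
    """Parse the subset of .pol syntax used in the thread into Entry objects."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        # Assumption: an entry without a match keyword behaves as 'match all'.
        mode = m.group("mode") or "all"
        nets = [ipaddress.ip_network(c, strict=False)
                for c in COND_RE.findall(m.group("conds"))]
        action = ACTION_RE.search(m.group("action"))
        if action is None:
            raise ValueError(f"entry {m.group('name')}: no permit/deny action")
        entries.append(Entry(m.group("name"), mode, nets, action.group(1)))
    return entries


def never_matches(entry):
    """True when a 'match all' entry lists prefixes with no address in common.

    'match all' requires the source to lie inside every listed prefix, which
    is only possible when the prefixes nest inside one another.  Three
    unrelated networks therefore make the entry dead, which is why the
    original permit entry in the thread can never fire.
    """
    if entry.mode != "all" or len(entry.networks) < 2:
        return False
    nets = sorted(entry.networks, key=lambda n: n.prefixlen)
    return any(not b.subnet_of(a) for a, b in zip(nets, nets[1:]))


def evaluate(entries, src):
    """Return (entry name, action) for the first entry the source matches,
    or (None, "no-match") when no entry matches."""
    addr = ipaddress.ip_address(src)
    for e in entries:
        hits = [addr in n for n in e.networks]
        # all([]) is True, so an empty 'if { }' block matches every source
        # (assumption about how the switch treats an empty condition set).
        matched = all(hits) if e.mode == "all" else any(hits)
        if matched:
            return e.name, e.action
    return None, "no-match"


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        entries = parse(text)
        dead = [e.name for e in entries if never_matches(e)]
        print(f"{label}: entries that can never match = {dead}")
        for src in ("192.168.1.249", "10.10.10.7", "203.0.113.9"):
            print(f"  {src:>15} -> {evaluate(entries, src)}")
```

Running it shows the original permit entry flagged as dead, so every source falls through to the deny entry, while the corrected policy permits the three management sources and denies everything else via the explicit 0.0.0.0/0 entry. Pair a check like this with the counters suggested above: a permit entry whose counter never increments is the on-switch symptom of the same "match all" problem.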
