Limit access to omniswitch

creedless

Limit access to omniswitch

Post by creedless »

Hi,

I have a 6850 switch acting like a router.

It has an interface with a public IP.

Looking at my logs, I saw many attempts to login from external networks.

So I need to limit the remote access (telnet, ssh, webview) to my OmniSwitch 6850 to just an external IP (ISP) and an internal VLAN.

How can I achieve this?

Do I have to use ACLs? If so, can anyone please give me an example of its configuration regarding this problem?

Thanks and regards,

Luis
MWLosRios

Re: Limit access to omniswitch

Post by MWLosRios »

You would need something like this:

policy service telnet destination tcp port 23
policy service ssh destination tcp port 22
policy service https destination tcp port 443
policy service group mgmtports telnet ssh https
policy condition ExternalManagement source ip x.x.x.x destination network group Switch service group mgmtports
policy condition InternalManagement source vlan x destination network group Switch service group mgmtports
policy condition Management destination network group Switch service group mgmtports
policy action Allow disposition accept
policy action Block disposition drop
policy rule AllowExternalManagement precedence 300 condition ExternalManagement action Allow
policy rule AllowInternalManagement precedence 250 condition InternalManagement action Allow
policy rule BlockManagement precedence 200 condition Management action Block

This will allow management access from external IP x.x.x.x and internal VLAN x. You may also need to adjust it if you want to allow things like SNMP.
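To see how the three rules interact, here is an added Python model (not OmniSwitch code and not part of the reply) that evaluates them the way the switch does: highest precedence first, first match decides. It assumes placeholder values: switch IPs 192.0.2.1 and 10.10.10.1 for the "Switch" group, 203.0.113.10 for the ISP host x.x.x.x, VLAN 10 as the internal VLAN, and a QoS default disposition of accept.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed placeholders standing in for the values in the reply above.
SWITCH_IPS = {ip_address("192.0.2.1"), ip_address("10.10.10.1")}  # network group Switch
ISP_HOST = ip_address("203.0.113.10")                              # source ip x.x.x.x
INTERNAL_VLAN = 10                                                 # source vlan x
MGMT_PORTS = {23: "telnet", 22: "ssh", 443: "https"}               # service group mgmtports


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    vlan: int            # VLAN the packet arrived on
    proto: str = "tcp"


def to_switch_mgmt(p: Packet) -> bool:
    """'destination network group Switch service group mgmtports'."""
    return (p.proto == "tcp"
            and ip_address(p.dst_ip) in SWITCH_IPS
            and p.dst_port in MGMT_PORTS)


# (precedence, condition, disposition), one entry per policy rule.
RULES = [
    (300, lambda p: ip_address(p.src_ip) == ISP_HOST and to_switch_mgmt(p), "accept"),
    (250, lambda p: p.vlan == INTERNAL_VLAN and to_switch_mgmt(p), "accept"),
    (200, to_switch_mgmt, "drop"),
]


def evaluate(p: Packet, rules=RULES) -> str:
    """Rules are tried from highest precedence down; the first match decides.
    If nothing matches, the QoS default disposition applies (assumed accept),
    so traffic outside the service group, e.g. SNMP on 161/udp, is untouched."""
    for _, cond, disposition in sorted(rules, key=lambda r: r[0], reverse=True):
        if cond(p):
            return disposition
    return "accept"


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.10", "192.0.2.1", 22, vlan=1),
                Packet("198.51.100.7", "192.0.2.1", 22, vlan=1),
                Packet("10.10.10.50", "10.10.10.1", 443, vlan=10),
                Packet("198.51.100.7", "192.0.2.1", 161, vlan=1, proto="udp")):
        print(pkt, "->", evaluate(pkt))
```

The last case shows why the reply mentions SNMP: ports that are not in the service group never reach the Block rule.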
benny

Re: Limit access to omniswitch

Post by benny »

First, it is best practice to disable the services/ports you don't use.

no ip service xyz (use question mark to find out more)

Create a policy which matches your IP address scheme. (Copied from Alcatel-Lucent TT 4125)

policy service HTTPS protocol 6 destination tcp port 443
policy service SSH protocol 6 destination tcp port 22
policy service TELNET protocol 6 destination tcp port 23
policy service FTP protocol 6 destination tcp port 21
policy service HTTP protocol 6 destination tcp port 80
policy service group ACCESS_PROTOCOL FTP SSH TELNET HTTPS HTTP
policy network group Management 128.251.16.218 mask 255.255.255.255 10.255.13.0 mask 255.255.255.0
policy network group SSH_HOSTS 10.255.14.146 mask 255.255.255.0
policy condition c1 source network group Management destination network group SSH_HOSTS service group ACCESS_PROTOCOL
policy condition c2 source network group Management destination network group Switch service group ACCESS_PROTOCOL
policy condition c3 source ip Any destination network group SSH_HOSTS service group ACCESS_PROTOCOL
policy condition c4 source ip Any destination network group Switch service group ACCESS_PROTOCOL
policy action ACCEPT
policy action DROP disposition drop
policy rule r1 precedence 2000 condition c1 action ACCEPT log
policy rule r2 precedence 2000 condition c2 action ACCEPT log
policy rule r3 precedence 2000 condition c3 action DROP log
policy rule r4 precedence 2000 condition c4 action DROP log

At least this should give you enough pointers to review the documentation in detail.

-benny
creedless

Re: Limit access to omniswitch

Post by creedless »

Many thanks!

It worked!

Just a reminder that after entering all these settings you must enter "qos apply" for them to become active.

Regards,

Luis Afonso