How to setup access list on SSH
networkz
I am trying to set up an access list to allow certain IPs to access SSH. How would I configure this access list on the Alcatel 6920? AOS 7.3.
Re: How to setup access list on SSH
Hi,
This will be similar to the R6 switches, so you can try with the information from here: viewtopic.php?f=189&t=11947
There is an example to allow access only from three IP addresses:
-> policy network group mgmt-pc 10.16.10.1 10.16.10.2 10.16.10.3
-> policy condition allow_mgmt source network group mgmt-pc
-> policy condition deny_mgmt source ip Any destination network group Switch
-> policy action allow_mgmt
-> policy action deny_mgmt disposition deny
-> policy rule allow_mgmt precedence 100 condition allow_mgmt action allow_mgmt
-> policy rule deny_mgmt precedence 10 condition deny_mgmt action deny_mgmt
-> qos apply
On all switches there is a default network group “Switch” with all IP interfaces of the switch (-> show policy network group).
You can also use services to make this ACL only for SSH. But if you allow remote access to the switch only via SSH, then you can use "aaa authentication" and/or "ip services" to allow only the desired ones to reach the switch.
regards
Silvio
networkz
Re: How to setup access list on SSH
In the config,
-> policy network group mgmt-pc 10.16.10.1 10.16.10.2 10.16.10.3 ...how do I include a subnet?
-> policy action deny_mgmt disposition deny
-> policy rule deny_mgmt precedence 10 condition deny_mgmt action deny_mgmt -> are these two statements mandatory? Do I always have to include a deny statement? Or if it's not in the allowed list, then it must be denied?
Re: How to setup access list on SSH
-> policy network group mgmt-pc 10.16.10.1 10.16.10.2 10.16.10.3 ...how do I include a subnet?
-> policy network group mgmt-pc 10.16.10.0 mask 255.255.255.0
-> policy rule deny_mgmt precedence 10 condition deny_mgmt action deny_mgmt -> are these two statements mandatory? Do I always have to include a deny statement? Or if it's not in the allowed list, then it must be denied?
The default QoS setting in the switches is to allow all traffic. With my example you deny all traffic to the switch IP, but for management I must allow this traffic first (with higher precedence).
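As an added illustration (not from the thread or from Alcatel-Lucent), a small Python model of the rule evaluation Silvio describes: the matching rule with the highest precedence decides, and a packet that matches no rule falls through to the default allow, which is why the deny rule is needed and why the allow rule must sit above it. The mgmt-pc subnet is the one from the reply; the address placed in the "Switch" group is an assumed example.

```python
import ipaddress

# Constructed model of the thread's QoS policy (not OmniSwitch code): the
# highest-precedence matching rule decides, and no match means the default,
# which the reply states is "allow all". The "Switch" group address is made up.
NETWORK_GROUPS = {
    # policy network group mgmt-pc 10.16.10.0 mask 255.255.255.0
    "mgmt-pc": [ipaddress.ip_network("10.16.10.0/255.255.255.0")],
    "Switch": [ipaddress.ip_network("10.16.1.1/32")],
}
# policy condition ...: None stands for "Any" (no constraint on that field)
CONDITIONS = {
    "allow_mgmt": {"source": "mgmt-pc", "destination": None},
    "deny_mgmt": {"source": None, "destination": "Switch"},
}
# policy action ...: an action without "disposition deny" accepts
ACTIONS = {"allow_mgmt": "accept", "deny_mgmt": "deny"}
# policy rule <name> precedence <n> condition <c> action <a>
RULES = [
    ("allow_mgmt", 100, "allow_mgmt", "allow_mgmt"),
    ("deny_mgmt", 10, "deny_mgmt", "deny_mgmt"),
]

def in_group(addr, group):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NETWORK_GROUPS[group])

def evaluate(src, dst, rules=RULES):
    """Disposition for a packet src -> dst under the given rules."""
    for _name, _prec, cond, act in sorted(rules, key=lambda r: r[1], reverse=True):
        c = CONDITIONS[cond]
        if c["source"] and not in_group(src, c["source"]):
            continue
        if c["destination"] and not in_group(dst, c["destination"]):
            continue
        return ACTIONS[act]
    return "accept"  # no rule matched: switch default

def precedence_swapped():
    """Same rules with deny ranked above allow: management traffic is denied too."""
    swapped = [("allow_mgmt", 10, "allow_mgmt", "allow_mgmt"),
               ("deny_mgmt", 100, "deny_mgmt", "deny_mgmt")]
    return evaluate("10.16.10.5", "10.16.1.1", swapped)

if __name__ == "__main__":
    print(evaluate("10.16.10.5", "10.16.1.1"))            # accept: allow at 100 beats deny at 10
    print(evaluate("192.0.2.9", "10.16.1.1"))             # deny: not in mgmt-pc, sent to the switch
    print(evaluate("192.0.2.9", "10.16.1.1", RULES[:1]))  # accept: without the deny rule nothing is blocked
    print(precedence_swapped())                           # deny
```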

