aaa authentication 6648

doctora

Post by doctora »

Is it possible to allow authentication on a per-port basis? I want to stop remote access on certain ports. AOS 5.1.6.424.R01

Thanks
benny

Post by benny »

Yes,

You can activate 802.1x on a per-port basis. The easiest way would be to use LPS (Learned Port Security) but 802.1x is also a good option. If you want to completely "shut down" ports, it is also possible to do that with the "interface slot/port admin down" command (You won't even get a link).

-benny
doctora

Post by doctora »

I am sorry, I was not very clear. I don't want to shut down a port. I am asking about certain authentication on a port, to limit telnet to certain ports on the switch.

Thanks
Mark
benny

Post by benny »

Hi Mark,

You can use the "no ip service" command to switch off ports on the switch. This way the protocol port will be closed and you can't reach the service any more.

e.g.


-> show configuration snapshot ip
! IP :
ip service all
ip interface "vlan-1" address 192.168.10.1 mask 255.255.255.0 vlan 1 mtu 1500 ifindex 1
-> show ip service 

  Name                   Port   Status  
----------------------+-------+---------
  ftp                      21   enabled 
  ssh                      22   enabled 
  telnet                   23   enabled 
  udp-relay                67   enabled 
  http                     80   enabled 
  network-time            123   enabled 
  snmp                    161   enabled 
  avlan-telnet            259   enabled 
  avlan-http              260   enabled 
  avlan-secure-http       261   enabled 
  secure-http             443   enabled 
  avlan-http-proxy        262   enabled 
  proprietary            1024   enabled 
  proprietary            1025   enabled 

-> no ip service http
-> show ip service 

  Name                   Port   Status  
----------------------+-------+---------
  ftp                      21   enabled 
  ssh                      22   enabled 
  telnet                   23   enabled 
  udp-relay                67   enabled 
  http                     80   disabled
  network-time            123   enabled 
  snmp                    161   enabled 
  avlan-telnet            259   enabled 
  avlan-http              260   enabled 
  avlan-secure-http       261   enabled 
  secure-http             443   enabled 
  avlan-http-proxy        262   enabled 
  proprietary            1024   enabled 
  proprietary            1025   enabled 

-> show configuration snapshot ip
! IP :
ip service ftp
ip service ssh
ip service telnet
ip service udp-relay
no ip service http
ip service network-time
ip service snmp
ip service avlan-telnet
ip service avlan-http
ip service avlan-secure-http
ip service secure-http
ip service avlan-http-proxy
ip service port 1024
ip service port 1025
ip interface "vlan-1" address 192.168.10.1 mask 255.255.255.0 vlan 1 mtu 1500 ifindex 1

Hope that helps... :)

Apologies for the misunderstanding.

P.S. In case you want to allow the administrator access only from specific physical ports to the switch you'll have to look into the ACL section of the documentation.
I don't think that a port based approach would be a good idea, I would recommend to limit the access to a specific ip address range.

-benny
doctora

Post by doctora »

Thanks for the help I had not considered using an ACL. I don't get to play very often and so far this has been fun.

policy condition denyTelnet ip protocol 6 destination ip port 23
policy condition allowTelnet source ip 10.10.31.138 ip protocol 6 destination ip port 23
policy action Allow
policy action Block disposition deny
policy rule BlockTelnet condition denyTelnet action Block
policy rule AllowTelnet condition allowTelnet action Allow

I know there is more above and below, but does that look close? This is a live switch and I don't want to mess it up. I am going to set up a test switch while I wait for your response.

Thanks again
Mark
benny

Post by benny »

Your rule will deny any telnet traffic in the network (not only to the switch). If this is what you want, you can do it.

I recommend to build a rule which uses the built-in group "Switch" which will always automatically contain all IP addresses of the switch.


-> show policy network group 
 Group Name                       From  Entries
 Switch                            blt  192.168.10.1

In addition, I strongly recommend looking into the "precedence" command, which puts your ACLs in order. (You need to make sure that the switch looks at the rule "allowing you to enter" before it looks at the "catch all and deny the traffic" rule.)

-benny
doctora

Post by doctora »

I understand, and I added a specific IP address so other Telnet/SSH requests will pass through.

Thanks for pointing out precedence. I was just reentering everything in the proper order. It was a pain.

It works great. I can access it from where I need to, and when I try from areas I should not be able to access it from, it fails. You would think it would be perfect, but this is not a perfect world.

The reason this came up is we noticed an attempt to SSH into our system every 5 minutes from random IPs. Even after I set up the ACL to stop it (and it does, from my tests), I still get the SSH entries in the log files. Does SSH use ports other than 22? I am blocking both UDP and TCP.

If you need I will post any data that might be helpful tomorrow.

Thanks
Mark
benny

Post by benny »

Telnet uses 23, SSH uses 22. If you could please post the following output:


-> show active policy rule
-> show qos config
-> show configuration snapshot qos

This should help to find out what is going wrong.

-benny
doctora

Post by doctora »

I hope this helps. I changed the IP address to protect the innocent. If I go home and try to SSH in, it will not work; I had another person try and it did not work for them either. I can SSH while at work. Why would I still get random SSH connections in my swlog? The IP addresses are definitely not 192.168.254.4. The bandwidth portion works fine. The other port groups are not in use.

Internet Gateway-> show active policy rule
Policy        From  Prec  Enab  Act  Refl  Log  Save  Matches
AllowTCPSSH   cli   5     Yes   Yes  No    No   Yes   13
  ( L3): SSHCond -> Allow

MaxBandRule   cli   0     Yes   Yes  No    No   Yes   239
  (L2/3): BandWidthRestrict -> MaxBandWidth

BlockSSH      cli   0     Yes   Yes  No    No   Yes   0
  ( L3): NoSSHCond -> Deny

BlockUDPSSH   cli   0     Yes   Yes  No    No   Yes   0
  ( L3): NoUDPSSHCond -> Deny

Internet Gateway-> show qos config
QoS Configuration:
Enabled : Yes
Pending changes : None
Classifier:
Default queues : 4
Trusted ports : No
Classify bridged at L3 : No
Flow table timeout : 300 seconds
Fragment table timeout : 10 seconds
Reflexive flow timeout : n/a
NAT flow timeout : n/a
Classify fragments : No
Default bridged disposition : accept
Default routed disposition : accept
Default IGMP disposition : accept
Logging:
Log lines : 256
Log level : 6
Log to console : No
Forward log : No
Stats interval : 60 seconds
Debug : info

Internet Gateway-> show configuration snapshot qos
! QOS :
policy port group Inside 1/15-25
policy port group OutSide 1/1
policy port group PGroup 1/25
policy condition BandWidthRestrict destination port group PGroup
policy condition NoSSHCond destination ip 192.168.254.254 ip protocol 6 destination ip port 22
policy condition NoUDPSSHCond destination ip 192.168.254.254 ip protocol 17 destination ip port 22
policy condition SSHCond source ip 192.168.254.4 ip protocol 6 destination ip port 22
policy action Allow
policy action Deny disposition drop
policy action MaxBandWidth maximum bandwidth 1.40M
policy rule AllowTCPSSH precedence 5 condition SSHCond action Allow
policy rule MaxBandRule condition BandWidthRestrict action MaxBandWidth
policy rule BlockSSH condition NoSSHCond action Deny
policy rule BlockUDPSSH condition NoUDPSSHCond action Deny
qos apply

Thanks.
silvio
Alcatel Unleashed Certified Guru
Posts: 2111
Joined: 01 Jul 2008 10:51
Location: Germany

Post by silvio »

Hi doctora,
try this command: "qos classifyl3 bridged" - it configures the switch to classify bridged traffic using Layer 3 information.

If this doesn't help:
your remaining config seems to be fine. But there is no matched traffic for either deny rule. In my experience you should not put too many conditions in one "policy condition". Try with fewer entries, so that you get some matches:
first: policy condition NoSSHCond destination ip 192.168.254.254 => you should see some matches (if you try to connect from the wrong source IP)
then: policy condition NoSSHCond destination ip 192.168.254.254 destination ip port 22
... and so on, as long as there are no matches. That way you can see the issue.

with
-> show active policy rule you can see after 1 minute (= Stats interval) the matches.

Why do you need to deny only SSH access?
I have often used the following config successfully to allow access only from three IP addresses (with R6 switches, but it should also work on the 6600):
-> policy network group mgmt-pc 10.16.10.1 10.16.10.2 10.16.10.3
-> policy condition allow_mgmt source network group mgmt-pc
-> policy condition deny_mgmt source ip Any destination network group Switch
-> policy action allow_mgmt
-> policy action deny_mgmt disposition deny
-> policy rule allow_mgmt precedence 100 condition allow_mgmt action allow_mgmt
-> policy rule deny_mgmt precedence 10 condition deny_mgmt action deny_mgmt
-> qos apply

There is a default network group “Switch”, with all ip-interfaces of the switch (-> show policy network group)

with the following I allow only the wanted services for access:
-> no ip service all
-> ip service ftp ssh udp-relay network-time snmp

I hope this is helpful to you.
Regards, Silvio
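The two checks benny and silvio raise in this thread (an allow rule must out-rank its deny rule via precedence, and a deny rule showing 0 matches while "Classify bridged at L3" is "No" points at "qos classifyl3 bridged") can be automated against pasted "show" output. The script below is an added example, not code from the thread or from Alcatel; its parsing assumes the column layout of "show active policy rule", the "key : value" layout of "show qos config" and the "policy condition/action/rule" lines of "show configuration snapshot qos" as they appear in the posts above. The sample outputs are constructed for the example (addresses and rule names are illustrative), and the function names and finding strings are the example's own.

```python
"""Audit an OmniSwitch QoS policy set for two pitfalls raised in the thread:
an allow rule that does not out-rank its deny rule (precedence), and deny rules
that never match because bridged traffic is not classified at Layer 3.

Added example, not the thread's own code. The sample outputs are constructed
to mimic the 'show' commands pasted in the thread (assumption: same layout)."""
import re

# Constructed sample: 'show configuration snapshot qos'
SNAPSHOT = """\
! QOS :
policy condition NoSSHCond destination ip 192.168.254.254 ip protocol 6 destination ip port 22
policy condition SSHCond source ip 192.168.254.4 ip protocol 6 destination ip port 22
policy action Allow
policy action Deny disposition drop
policy rule AllowTCPSSH precedence 5 condition SSHCond action Allow
policy rule BlockSSH condition NoSSHCond action Deny
qos apply
"""

# Constructed sample: 'show active policy rule'
ACTIVE = """\
Policy        From  Prec  Enab  Act  Refl  Log  Save  Matches
AllowTCPSSH   cli   5     Yes   Yes  No    No   Yes   13
( L3): SSHCond -> Allow

BlockSSH      cli   0     Yes   Yes  No    No   Yes   0
( L3): NoSSHCond -> Deny
"""

# Constructed sample: 'show qos config' (only the keys used here)
QOS_CONFIG = """\
QoS Configuration:
Enabled : Yes
Classify bridged at L3 : No
Default routed disposition : accept
"""

# One row of 'show active policy rule': name, from, prec, enab, (act refl log save), matches
ROW_RE = re.compile(r"^(\S+)\s+\S+\s+(\d+)\s+(Yes|No)\s+(?:\S+\s+){4}(\d+)\s*$")


def parse_active_rules(text):
    """Map rule name -> {prec, enabled, matches} from 'show active policy rule'."""
    rules = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rules[m.group(1)] = {"prec": int(m.group(2)),
                                 "enabled": m.group(3) == "Yes",
                                 "matches": int(m.group(4))}
    return rules


def parse_qos_config(text):
    """Map 'key : value' lines of 'show qos config' to a dict."""
    cfg = {}
    for line in text.splitlines():
        if " : " in line:
            key, val = line.split(" : ", 1)
            cfg[key.strip()] = val.strip()
    return cfg


def parse_snapshot(text):
    """Return (conditions, actions, rules) from 'show configuration snapshot qos'.
    Unspecified precedence is 0 and an action without disposition accepts (as the
    thread's own output shows for Allow/prec-less rules)."""
    conds, actions, rules = {}, {}, {}
    for line in text.splitlines():
        m = re.match(r"policy condition (\S+) (.*)", line)
        if m:
            port = re.search(r"destination ip port (\d+)", m.group(2))
            conds[m.group(1)] = {"dst_port": int(port.group(1)) if port else None}
            continue
        m = re.match(r"policy action (\S+)(?: disposition (\S+))?", line)
        if m:
            actions[m.group(1)] = m.group(2) or "accept"
            continue
        m = re.match(r"policy rule (\S+)(?: precedence (\d+))? condition (\S+) action (\S+)", line)
        if m:
            rules[m.group(1)] = {"prec": int(m.group(2) or 0),
                                 "cond": m.group(3), "action": m.group(4)}
    return conds, actions, rules


def audit(snapshot, active, qos_config):
    """Return a list of findings; an empty list means both checks passed."""
    conds, actions, rules = parse_snapshot(snapshot)
    stats = parse_active_rules(active)
    cfg = parse_qos_config(qos_config)
    denies = {n: r for n, r in rules.items() if actions.get(r["action"]) in ("deny", "drop")}
    allows = {n: r for n, r in rules.items() if actions.get(r["action"]) == "accept"}
    findings = []
    for dn, d in denies.items():
        dport = conds.get(d["cond"], {}).get("dst_port")
        # Higher precedence value is evaluated first, so the allow must be strictly higher.
        for an, a in allows.items():
            if conds.get(a["cond"], {}).get("dst_port") == dport and a["prec"] <= d["prec"]:
                findings.append(f"precedence: {an} ({a['prec']}) does not out-rank {dn} ({d['prec']})")
        if stats.get(dn, {}).get("matches") == 0 and cfg.get("Classify bridged at L3") == "No":
            findings.append(f"no-match: {dn} has 0 matches while 'Classify bridged at L3' is No; "
                            "try 'qos classifyl3 bridged'")
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT, ACTIVE, QOS_CONFIG):
        print(f)
```

Feed it the three outputs from the switch you are auditing; with the sample data it reports only the no-match finding, because the precedence ordering in the thread's config (allow at 5, deny at 0) is already correct.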