Hello,
I am trying to write an ACL for an OS6900 layer 3 switch.
This switch is doing routing in a service provider network and we are trying to write an ACL that will only allow SSH traffic from our management VLAN 500.
The switch will have a management IP address of 172.16.5.200 and we only want to allow SSH and web interface traffic from subnets 172.16.1.0/24 and 172.16.5.0/24.
Would anyone be able to assist in telling us how to complete this? We are moving from Cisco over to ALE for our network needs and are still learning.
OS6900 ACL
Re: OS6900 ACL
Hi, something like this would work:
I'm being very explicit with the rules, but you can actually simplify this a little bit.
policy network group "management subnets" 172.16.1.0/24 172.16.5.0/24
policy condition "management to sw" source network group "management subnets" destination network group Switch
policy condition "non-management to sw" source ip 0.0.0.0/0 destination network group Switch
policy action "allow"
policy action "deny" disposition deny
policy rule "allow management to sw" precedence 1000 condition "management to sw" action "allow"
policy rule "deny non-management to sw" precedence 900 condition "non-management to sw" action "deny"
qos apply
Re: OS6900 ACL
Is there a way to also limit SNMP traffic from the 172.16.1.0/24 subnet and the 172.16.5.0/24 subnet?
What I really want to do is lock this switch down from the outside world and only allow those subnets access to the switch itself for login, SNMP, etc.
Re: OS6900 ACL
The example I posted blocks everything from all subnets (except the ones you manually added to the "management subnets" group).
The keyword 'Switch' represents the device itself, so all protocols (SSH, Telnet, SNMP, HTTPS, etc.) fall under this.
Re: OS6900 ACL
I applied this config and it cut off everything on my switch.
We have public IPs loaded onto this switch for internet routing to our end users.
We just do not want anyone to be able to access the switch itself, but the layer 3 routing should still take place.
Re: OS6900 ACL
Strange... the config from Cristek is correct. Only users within the management network have access to the switch. The routing through the switch is not affected by these rules. You can check the reason in different ways.
The easiest is to check the matched rules (show active policy rules).
For special services like SNMP you can add the service UDP 161 (for SNMP) as destination in the allowed condition "management to sw".
BR Silvio
Re: OS6900 ACL
That's weird, it shouldn't block everything else.
As per Silvio, you can change:
destination network group Switch
with:
destination network group Switch destination udp-port 161
to specify additional parameters (in this case SNMP port 161)
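To see why routed traffic is unaffected and what the precedence values do, here is an added Python model of the rule set discussed in this thread (example code, not from the thread or from AOS). It evaluates constructed sample packets against the two rules, with the switch's management address 172.16.5.200 standing in for the built-in Switch group (an assumption), and also shows the effect of narrowing the allow condition to udp-port 161.

```python
from ipaddress import ip_address, ip_network

# Constructed values standing in for the thread's setup: the switch's own
# management address plays the role of the built-in "Switch" network group.
SWITCH_GROUP = [ip_network("172.16.5.200/32")]
MANAGEMENT_SUBNETS = [ip_network("172.16.1.0/24"), ip_network("172.16.5.0/24")]
ANY = [ip_network("0.0.0.0/0")]

def in_group(addr, group):
    return any(ip_address(addr) in net for net in group)

def condition(src_group, dst_group, dst_udp_port=None):
    """Build a policy condition; every listed criterion must match (logical AND)."""
    def matches(pkt):
        if not (in_group(pkt["src"], src_group) and in_group(pkt["dst"], dst_group)):
            return False
        if dst_udp_port is None:
            return True
        return pkt["proto"] == "udp" and pkt["dport"] == dst_udp_port
    return matches

# (name, precedence, condition, disposition), mirroring the policy rules in the thread.
RULES = [
    ("allow management to sw", 1000, condition(MANAGEMENT_SUBNETS, SWITCH_GROUP), "accept"),
    ("deny non-management to sw", 900, condition(ANY, SWITCH_GROUP), "deny"),
]

# Same rule set with the allow condition narrowed to SNMP (destination udp-port 161):
# only SNMP from the management subnets still matches the allow rule.
RULES_SNMP_ONLY = [
    ("allow management to sw", 1000, condition(MANAGEMENT_SUBNETS, SWITCH_GROUP, 161), "accept"),
    RULES[1],
]

def evaluate(pkt, rules=RULES):
    """Return (matching rule name, disposition). The highest-precedence matching rule
    wins; a packet matching no rule keeps the default disposition and is forwarded."""
    for name, _, cond, disp in sorted(rules, key=lambda r: r[1], reverse=True):
        if cond(pkt):
            return name, disp
    return None, "accept"

def pkt(src, dst, proto="tcp", dport=22):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    samples = [
        pkt("172.16.1.10", "172.16.5.200"),              # SSH from a management subnet
        pkt("203.0.113.7", "172.16.5.200"),              # SSH from an outside address
        pkt("203.0.113.7", "198.51.100.9"),              # transit traffic routed through the switch
        pkt("172.16.1.10", "172.16.5.200", "udp", 161),  # SNMP from a management subnet
    ]
    for p in samples:
        print(p["src"], "->", p["dst"], p["proto"], p["dport"], evaluate(p))
```

The transit packet matches neither condition because its destination is not the switch itself, which is why the routing keeps working while only management-plane access is filtered.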
