OS6900 ACL
Posted: 11 Dec 2024 19:35
by mspdog22
Hello
I am trying to write an ACL for os6900 layer 3 switch.
This switch is doing routing in a service provider network and we are trying to write an ACL that will only allow ssh traffic from our mgmt vlan 500.
The switch will have a mgmt IP address of 172.16.5.200, and we only want to allow ssh and web interface traffic from subnets 172.16.1.0/24 and 172.16.5.0/24.
Would anyone be able to assist in telling us how to complete this? We are moving from Cisco over to ALE for our network needs and still learning.
Re: OS6900 ACL
Posted: 12 Dec 2024 04:01
by Cristek
Hi, something like this would work:
policy network group "management subnets" 172.16.1.0/24 172.16.5.0/24
policy condition "management to sw" source network group "management subnets" destination network group Switch
policy condition "non-management to sw" source ip 0.0.0.0/0 destination network group Switch
policy action "allow"
policy action "deny" disposition deny
policy rule "allow management to sw" precedence 1000 condition "management to sw" action "allow"
policy rule "deny non-management to sw" precedence 900 condition "non-management to sw" action "deny"
qos apply
I'm being very explicit with the rules, but you can actually simplify this a little bit.
Re: OS6900 ACL
Posted: 12 Dec 2024 04:48
by mspdog22
Is there a way to also limit snmp traffic from the 172.16.1.0/24 subnet and the 172.16.5.0/24 subnet?
What I really want to do is lock this switch down to the outside world and only allow those subnets access to the switch itself for login, snmp, etc.
Re: OS6900 ACL
Posted: 13 Dec 2024 03:13
by Cristek
The example I posted blocks everything from all subnets (except the ones you manually added to the "management subnets" group).
The keyword 'Switch' represents the device so all protocols (ssh telnet snmp https etc) would fall under this.
Re: OS6900 ACL
Posted: 30 Dec 2024 02:55
by mspdog22
I applied this config and it cut everything on my switch.
We have public IP loaded onto this switch for internet routing to our end users.
We just do not want anyone to be able to access the switch but the layer 3 routing can still take place.
Re: OS6900 ACL
Posted: 08 Jan 2025 06:06
by silvio
Strange... the config from Cristek is correct. Only users within the management network have access to the switch. The routing through the switch is not affected by these rules. You can check the reason in different ways.
The easiest is to check the matched rules (show active policy rules).
For special services like snmp you can add the service udp 161 (for snmp) as destination in the allowed condition "management to sw".
BR Silvio
Re: OS6900 ACL
Posted: 08 Jan 2025 13:36
by Cristek
That's weird, it shouldn't block everything else.
As per Silvio, you can change:
with:
destination network group Switch destination udp-port 161
to specify additional parameters (in this case snmp port 161)
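To make the behaviour Silvio describes concrete (management subnets reach the switch, everything else destined to the switch is denied, transit routing is never touched, and a udp-port 161 condition narrows a rule to snmp), here is an added Python model of the policy objects from Cristek's config. It is example code written for this thread, not AOS code or output; the evaluation order (highest precedence first, first match wins, unmatched traffic simply forwarded) and the switch address 172.16.5.200 standing in for the "Switch" group are assumptions taken from the posts above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the thread's policy objects. Assumption: "Switch" is the
# group of the switch's own addresses; rules are checked highest precedence
# first, first match wins, and traffic matching no rule is forwarded normally.
SWITCH_ADDRESSES = {ip_address("172.16.5.200")}
NETWORK_GROUPS = {
    "management subnets": [ip_network("172.16.1.0/24"), ip_network("172.16.5.0/24")],
    "any": [ip_network("0.0.0.0/0")],              # "source ip 0.0.0.0/0"
}

@dataclass
class Condition:
    source_group: str
    to_switch: bool                     # "destination network group Switch"
    dest_udp_port: Optional[int] = None  # "destination udp-port N", if present

@dataclass
class Rule:
    name: str
    precedence: int
    condition: Condition
    action: str                         # "allow" or "deny"

def condition_matches(cond, src, dst, proto, dport):
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if not any(src_ip in net for net in NETWORK_GROUPS[cond.source_group]):
        return False
    if cond.to_switch and dst_ip not in SWITCH_ADDRESSES:
        return False            # routed transit traffic never matches
    if cond.dest_udp_port is not None and (proto != "udp" or dport != cond.dest_udp_port):
        return False
    return True

def evaluate(rules, src, dst, proto="tcp", dport=22):
    """Action of the first matching rule in precedence order, else 'forward'."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if condition_matches(rule.condition, src, dst, proto, dport):
            return rule.action
    return "forward"

RULES = [
    Rule("allow management snmp to sw", 1010,
         Condition("management subnets", True, dest_udp_port=161), "allow"),
    Rule("allow management to sw", 1000, Condition("management subnets", True), "allow"),
    Rule("deny non-management to sw", 900, Condition("any", True), "deny"),
]
```

Run `evaluate(RULES, "203.0.113.7", "198.51.100.9")` to see that traffic merely routed through the switch returns "forward", which is the case the 30 Dec post was worried about.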