11-05-2013 10:55 AM
We recently got a SG300-10 switch and we are in need of some assistance with creating an access list for SSH access. The switch is running SW version 1.3.0.62. We would like to make it so SSH access is only allowed from the 192.168.1.0 network. We would also like to have every attempt to tcp port 22 for SSH logged. Right now, SSH is accessible from any IP including external (Internet). Here is what we have at the moment. The switch has an IP of 192.168.1.7.
...
ip access-list extended SSH_access
permit ip 192.168.1.0 0.0.0.255 192.168.1.7 0.0.0.0
exit
line ssh
exec-timeout 0
exit
...
External users (Internet) are still able to try and SSH in. Please advise.
11-07-2013 05:11 AM
You defined an ip access-list. Those are for filtering routed traffic, not for controlling access to the switch itself. What's more, it looks like you didn't activate it on any interface (via the access-class command), so it doesn't have any effect at all.
For controlling access to the switch itself, you need to define a management access-list and activate it with the management access-class command. Unfortunately the syntax of those differs quite a bit from the standard ACLs. For example:
management access-list SSH_access
permit ip-source 192.168.1.0 mask /24 service ssh
permit service https
deny
exit
management access-class SSH_access
would allow SSH from the 192.168.1.0 network and HTTPS from everywhere, but disallow everything else (i.e. Telnet or HTTP). Details can be found in ch. 11 "Management ACL Commands" of the 300 Series CLI Guide.
HTH
Tilman
11-06-2013 11:13 AM
Off the top of my head (untested)
permit tcp 192.168.1.0 0.0.0.255 any 192.168.1.7 0.0.0.0 22
deny tcp any any 192.168.1.7 0.0.0.0 22
permit ip any any
11-07-2013 08:22 AM
Thanks for the information. We will try this out tomorrow night and let you know. Thanks.
11-11-2013 06:08 AM
Tilman,
That worked. Here are the statements needed. This allows for internal access to the SSH and HTTPS services.
management access-list MGMT_ACCESS
permit ip-source 192.168.1.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.1.0 mask 255.255.255.0 service https
deny ip
exit
management access-class MGMT_ACCESS
Thanks for the assistance.
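As an added example (not from the thread or from Cisco), a small Python model of how the two management access-lists posted above filter management requests, useful for checking an ACL against sample sources before activating it. It assumes rules are evaluated top-down with the first match deciding and that an unmatched request is denied (the explicit deny line in both lists makes that default moot); the test addresses are constructed.

```python
import ipaddress

# Constructed copies of the two management ACLs posted in this thread.
TILMAN_ACL = """management access-list SSH_access
permit ip-source 192.168.1.0 mask /24 service ssh
permit service https
deny
exit"""

FINAL_ACL = """management access-list MGMT_ACCESS
permit ip-source 192.168.1.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.1.0 mask 255.255.255.0 service https
deny ip
exit"""


def parse_rule(line):
    """Turn one 'permit ...' / 'deny ...' line into (action, network, service).
    A missing ip-source or service means 'any'."""
    tokens = line.split()
    action, i = tokens[0], 1
    network = service = None
    while i < len(tokens):
        if tokens[i] == "ip-source":
            addr, mask, i = tokens[i + 1], "/32", i + 2
            if i < len(tokens) and tokens[i] == "mask":
                mask, i = tokens[i + 1], i + 2  # '/24' or '255.255.255.0'
            cidr = addr + mask if mask.startswith("/") else f"{addr}/{mask}"
            network = ipaddress.ip_network(cidr, strict=False)
        elif tokens[i] == "service":
            service, i = tokens[i + 1], i + 2
        else:
            i += 1  # the bare 'ip' in 'deny ip' adds no constraint here
    return action, network, service


def parse_acl(config):
    """Keep only the permit/deny lines; headers and 'exit' are not rules."""
    return [parse_rule(l) for l in config.splitlines()
            if l.split() and l.split()[0] in ("permit", "deny")]


def evaluate(rules, src_ip, service):
    """First matching rule wins; assumption: no match is treated as deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, network, svc in rules:
        if (network is None or ip in network) and (svc is None or svc == service):
            return action
    return "deny"
```

With these lists, an internal host gets SSH under both, while HTTPS from an external address is permitted by the first list and denied by the final one.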
11-11-2013 06:55 AM
Thanks for the feedback.
Glad I could help.