SF220 : Management Profile BUG: Network Mask Format Mismatch

Erwan LE BIHAN
Level 1

Hi all.

I will open a case with TAC, but I found a bug in the latest SF220 firmware, 1.2.0.3.

Let's say you want to restrict access to the switch using Management Access Profiles & Rules.

I am allowed to write a new rule, let's name it #1: allow all management methods, all interfaces, and filter on IPv4:

IP Address: 172.16.3.0

Mask: 255.255.255.0 or 24 (as the range is 0-32).

All is correctly displayed on the web interface (if you enter 24 => 255.255.255.0) and Prefix Length is 24 in the Access Profiles table.

This translates to something like:

management access-list MGMT_LAN

sequence 1 permit ip 172.16.3.0/255.255.255.0 interfaces all service all

management access-class MGMT_LAN

 

And it doesn't work at all: the switch is unreachable.

BUT

if you write something silly (or not so, knowing Cisco...)

Mask: 0.0.0.255

which is not correctly displayed in the Access Profiles table

and is translated to:

sequence 1 permit ip 172.16.3.0/0.0.0.255 interfaces all service all

It works: only PCs in 172.16.3.0/24 are allowed to connect.

(Also tested with 0.0.0.7, and yes, it restricts to the 6 IPs in this subnet.)

 

=> So there's a glitch: the web interface is expecting a standard CIDR netmask while the internal config is expecting a regular Cisco ACL netmask.
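
As an added illustration (not part of the original post, and not Cisco's code), the following Python script models the two readings of the same mask field that the post describes: netmask semantics, where the bits set in the mask must match, and Cisco ACL wildcard semantics, where the bits set in the mask are don't-care bits. The host addresses are constructed samples. It shows why `172.16.3.0/255.255.255.0` read as a wildcard admits only addresses whose last octet is 0 (so an ordinary host such as 172.16.3.10 is locked out, which matches the "switch is unreachable" symptom), while `0.0.0.255` read as a wildcard admits exactly the /24, and it includes the prefix-to-netmask and netmask-to-wildcard conversions you need to translate the GUI value into the CLI value.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer (raises ValueError on junk)."""
    return int(ipaddress.IPv4Address(addr))


def to_str(n: int) -> str:
    """32-bit integer -> dotted-decimal string; masks to 32 bits so ~x is safe."""
    return str(ipaddress.IPv4Address(n & ALL_ONES))


def prefix_to_netmask(prefix: int) -> str:
    """Prefix length as typed in the GUI (e.g. 24) -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return to_str(ALL_ONES << (32 - prefix))


def netmask_to_wildcard(mask: str) -> str:
    """Bitwise inverse: 255.255.255.0 -> 0.0.0.255 (the form the CLI accepted)."""
    return to_str(~to_int(mask))


def is_contiguous_netmask(mask: str) -> bool:
    """True for a CIDR-style mask (ones then zeros), False for e.g. 0.0.0.255."""
    inv = ~to_int(mask) & ALL_ONES
    return (inv & (inv + 1)) == 0


def match_netmask(host: str, base: str, mask: str) -> bool:
    """Netmask semantics: bits SET in the mask must be equal in host and base."""
    m = to_int(mask)
    return (to_int(host) & m) == (to_int(base) & m)


def match_wildcard(host: str, base: str, wildcard: str) -> bool:
    """Cisco ACL wildcard semantics: bits SET in the wildcard are ignored."""
    m = ~to_int(wildcard) & ALL_ONES
    return (to_int(host) & m) == (to_int(base) & m)


def wildcard_span(wildcard: str) -> int:
    """Number of addresses a wildcard admits: 2 ** (number of set bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def compare(base: str, mask_field: str, hosts):
    """For each host: (permitted under netmask reading, permitted under wildcard reading)."""
    return {
        h: (match_netmask(h, base, mask_field), match_wildcard(h, base, mask_field))
        for h in hosts
    }


# Constructed sample hosts: one ordinary host in the /24, the network address
# itself, a host in a neighbouring /24, and an address ending in .0 elsewhere.
SAMPLE_HOSTS = ["172.16.3.10", "172.16.3.0", "172.16.4.10", "10.0.0.0"]

if __name__ == "__main__":
    for field in ("255.255.255.0", "0.0.0.255"):
        print(f"base 172.16.3.0, mask field {field} "
              f"(contiguous netmask: {is_contiguous_netmask(field)})")
        for host, (as_mask, as_wild) in compare("172.16.3.0", field, SAMPLE_HOSTS).items():
            print(f"  {host:<12} netmask reading: {str(as_mask):<5} wildcard reading: {as_wild}")
    print("0.0.0.7 as a wildcard admits", wildcard_span("0.0.0.7"), "addresses")
    gui = prefix_to_netmask(24)
    print("GUI 24 ->", gui, "-> CLI wildcard", netmask_to_wildcard(gui))
```

Running it shows that with the field `255.255.255.0` the netmask reading permits 172.16.3.10 and the wildcard reading does not, whereas `0.0.0.255` flips both answers; `is_contiguous_netmask` is a quick check to run on whatever value actually lands in the running config. The 0.0.0.7 wildcard spans 2^3 = 8 addresses, the .0-.7 block whose usable hosts the post counts.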

 

 

10 Replies

Martin Aleksandrov
Cisco Employee

Hello Erwan,

 

 

Can you please share a screenshot of your Access Profile Name page you have already configured? The switch should not accept entering the wildcard mask that applies to the Source IP address and normally displays an error "Value is an illegal network mask/IP address" when you try to put 0.0.0.255 for example. How do you try to configure that Access Management - through the CLI or GUI?

 

Regards,

Martin

Hi.

The case is already open and acknowledged by SMB TAC.

For example, if you want to allow 172.16.3.0/24 to connect, one should enter:

 

All is correctly displayed (255.255.255.0 = /24 = prefix length in the Access Profiles table).

But it doesn't work. As soon as you apply it, you lose connectivity to the switch from any IP (even from 172.16.3.0/24 range)

 

If you want to make it work, you have to enter the mask as a wildcard ACL mask.

And bingo: you retain access from 172.16.3.0/24 as intended while access is denied from outside 172.16.3.0/24.

[Attached screenshots: BAD_MGMT_SF220_Annotation 2020-10-14 085633.png, GOOD_MGMT_Annotation 2020-10-14 085908.png]

Hello Erwan,

 

Thank you for your prompt reply.

 

You have definitely hit what is perhaps a new bug with the latest 220 firmware release. I did the same scenario with the latest 2.5.5.47 on SG250 and all works fine. Did you try to downgrade the firmware release to the prior 1.1.4.8 and test the access rules?

 

FYI we haven't filed such a bug with the switches so far. Hopefully, this will be resolved soon.

 

Regards,

Martin

Hi. The bug was also present on the old stock-installed firmware. I did not note which version was installed out of the box, but it exhibited the same defect.

I had a contact with Victor Masivi / Alex Kafedzhiyski -X yesterday and today.

Also, note that the SG250 and the SF220 are not using the same Firmware family. 

 

 

Hi Erwan,
Yes, that is something I am aware of. Please post your feedback once you have an update from Victor.

Regards,
Martin

MP-Acumera
Level 1

This seems to be an open issue with SF220-24 with Firmware 1.2.1.2.  Any ideas on how to fix via the web interface? Or provide a quick CLI tutorial?

Hi.
AFAIK the bug is closed, so there's no need to use a trick anymore: you use the GUI as intended (255.255.255.0 or /24 in your case) and it should work.

Probably should be reopened based on my experience.

 

SF220-24 with Firmware 1.2.1.2

 

I cannot add an IP address and subnet combo with anything you provided. Is there a format I am not following?

Hi.

My bad, I did not have a look at your screenshot.

My bug was about "Access Profile".

You are trying to add an ACL, not an access profile.

But you're not alone: I also have the same errors if I use the latest FW version 1.2.1.2.

You should open a new bug report with @tac, as it's a new bug, not present in the previous release (tested with 1.2.0.4).

 

[Attached screenshots: 2021-11-09 093056-1.2.0.4-works.png, 2021-11-09 093056-1.2.1.2-BAD.png]

Workaround: you can also use the CLI to add your ACLs.

ip access-list extended "MyACL"

 sequence 1 permit ip 192.168.4.0/255.255.255.0 192.168.5.0/255.255.255.0

 

 

MP-Acumera
Level 1

Ok. I'll open a new bug. It seemed to me this was the same issue underlying the GUI code. Thank you for the CLI example. I had that figured out using some other tools. But I have some non-Cisco-phytes who struggle with CLI-level stuff but love to use GUIs ¯\_(ツ)_/¯. Thanks again.