SF220 : Management Profile BUG: Network Mask Format Mismatch

Erwan LE BIHAN · ‎10-12-2020

Hi all.

I will open a case in TAC, but i found out a bug in latest SF 220 Firmware 1.2.0.3.

Let's say you want to restrict access to the switch using Management Access Profiles & Rules.

I'm allowed to write a new rule, let's name it #1, Allow All management method, All interfaces, and filter on IpV4:

IP Address : 172.16.3.0

MASK 255.255.255.0 or 24. (As the range is 0-32).

All is correctly displayed on the web interface (if you enter 24 => 255.255.255.0) and Prefix Length is 24 on the Access Profiles Tables.

This translate to something like :

management access-list MGMT_LAN

sequence 1 permit ip 172.16.3.0/255.255.255.0 interfaces all service all

management access-class MGMT_LAN

And it doesn't work all. the switch is unreachable.

BUT

if you write something silly (or not so, knowing Cisco...)

MASK: 0.0.0.255

Which is not correctly displayed in access profiles table

and is translated to :

sequence 1 permit ip 172.16.3.0/0.0.0.255 interfaces all service all

It works: only PCs in 172.16.3.0/24 are allowed to connect.

(tested also with 0.0.0.7 and yes, it restricts to the 6 IPs in this subnet.)

=> So there's a glitch : Web Interface is expecting a standard CIDR netmask while internal config is expecting a regular Cisco ACL netmask.

Martin Aleksandrov · ‎10-13-2020

Hello Erwan,

Can you please share a screenshot of your Access Profile Name page you have already configured? The switch should not accept entering the wildcard mask that applies to the Source IP address and normally displays an error "Value is an illegal network mask/IP address" when you try to put 0.0.0.255 for example. How do you try to configure that Access Management - through the CLI or GUI?

Regards,

Martin

Erwan LE BIHAN · ‎10-14-2020

Hi.

The case is already opened & acknowledged by SMB TAC.

For example, if you want to configure to allow 172.16.3.0/24 to connect, one should enter;

All is correctly displayed (255.255.255.0 eq /24 eq Prefix length in Access Profiles Tables.

But it doesn't work. As soon as you apply it, you lose connectivity to the switch from any IP (even from 172.16.3.0/24 range)

If you want to make it works, you have to enter mask as a wildcard ACL mask.

And bingo: you retain access from 172.16.3.0/24 as intented while access is denied from outside 172.16.3.0/24.

Martin Aleksandrov · ‎10-14-2020

Hello Erwan,

Thank you for your prompt reply.

You definitely hit perhaps a new bug with the latest 220 firmware release. I did the same scenario with the latest 2.5.5.47 on SG250 and all works fine. Did you try to downgrade the firmware release to the prior 1.1.4.8 and test the access rules?

FYI we haven't filed such a bug with the switches so far. Hopefully, this will be resolved soon.

Regards,

Martin

Erwan LE BIHAN · ‎10-14-2020

Hi. The bug was also present on the old stock installed FW. I did not mark down which version was installed out of the box but it exhibited the same defect.

I had a contact with Victor Masivi / Alex Kafedzhiyski -X yesterday and today.

Also, note that the SG250 and the SF220 are not using the same Firmware family.

Martin Aleksandrov · ‎10-14-2020

Hi Erwan,
Yes, that is smth I am aware of. Please post your feedback once you have an update from Victor.

Regards,
Martin

MP-Acumera · ‎11-01-2021

This seems to be an open issue with SF220-24 with Firmware 1.2.1.2. Any ideas on how to fix via the web interface? Or provide a quick CLI tutorial?

Erwan LE BIHAN · ‎11-08-2021

Hi.
AFAIK bug is closed, so there's no need anymore to use a trick: you use the GUI as intended (255.255.255.0 or /24 in your case) and it should works.

MP-Acumera · ‎11-08-2021

Probably should be reopened based on my experience.

SF220-24 with Firmware 1.2.1.2

I cannot added IP address and subnet combo with anything you provided. Is there a format I am not following?

Erwan LE BIHAN · ‎11-09-2021

Hi.

My bad, I did not had a look at your screenshot.

My bug was about "Access Profile".

You are trying to add an ACL, not an access profile.

But you're not alone: I alse have the same errors if use the latest FW version 1.2.1.2

You should open a new Bug Report at @tac , as it's a new bug, not present in previous release (tested with 1.2.0.4).

Workaround: you can also use cli to add your ACLs.

ip access-list extended "MyACL"

sequence 1 permit ip 192.168.4.0/255.255.255.0 192.168.5.0/255.255.255.0

MP-Acumera · ‎11-09-2021

Ok. I'll open a new bug. It seemed to me this was the same issue underlying the gui code. Thank you for the cli example. I had that figured out using some other tools. But, I have some non-Cisco-phytes who struggle with cli level stuff but love to use guis ¯\_(ツ)_/¯. Thanks again.