Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
818
Views
5
Helpful
19
Replies

Catalyst 2960S ACL issue

lorenzobexer
Beginner
Beginner

‎05-06-2013 03:56 AM - edited ‎03-07-2019 01:12 PM

Hi,

i have some problems using ACL and copying a backup from the switch to an scp server.

Firmware version is 15.0(2)SE2, but i have seen the same behaviour on 12.0

This is the configuration of access lists/vty

Standard IP access list ACL_VTY_IN

    5 permit 192.168.0.123 (4 matches)

    40 deny   any log

Standard IP access list ACL_VTY_OUT

    10 permit 192.168.0.123

    20 deny   any log

line vty 0 4

access-class ACL_VTY_IN in

access-class ACL_VTY_OUT out

exec-timeout 15 0

logging synchronous

login authentication xxxxxxxx

length 0

transport input ssh

transport output ssh

Now, when logging into the switch with ssh and trying to backup the configuration (copy running-config scp://user:pw@192.168.0.123/somefile), it seems that the INBOUND ACL is used, as its match counter is increasing.

How can this behaviour be explained? I assumed, the OUT ACL would be used for outgoing connections?

Regards,

Johannes

Labels:
0 Helpful
19 Replies 19

lorenzobexer
Beginner
Beginner

‎05-06-2013 04:01 AM

Looks like i have posted into the wrong forum, this should go to LAN, Switching and Routing.

0 Helpful

lorenzobexer
Beginner
Beginner
In response to lorenzobexer

‎05-07-2013 05:28 AM

*push*

0 Helpful

Bilal Nawaz
Engager
Engager
In response to lorenzobexer

‎05-07-2013 05:47 AM

Hello Lorenz, you do not need the outbound direction ACL, not sure why there would be a need to apply an outbound ACL here?

The inbound ACL is perfectly fine.

This says that host 192.168.0.123 is permitted to use vty lines and ssh to the switch. Nothing else will be allowed.

Can you confirm that this is what you wanted to achieve?

If so you can take out the config that is not required.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful

acampbell
Advocate
Advocate
In response to Bilal Nawaz

‎05-07-2013 06:23 AM

Lorenz,

Look at the access lists

192.168.0.123 is the SOURCE ADDRESS

Therefore only the inbound will match the source of 192.168.0.123

as this does not reside on the switch.

Regards,
Alex.
Please rate useful posts.

Regards, Alex. Please rate useful posts.
0 Helpful

Richard Burts
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to Bilal Nawaz

‎05-07-2013 07:21 AM

We most often think of access-class applied inbound because we most often think about controlling traffic coming into the device. But it is absolutely ok and sometimes appropriate to apply access-class outbound. The reason to do this is to control someone hopping through the network. Someone might access this device and from this device access some other device (where their original source address might not be permitted on the second device).

Johannes

I am not clear about one aspect of your post. You say that the inbound ACL match counter is increasing. But I am not clear whether it increases by 1 (logical since you did an SSH to the switch) or whether you are saying that it continues to increase as the copy is done. Perhaps you can clarify.

Also Alex makes a very good point that if the inbound ACL is working then 192.168.0.123 is outside the switch somewhere. And that means that the outbound ACL would never match since 192.168.0.123 would never be the source address of a session outbound from the switch.

Also note that when we talk about access-class out controlling outbound connections we are talking about connections like telnet or ssh and not about connections like scp or ftp. So your current access-class out would prevent any attempt to initiate a telnet or ssh from this switch to anything. I am not sure that this was really the intent. So I suggest that either you remove the access-class out or that you configure the ACL to match addresses on the switch.

HTH

Rick

HTH

Rick
0 Helpful

Richard Burts
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to Richard Burts

‎05-08-2013 08:28 AM

Having thought about this a bit more I want to give a correction to this part of the thread. Alex was mistaken in his response about the source address when access-class is applied outbound and I was mistaken in agreeing with him.

access-class uses a standard access list. And we traditionally think about standard access list as using the source address. However when access-class is applied outbound then the address in the standard access list is actually the destination address. I have tested it and it really does work that way.

So Johannes configuration of access-class out using ACL_VTY_OUT is correct and should work.

HTH

Rick

HTH

Rick
0 Helpful

lorenzobexer
Beginner
Beginner

‎05-08-2013 04:59 AM

Thanks for your answers, but i think you misunderstood what i'm trying to do.

I am connecting to the switch via SSH from my workstation.

Then on the switch, i issue the command "copy running-config scp://user:pw@192.168.0.123/somefile"

This means, the switch connects TO the server 192.168.0.123.

Source: Switch IP Address

Destination: 192.168.0.123

To my understanding, this would be considered an outgoing connection, but the connection is clearly logged in the incoming access list. (4 matches)

0 Helpful

Richard Burts
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to lorenzobexer

‎05-08-2013 06:10 AM

Your understanding is not correct. access-class out and its associate ACL are for outbound connections that use the vty. While you are correct that scp establishes an outbound connection that connection does not use the vty and therefore will not show up in either of the ACLs. If the inbound ACL is incrementing it is because something is initiating inbound connection to the vty. If the incoming ACL is showing 4 matches, how many times have you done SSH to the switch?

HTH

Rick

HTH

Rick

mfurnival
Enthusiast
Enthusiast

‎05-08-2013 05:59 AM

Lorenz,

I am assuming that you are sat on the server 192.168.0.123 when you initiate the SSH session - you must be otherwise it would not work. As Richard says above the "access-class" command is specifically related to controlling telnet / SSH access to VTY lines on a router. What you are talking about is controlling traffic originating from the router and exiting via an interface where 192.168.0.123 resides. You should be applying your ACL on this interface using the "access-group" command, not the VTY lines.

0 Helpful

mfurnival
Enthusiast
Enthusiast
In response to mfurnival

‎05-08-2013 06:11 AM

Actually I retract my last post - an ACL will not control traffic originating FROM a device, only traffic transiting a device OR traffic hitting the router control plane.

0 Helpful

acampbell
Advocate
Advocate
In response to mfurnival

‎05-08-2013 06:47 AM

Hi,

Totally agree with Rick. (+5)

Inbound vty match for SSH session.

Outbound you using the switches Ip capability to reach the SCP server
not a vty session therefore no outbound access list matches.

Regards,
Alex.
Please rate useful posts.

Regards, Alex. Please rate useful posts.
0 Helpful

Richard Burts
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to acampbell