05-06-2013 03:56 AM - edited 03-07-2019 01:12 PM
I have some problems using ACLs and copying a backup from the switch to an SCP server.
Firmware version is 15.0(2)SE2, but I have seen the same behaviour on 12.0.
This is the configuration of the access lists/VTY:
Standard IP access list ACL_VTY_IN
5 permit 192.168.0.123 (4 matches)
40 deny any log
Standard IP access list ACL_VTY_OUT
10 permit 192.168.0.123
20 deny any log
line vty 0 4
access-class ACL_VTY_IN in
access-class ACL_VTY_OUT out
exec-timeout 15 0
login authentication xxxxxxxx
transport input ssh
transport output ssh
Now, when logging into the switch with SSH and trying to back up the configuration (copy running-config scp://user:email@example.com/somefile), it seems that the INBOUND ACL is used, as its match counter is increasing.
How can this behaviour be explained? I assumed the OUT ACL would be used for outgoing connections?
05-06-2013 04:01 AM
Looks like I have posted in the wrong forum; this should go to LAN, Switching and Routing.
05-07-2013 05:28 AM
05-07-2013 05:47 AM
Hello Lorenz, you do not need the outbound-direction ACL; I am not sure why there would be a need to apply an outbound ACL here.
The inbound ACL is perfectly fine.
This says that host 192.168.0.123 is permitted to use vty lines and ssh to the switch. Nothing else will be allowed.
Can you confirm that this is what you wanted to achieve?
If so you can take out the config that is not required.
Hope this helps
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
05-07-2013 06:23 AM
Look at the access lists
192.168.0.123 is the SOURCE ADDRESS.
Therefore only the inbound will match the source of 192.168.0.123, as this does not reside on the switch.
Please rate useful posts.
05-07-2013 07:21 AM
We most often think of access-class applied inbound because we most often think about controlling traffic coming into the device. But it is absolutely ok and sometimes appropriate to apply access-class outbound. The reason to do this is to control someone hopping through the network. Someone might access this device and from this device access some other device (where their original source address might not be permitted on the second device).
I am not clear about one aspect of your post. You say that the inbound ACL match counter is increasing. But I am not clear whether it increases by 1 (logical since you did an SSH to the switch) or whether you are saying that it continues to increase as the copy is done. Perhaps you can clarify.
Also Alex makes a very good point that if the inbound ACL is working then 192.168.0.123 is outside the switch somewhere. And that means that the outbound ACL would never match since 192.168.0.123 would never be the source address of a session outbound from the switch.
Also note that when we talk about access-class out controlling outbound connections we are talking about connections like telnet or ssh and not about connections like scp or ftp. So your current access-class out would prevent any attempt to initiate a telnet or ssh from this switch to anything. I am not sure that this was really the intent. So I suggest that either you remove the access-class out or that you configure the ACL to match addresses on the switch.
05-08-2013 08:28 AM
Having thought about this a bit more I want to give a correction to this part of the thread. Alex was mistaken in his response about the source address when access-class is applied outbound and I was mistaken in agreeing with him.
access-class uses a standard access list. And we traditionally think about standard access list as using the source address. However when access-class is applied outbound then the address in the standard access list is actually the destination address. I have tested it and it really does work that way.
So Johannes' configuration of access-class out using ACL_VTY_OUT is correct and should work.
05-08-2013 04:59 AM
Thanks for your answers, but I think you misunderstood what I'm trying to do.
I am connecting to the switch via SSH from my workstation.
Then on the switch, I issue the command "copy running-config scp://user:firstname.lastname@example.org/somefile"
This means, the switch connects TO the server 192.168.0.123.
Source: Switch IP Address
To my understanding, this would be considered an outgoing connection, but the connection is clearly logged in the incoming access list. (4 matches)
05-08-2013 06:10 AM
Your understanding is not correct. access-class out and its associated ACL are for outbound connections that use the vty. While you are correct that scp establishes an outbound connection, that connection does not use the vty and therefore will not show up in either of the ACLs. If the inbound ACL is incrementing, it is because something is initiating an inbound connection to the vty. If the incoming ACL is showing 4 matches, how many times have you done SSH to the switch?
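The two points Rick makes in this thread (access-class in tests the source of an arriving SSH session, access-class out tests the destination of an ssh/telnet started from the exec, and a copy ... scp:// from the exec never touches a VTY line) can be replayed against the poster's two ACLs with a small model. This is an added illustration, not code from the thread, from Cisco IOS, or from the poster's switch. It implements the standard-ACL rules of IOS as I know them (sequence-ordered first match, wildcard mask where a set bit means "don't care", implicit deny at the end); the 10.0.0.5 test host is a made-up address.

```python
"""Model of Cisco IOS standard ACLs applied with `access-class` on VTY lines.
Added example: not the thread's, Cisco's, or the poster's code."""
import ipaddress
from dataclasses import dataclass
from typing import List


def _ipv4(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _looks_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


@dataclass
class AclEntry:
    seq: int
    action: str      # "permit" or "deny"
    network: int     # address to compare against
    wildcard: int    # IOS wildcard mask: a set bit means "don't care"
    log: bool = False
    matches: int = 0

    def hits(self, addr: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (_ipv4(addr) & care) == (self.network & care)


def parse_standard_acl(text: str) -> List[AclEntry]:
    """Parse numbered standard-ACL lines in `show access-lists` form
    ('5 permit 192.168.0.123 (4 matches)', '10 permit 10.0.0.0, wildcard bits 0.0.0.255')
    or running-config form ('10 permit 10.0.0.0 0.0.0.255', '40 deny any log').
    Counters present in the input are discarded; the model keeps its own."""
    entries = []
    for raw in text.strip().splitlines():
        words = raw.split("(")[0].replace(",", " ").split()
        if len(words) < 3 or not words[0].isdigit():
            continue  # header such as 'Standard IP access list ACL_VTY_IN'
        seq, action, target, rest = int(words[0]), words[1], words[2], words[3:]
        if target == "any":
            net, wc = 0, 0xFFFFFFFF
        elif target == "host":
            net, wc, rest = _ipv4(rest[0]), 0, rest[1:]
        else:
            net, wc = _ipv4(target), 0
            if rest[:2] == ["wildcard", "bits"]:
                wc, rest = _ipv4(rest[2]), rest[3:]
            elif rest and _looks_ipv4(rest[0]):
                wc, rest = _ipv4(rest[0]), rest[1:]
        entries.append(AclEntry(seq, action, net, wc, log="log" in rest))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(acl: List[AclEntry], addr: str) -> str:
    """First match wins and bumps that entry's counter; implicit deny at the end."""
    for e in acl:
        if e.hits(addr):
            e.matches += 1
            return e.action
    return "deny"


@dataclass
class VtyLine:
    acl_in: List[AclEntry]
    acl_out: List[AclEntry]

    def ssh_in(self, src: str) -> bool:
        """SSH arriving at the switch: access-class in, tested against the SOURCE."""
        return evaluate(self.acl_in, src) == "permit"

    def ssh_out(self, dst: str) -> bool:
        """ssh/telnet started from the exec on a VTY: access-class out,
        tested against the DESTINATION (Rick's correction above)."""
        return evaluate(self.acl_out, dst) == "permit"

    def copy_scp(self, dst: str) -> bool:
        """copy running-config scp://... from the exec: the switch's own IP stack
        opens the connection, no VTY is involved, neither ACL is consulted."""
        return True


# The poster's two ACLs, as shown by `show access-lists` in the thread.
ACL_VTY_IN = """
Standard IP access list ACL_VTY_IN
    5 permit 192.168.0.123 (4 matches)
    40 deny   any log
"""
ACL_VTY_OUT = """
Standard IP access list ACL_VTY_OUT
    10 permit 192.168.0.123
    20 deny   any log
"""


def thread_scenario() -> dict:
    """Replay the thread: SSH in from 192.168.0.123, copy to it over SCP, then a
    few extra sessions (10.0.0.5 is a made-up host). Returns outcomes and counters."""
    vty = VtyLine(parse_standard_acl(ACL_VTY_IN), parse_standard_acl(ACL_VTY_OUT))
    result = {
        "ssh_in_from_admin": vty.ssh_in("192.168.0.123"),   # hits seq 5
        "copy_scp_to_admin": vty.copy_scp("192.168.0.123"), # touches no ACL
        "ssh_in_from_other": vty.ssh_in("10.0.0.5"),        # hits seq 40 (deny log)
        "ssh_out_to_admin": vty.ssh_out("192.168.0.123"),   # hits seq 10, destination
        "ssh_out_to_other": vty.ssh_out("10.0.0.5"),        # hits seq 20 (deny log)
    }
    result["in_counters"] = {e.seq: e.matches for e in vty.acl_in}
    result["out_counters"] = {e.seq: e.matches for e in vty.acl_out}
    return result


if __name__ == "__main__":
    for key, value in thread_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the counter pattern the poster saw: the inbound ACL's permit entry counts once per SSH login, the SCP copy leaves both ACLs untouched, and the outbound ACL only ever counts when someone hops onward from the switch's exec prompt. If the inbound counter keeps climbing during a copy, look for another inbound SSH source (a monitoring poller, a second admin) rather than at the copy.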
05-08-2013 05:59 AM
I am assuming that you are sitting on the server 192.168.0.123 when you initiate the SSH session; you must be, otherwise it would not work. As Richard says above, the "access-class" command is specifically related to controlling telnet/SSH access to VTY lines on a router. What you are talking about is controlling traffic originating from the router and exiting via an interface where 192.168.0.123 resides. You should be applying your ACL on this interface using the "access-group" command, not the VTY lines.
05-08-2013 06:11 AM
Actually I retract my last post - an ACL will not control traffic originating FROM a device, only traffic transiting a device OR traffic hitting the router control plane.
05-08-2013 06:47 AM
Totally agree with Rick. (+5)
Inbound VTY match for the SSH session.
Outbound, you are using the switch's IP capability to reach the SCP server, not a VTY session, therefore no outbound access list matches.
Please rate useful posts.