cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1828
Views
5
Helpful
19
Replies

Catalyst 2960S ACL issue

lorenzobexer
Level 1
Level 1

Hi,

i have some problems using ACL and copying a backup from the switch to an scp server.

Firmware version is 15.0(2)SE2, but i have seen the same behaviour on 12.0

This is the configuration of access lists/vty

Standard IP access list ACL_VTY_IN

    5 permit 192.168.0.123 (4 matches)

    40 deny   any log

Standard IP access list ACL_VTY_OUT

    10 permit 192.168.0.123

    20 deny   any log

line vty 0 4

access-class ACL_VTY_IN in

access-class ACL_VTY_OUT out

exec-timeout 15 0

logging synchronous

login authentication xxxxxxxx

length 0

transport input ssh

transport output ssh

Now, when logging into the switch with ssh and trying to backup the configuration (copy running-config scp://user:pw@192.168.0.123/somefile), it seems that the INBOUND ACL is used, as its match counter is increasing.

How can this behaviour be explained? I assumed, the OUT ACL would be used for outgoing connections?

Regards,

Johannes

19 Replies 19

lorenzobexer
Level 1
Level 1

Looks like i have posted into the wrong forum, this should go to LAN, Switching and Routing.

*push*

Hello Lorenz, you do not need the outbound direction ACL, not sure why there would be a need to apply an outbound ACL here?

The inbound ACL is perfectly fine.

This says that host 192.168.0.123 is permitted to use vty lines and ssh to the switch. Nothing else will be allowed.

Can you confirm that this is what you wanted to achieve?

If so you can take out the config that is not required.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Lorenz,

Look at the access lists

192.168.0.123 is the SOURCE ADDRESS

Therefore only the inbound will match the source of 192.168.0.123

as this does not reside on the switch.

Regards,
Alex.
Please rate useful posts.

Regards, Alex. Please rate useful posts.

We most often think of access-class applied inbound because we most often think about controlling traffic coming into the device. But it is absolutely ok and sometimes appropriate to apply access-class outbound. The reason to do this is to control someone hopping through the network. Someone might access this device and from this device access some other device (where their original source address might not be permitted on the second device).

Johannes

I am not clear about one aspect of your post. You say that the inbound ACL match counter is increasing. But I am not clear whether it increases by 1 (logical since you did an SSH to the switch) or whether you are saying that it continues to increase as the copy is done. Perhaps you can clarify.

Also Alex makes a very good point that if the inbound ACL is working then 192.168.0.123 is outside the switch somewhere. And that means that the outbound ACL would never match since 192.168.0.123 would never be the source address of a session outbound from the switch.

Also note that when we talk about access-class out controlling outbound connections we are talking about connections like telnet or ssh and not about connections like scp or ftp. So your current access-class out would prevent any attempt to initiate a telnet or ssh from this switch to anything. I am not sure that this was really the intent. So I suggest that either you remove the access-class out or that you configure the ACL to match addresses on the switch.

HTH

Rick

HTH

Rick

Having thought about this a bit more I want to give a correction to this part of the thread. Alex was mistaken in his response about the source address when access-class is applied outbound and I was mistaken in agreeing with him.

access-class uses a standard access list. And we traditionally think about standard access list as using the source address. However when access-class is applied outbound then the address in the standard access list is actually the destination address. I have tested it and it really does work that way.

So Johannes configuration of access-class out using ACL_VTY_OUT is correct and should work.

HTH

Rick

HTH

Rick

lorenzobexer
Level 1
Level 1

Thanks for your answers, but i think you misunderstood what i'm trying to do.

I am connecting to the switch via SSH from my workstation.

Then on the switch, i issue the command "copy running-config scp://user:pw@192.168.0.123/somefile"

This means, the switch connects TO the server 192.168.0.123.

Source: Switch IP Address

Destination: 192.168.0.123

To my understanding, this would be considered an outgoing connection, but the connection is clearly logged in the incoming access list. (4 matches)

Your understanding is not correct. access-class out and its associate ACL are for outbound connections that use the vty. While you are correct that scp establishes an outbound connection that connection does not use the vty and therefore will not show up in either of the ACLs. If the inbound ACL is incrementing it is because something is initiating inbound connection to the vty. If the incoming ACL is showing 4 matches, how many times have you done SSH to the switch?

HTH

Rick

HTH

Rick

mfurnival
Level 4
Level 4

Lorenz,

I am assuming that you are sat on the server 192.168.0.123 when you initiate the SSH session - you must be otherwise it would not work. As Richard says above the "access-class" command is specifically related to controlling telnet / SSH access to VTY lines on a router. What you are talking about is controlling traffic originating from the router and exiting via an interface where 192.168.0.123 resides. You should be applying your ACL on this interface using the "access-group" command, not the VTY lines.

Actually I retract my last post - an ACL will not control traffic originating FROM a device, only traffic transiting a device OR traffic hitting the router control plane.

Hi,

Totally agree with Rick. (+5)

Inbound vty match for SSH session.

Outbound you using the switches Ip capability to reach the SCP server
not a vty session therefore no outbound access list matches.

Regards,
Alex.
Please rate useful posts.

Regards, Alex. Please rate useful posts.

I began thinking about this by thinking that scp is doing a file transfer and would operate much like ftp or tftp do. And I believe that we all would agree that neither ftp or tftp need to be considered when configuring access-class. And I still believe that it is the right way to think about scp and access-class. But as I find out more about scp the issue becomes more complex and subtle.

It has been a while since I really looked at scp so I looked for a good explanation and found this which some of us might want to read if we want to understand scp better.

https://blogs.oracle.com/janp/entry/how_the_scp_protocol_works

One of the things that is clearly explained is that when you initiate scp that your device will open an SSH connection to the other device and that the data transfer is over this SSH session. So now the logic is not quite so clear. Johannes switch is opening an SSH session to the server. So does that SSH need to be permited by access-class or not? I believe that there is a test that Johannes can do that might help to clarify what is going on. The test would be to access the switch (perhaps by SSH to the switch or perhaps by some other connection to the switch) and then to initiate an SSH connection to the server. Assuming that the server will accept the SSH sessoin I believe that Johannes will see the match counter of the outbound access list increment. Then do the scp again and the match counter does not increment.

What is going on is that the native SSH initiated from the command line does involve the vty and therefore the access-class out does control it. But the scp while it initiates SSH does not involve the vty and therefore access-class is not a factore. (another way of thinking about the question may be to ask when does an SSH session from the switch not involve the vty ports and in this way I think I understand the issue more clearly)

HTH

Rick

HTH

Rick

Your comment that an ACL does not control traffic originating from the router is accurate when talking about ACL used with ip access-group on an interface. It is not correct when talking about ACL used with access-class out. When used with access-class out an ACL does control traffic originated by the router itself. I have tested this and know that this is how it works.

HTH

Rick

HTH

Rick