05-06-2013 03:56 AM - edited 03-07-2019 01:12 PM
Hi,
I have some problems using an ACL and copying a backup from the switch to an SCP server.
The firmware version is 15.0(2)SE2, but I have seen the same behaviour on 12.0.
This is the configuration of the access lists/vty:
Standard IP access list ACL_VTY_IN
5 permit 192.168.0.123 (4 matches)
40 deny any log
Standard IP access list ACL_VTY_OUT
10 permit 192.168.0.123
20 deny any log
line vty 0 4
access-class ACL_VTY_IN in
access-class ACL_VTY_OUT out
exec-timeout 15 0
logging synchronous
login authentication xxxxxxxx
length 0
transport input ssh
transport output ssh
Now, when logging into the switch with SSH and trying to back up the configuration (copy running-config scp://user:pw@192.168.0.123/somefile), it seems that the INBOUND ACL is used, as its match counter is increasing.
How can this behaviour be explained? I assumed the OUT ACL would be used for outgoing connections?
Regards,
Johannes
05-09-2013 09:07 AM
I think it gets complex and subtle. It seems that we have quite different behaviours inbound and outbound. It becomes pretty clear that the access-class in ACL does need to permit the traffic, since Johannes tells us that SCP does not work if he removes that line from the ACL. And it does seem logical that, if the router sees incoming traffic on TCP port 22, it would evaluate that traffic with the access-class ACL.
The behaviour outbound is different. Johannes tells us that SCP works but that the line in the outbound ACL does not increment. That indicates that the router is not using the ACL to evaluate that traffic. Then the question becomes whether it is not incrementing because the router does not check traffic that originates from the router, or whether it is not incrementing because the router recognizes that it is not traffic originating from the vty and therefore does not need to be checked.
It would not be difficult to set up a test of this. Perhaps Johannes can do this, or perhaps you can. Use a router or switch. SSH to some other host (just to demonstrate that SSH does work). Then configure a standard ACL that does not have a permit for that host. Then configure under the vty access-class
HTH
Rick
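The test Rick outlines, written out as an added IOS configuration example; it is not from either post. The SSH/SCP target address 192.168.0.200, the ACL name ACL_VTY_OUT_TEST and the use of vty 0 4 are assumptions. The idea is to apply an outbound access-class that deliberately has no permit for the target host, clear the counters, originate an SSH session and an SCP copy from the switch's own exec, and then compare which ACL's counters moved.

```cisco
! Added example (not from the thread): test setup for the outbound access-class.
! Assumed addresses: 192.168.0.123 = management host already permitted inbound,
!                    192.168.0.200 = SSH/SCP server the switch itself will connect to.
!
! 1. Standard ACL with no permit for the test host (192.168.0.200).
ip access-list standard ACL_VTY_OUT_TEST
 permit 192.168.0.123
 deny   any log
!
! 2. Apply it outbound on the vty lines, leaving the inbound ACL unchanged.
line vty 0 4
 access-class ACL_VTY_OUT_TEST out
 transport output ssh
!
! 3. From an exec session on the switch, reset the counters, then originate
!    first a plain SSH session and then the SCP copy:
!
!      clear ip access-list counters ACL_VTY_OUT_TEST
!      clear ip access-list counters ACL_VTY_IN
!      ssh -l user 192.168.0.200
!      show ip access-lists ACL_VTY_OUT_TEST
!      copy running-config scp://user@192.168.0.200/backup.cfg
!      show ip access-lists ACL_VTY_OUT_TEST
!      show ip access-lists ACL_VTY_IN
!
! What to look for: if the ssh is refused and the "deny any log" entry of
! ACL_VTY_OUT_TEST increments, the outbound access-class is evaluated for
! vty-originated SSH. Whether the copy to the same host is refused and hits
! the same entry, or goes through while only ACL_VTY_IN counts, is exactly
! what the test is meant to show; the thread does not settle it.
```

Run the two `show` commands immediately after each step rather than at the end, so the counter movement can be attributed to the SSH session or to the copy individually.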