04-27-2014 08:05 PM - edited 03-07-2019 07:14 PM
hey guys, been doing this stuff a long time and had the same basic configuration for quite a while. just recently noticed something doesn't appear quite right with VTY and SNMP access-class, designed to prevent non-admin IPs from attempting switch login or SNMP access. I present the VTY example below, but I have seen the same behavior on the SNMP RO portion of the configuration. I believe I have seen this on larger 2960S and 3750X switches as well:
On my lab WS-C2960-8TC-S, 15.0(2)SE5 Switch:
SWITCH CONFIG:
access-list 99 permit 192.168.255.64 0.0.0.63 log (should allow .64-.127, deny anything else in 192.168.255.0)
access-list 99 deny any log
!
ip http access-class 99 ! notice using ACL 99
ip http authentication local
ip http secure-server
!
line vty 5 15
access-class 99 in ! notice using ACL 99
exec-timeout 60 0
transport preferred none
transport input telnet ssh
transport output telnet ssh
!
WINDOWS 7 CONFIG - vty SSH client:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.255.192 ! noticed this is outside the IP range of the above ACL 99
Subnet Mask . . . . . . . . . . . : 255.255.255.0
When accessing embedded switch web server from windows PC:
000202: Apr 27 19:48:00.952 PST: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.255.192 168 packets
NOTE: see it's _denied_! As expected.
When accessing the switch vty via SSH, no log entries are seen and I get into the switch!
Any ideas? thx in advance!
Will
04-28-2014 06:55 AM
What is set up on line vty 0 4? That is where your first 4 sessions will go. Is ACL 99 on vty 0 4????
04-28-2014 07:22 PM
thx glen, i needed the second set of eyes! :) i missed that. i thought it was "vty 0 4" or "vty 0 15" and didn't even see that vty 0 4 were missing. anyway, i put that in and it works as expected, as I was coming in on vty 0 or 1. interestingly, i thought you couldn't delete those vty lines, and after putting them in, i tried the delete, but it failed:
BOO-S-1(config)#no line vty 5 15
% Can't delete last 16 VTY lines
!
BOO-S-1(config)#no line vty 0 4
% Can't delete last 16 VTY lines
not sure how they got deleted to begin with!
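Glen's point is that access-class only protects the VTY lines it is configured under, so a missing "line vty 0 4" block leaves the lowest-numbered lines, the ones a new SSH session is handed first, reachable from any source address. The Python below is an added example, not code from this thread or from Cisco; it parses a constructed config modelled on the one posted above and lists the VTYs that inherit no inbound access-class, plus any access-class that references an ACL the config never defines.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the running-config in the original post:
# only "line vty 5 15" carries access-class 99; "line vty 0 4" is absent.
SAMPLE_CONFIG = """\
access-list 99 permit 192.168.255.64 0.0.0.63 log
access-list 99 deny any log
!
line vty 5 15
 access-class 99 in
 exec-timeout 60 0
 transport input telnet ssh
!
"""

VTY_HEADER = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACCESS_CLASS = re.compile(r"^\s+access-class (\S+) in\b")
ACL_DEF = re.compile(r"^(?:access-list (\d+)|ip access-list (?:standard|extended) (\S+))\b")


def vty_access_class_map(config: str, max_vty: int = 15) -> Dict[int, Optional[str]]:
    """Map each VTY 0..max_vty to the inbound access-class it inherits, or None.

    A "line vty X Y" block applies only to VTYs X..Y; a VTY covered by no block
    with "access-class <acl> in" accepts sessions from any source address.
    """
    coverage: Dict[int, Optional[str]] = {n: None for n in range(max_vty + 1)}
    current: List[int] = []
    for raw in config.splitlines():
        m = VTY_HEADER.match(raw)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            current = list(range(lo, hi + 1))
            continue
        if raw and not raw[0].isspace():
            current = []  # any non-indented line ("!", another section) ends the block
            continue
        m = ACCESS_CLASS.match(raw)
        if m:
            for n in current:
                coverage[n] = m.group(1)
    return coverage


def unprotected_vtys(config: str, max_vty: int = 15) -> List[int]:
    """VTYs with no inbound access-class; new sessions land on the lowest free VTY."""
    return [n for n, acl in vty_access_class_map(config, max_vty).items() if acl is None]


def dangling_access_classes(config: str) -> Set[str]:
    """Access-class references with no matching ACL definition in the config."""
    defined = {m.group(1) or m.group(2) for m in map(ACL_DEF.match, config.splitlines()) if m}
    referenced = {acl for acl in vty_access_class_map(config).values() if acl}
    return referenced - defined
```

Running unprotected_vtys on the sample reports VTYs 0 through 4, which is exactly where the SSH session in the original post was landing; adding the "line vty 0 4" block with "access-class 99 in" empties the list.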