Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1051
Views
0
Helpful
2
Replies

VTY SNMP access-class statement not working (denying traffic) as expected

Go to solution
will
Level 3
Level 3

‎04-27-2014 08:05 PM - edited ‎03-07-2019 07:14 PM

hey guys, been doing this stuff a long time and had the same basic configuration for quite a while. just recently noticed something doesn't appear quite right with VTY and SNMP access-class, designed to prevent non-admin IP's from attempting switch login or SNMP access. I present the VTY example below, but I have seen the same behavior on SNMP RO portion of the configuration. I believe I have seen this on larger 2960S and 3750X switches as well:

On my lab WS-C2960-8TC-S, 15.0(2)SE5 Switch:

SWITCH CONFIG:
access-list 99 permit 192.168.255.64 0.0.0.63 log     (should allow .64-.127, deny anything else in 192.168.255.0)
access-list 99 deny   any log

!

ip http access-class 99    ! notice using ACL 99
ip http authentication local
ip http secure-server
!
line vty 5 15
 access-class 99 in       ! notice using ACL 99
 exec-timeout 60 0
 transport preferred none
 transport input telnet ssh
 transport output telnet ssh
!
WINDOWS 7 CONFIG - vty SSH client:
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.255.192     ! noticed this is outside the IP range of the above ACL 99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

When accessing embedded switch web server from windows PC:
000202: Apr 27 19:48:00.952 PST: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.255.192 168 packets

NOTE: see its _denied_! As expected


When accessing the vty switch via SSH, no log entries seen and i get into switch!

Any ideas? thx in advance!

Will

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
glen.grant
VIP Alumni
VIP Alumni

‎04-28-2014 06:55 AM

   What is setup on line vty 0 4  ?      That is where your first 4 sessions will go .  Is acl 99 on vty 0 4  ????

View solution in original post

0 Helpful
2 Replies 2

Go to solution
glen.grant
VIP Alumni
VIP Alumni

‎04-28-2014 06:55 AM

   What is setup on line vty 0 4  ?      That is where your first 4 sessions will go .  Is acl 99 on vty 0 4  ????

0 Helpful

Go to solution
will
Level 3
Level 3

‎04-28-2014 07:22 PM

thx glen, i needed the second set of eyes! :) i missed that. i thought it was "vty 0 4" or "vty 0 15" and didn't even see that vty 0 4 were missing. anyway, i put that i and it works as expected, as I was coming on on vty 0 or 1. interestingly, i thought you couldn't delete those vty lines, and after putting them in, i tried the delete, but it failed:

BOO-S-1(config)#no line vty 5 15
% Can't delete last 16 VTY lines
!
BOO-S-1(config)#no line vty 0 4
% Can't delete last 16 VTY lines

not sure how they got deleted to begin with!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card