Wildcard Masking on Management Access-List

Dean Romanelli
Level 4

Hi All,

I have small business switches at roughly 140 sites. Each of these sites is 192.168.XX.0/24. All switches are in the .230-.239 range. All access points are in the .100-.120 range. Firewalls are .1-.2. Basically I want to block management access for any IP address that does not end in .1, .2, .100-.120 & .230-.239. However, I'd like to do this in a wildcard fashion so that I can have 1 batch ACL that will work everywhere instead of needing to make a new ACL for each subnet.

I know in IOS you can do this by playing with the mask bits. Example:

permit tcp 192.168.0.0 0.0.255.3 any eq 22 log
permit tcp 192.168.0.100 0.0.255.21 any eq 22 log
permit tcp 192.168.0.230 0.0.255.10 any eq 22 log
deny ip any any log

Those subnet inversions would accomplish exactly what I need, and since the 3rd octet is wildcarded to 255 which specifies that I don't care what the 3rd octet is, it would work everywhere, and would permit only 4th octet addresses that are .1-.2, .100-.120 & .230-.239.

Basically I am looking for a way to do this in the Small Business Switch software, but as far as I can tell, it does not allow this in the same fashion:

SW162StSoupletts300A#config t
SW162StSoupletts300A(config)#management access-list Remote-Access
SW162StSoupletts300A(config-macl)#permit ip source 192.168.0.0 mask 0.0.0.255 service ssh
% bad parameter value

Can anyone confirm if this is just a limitation or if there is another way to accomplish this?

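Added example, not part of the post: a small checker that expands IOS-style wildcard entries the way the ACL engine does (a wildcard bit of 1 means "don't care", so only the bits where the wildcard is 0 have to match) across an entire 192.168.X.0/24, lists which fourth-octet values end up permitted before the trailing deny, and diffs that against the intended set of .1, .2, .100-.120 and .230-.239. The three permit lines and the intended set are copied from the post; the function names (`ace_matches`, `permitted_fourth_octets`, `audit`) are mine.

```python
import ipaddress

# The three permit entries from the post, as (entry address, wildcard mask).
POSTED_ACES = [
    ("192.168.0.0", "0.0.255.3"),
    ("192.168.0.100", "0.0.255.21"),
    ("192.168.0.230", "0.0.255.10"),
]

# Fourth-octet values the post wants management access allowed from.
INTENDED = {1, 2} | set(range(100, 121)) | set(range(230, 240))


def ace_matches(ace_addr: str, wildcard: str, host: str) -> bool:
    """True if `host` is covered by the wildcard entry.

    Bits set to 1 in the wildcard are ignored; host and entry address must
    agree on every bit where the wildcard is 0 (all 32 bits are compared).
    """
    a = int(ipaddress.IPv4Address(ace_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    h = int(ipaddress.IPv4Address(host))
    care = ~w & 0xFFFFFFFF  # mask of the bits that must match
    return (a & care) == (h & care)


def permitted_fourth_octets(aces, third_octet: int = 0) -> set:
    """Fourth-octet values in 192.168.<third_octet>.0/24 that hit at least one
    permit entry. Anything not returned falls through to 'deny ip any any'."""
    return {
        x for x in range(256)
        if any(ace_matches(a, w, f"192.168.{third_octet}.{x}") for a, w in aces)
    }


def audit(aces, intended=INTENDED, third_octet: int = 0):
    """Return (permitted but not intended, intended but blocked), both sorted."""
    got = permitted_fourth_octets(aces, third_octet)
    return sorted(got - intended), sorted(intended - got)


if __name__ == "__main__":
    extra, missing = audit(POSTED_ACES)
    print("permitted:", sorted(permitted_fourth_octets(POSTED_ACES)))
    print("permitted but not intended:", extra)
    print("intended but blocked:", missing)
```

Because each entry is evaluated bit by bit rather than as a numeric range, running `audit` against a proposed ACL before pushing it to 140 sites shows exactly which hosts gain or lose management access.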