[f-nsp] Question about IPv6 SSH Access Group on Jetcore

Philipp Geschke foundry-nsp at pgmail.net
Thu Nov 25 08:55:50 EST 2010


Hi,

I seem to be unable to get SSH Access via IPv6 restricted on a Jetcore
with Provider Firmware 08.0.01v.

After reading the manual, my understanding is that the following should
restrict ssh access only to subnet 2001:db8:1:2::/64:

ipv6 access-list ipv6-mgmt-in
 permit ipv6 2001:db8:1:2::/64 any
ssh access-group ipv6 ipv6-mgmt-in

As all IPv6 ACLs have an implicit deny ipv6 any any rule as soon as any
permit rules are configured, this should block everything but the subnet
2001:db8:1:2::/64 from having access using SSH.
But when I test from any other IPv6 address I can log on to SSH without
any trouble.

I tried to use a manual deny ipv6 any any rule in the ACL without any
difference.


Does anybody successfully restrict SSH Access on IPv6 and can give me a
hint here?


Thanks,
Philipp
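
Added example, not part of the original post and not vendor code: a small Python model of the first-match, implicit-deny semantics the post describes, used to compute the expected verdict per test source and flag where observed SSH logins disagree. The parser only handles the `permit|deny ipv6 <source> any` form shown above; the `OBSERVED` results are constructed sample data, and the empty-ACL behaviour is an assumption.

```python
import ipaddress

# The ACL from the post, verbatim.
ACL_TEXT = """\
ipv6 access-list ipv6-mgmt-in
 permit ipv6 2001:db8:1:2::/64 any
"""

def parse_acl(text):
    """Return [(action, source_network)] for 'permit|deny ipv6 <src> any' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if (len(tok) == 4 and tok[0] in ("permit", "deny")
                and tok[1] == "ipv6" and tok[3] == "any"):
            src = "::/0" if tok[2] == "any" else tok[2]
            rules.append((tok[0], ipaddress.IPv6Network(src, strict=True)))
    return rules

def expected_verdict(rules, source):
    """First matching rule wins; no match falls through to the implicit deny."""
    addr = ipaddress.IPv6Address(source)
    for action, net in rules:
        if addr in net:
            return action
    # Per the post, the implicit deny applies once permit rules exist.
    # Assumption: an ACL without permit rules filters nothing.
    return "deny" if any(a == "permit" for a, _ in rules) else "permit"

def mismatches(rules, observed):
    """observed maps source address -> True if the SSH login succeeded."""
    out = []
    for src, logged_in in observed.items():
        want = expected_verdict(rules, src)
        got = "permit" if logged_in else "deny"
        if want != got:
            out.append((src, want, got))
    return out

# Constructed test results: one source inside the permitted /64, two outside.
OBSERVED = {
    "2001:db8:1:2::10": True,
    "2001:db8:1:3::10": True,   # outside the /64, login still worked
    "2001:db8:ffff::1": True,
}

if __name__ == "__main__":
    for src, want, got in mismatches(parse_acl(ACL_TEXT), OBSERVED):
        print(f"{src}: ACL says {want}, device did {got}")
```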





