[f-nsp] Brocade VDX6730 inband management ACL
Youssef Bengelloun-Zahr
youssef at 720.fr
Fri Feb 26 09:34:48 EST 2016
Hello Clement,
How about this for telnet:
telnet at er01-par01(config)#telnet access-group ?
ASCII string Standard Access List Name
<1-99> Standard IP access list
ipv6 IPv6 Access control list
and this for SSH:
telnet at er01-par01(config)#ip ssh client ?
A.B.C.D IP address
ipv6 IPv6 address
telnet at er01-par01(config)#ip ssh source-interface ?
ethernet Ethernet interface
loopback Loopback interface
pos POS interface
ve Virtual Ethernet interface
telnet at er01-par01(config)#ip ssh st
strict-management-vrf Allow SSH connections only from management-vrf
Best regards.
2016-02-26 15:21 GMT+01:00 Clement Cavadore <clement at cavadore.net>:
> Hello Youssef,
>
> Thanks for your reply, but I cannot do that (applying it on a Ve --
> management interfaces are used for something different), since the VDX
> is being used as a router.
> Correct me if I'm wrong, but if I apply an ip access group, all the
> routed traffic will be impacted by the ACL.
>
> I am just interested in applying such an ACL to the traffic towards the
> switches themselves...
>
> Clément
>
>
> On Fri, 2016-02-26 at 15:15 +0100, Youssef Bengelloun-Zahr wrote:
> > Dear Clement,
> >
> >
> > I personally restricted access to the box via an ACL applied directly
> > under the interface I'm interested in.
> >
> >
> > For instance, for OOB interface:
> >
> > interface Management 1/0
> > no tcp burstrate
> > ip icmp unreachable
> > ip icmp echo-reply
> > no ip address dhcp
> > ip address 10.75.1.21/24
> > ip access-group AUTHORIZED-V4-SUBNETS-FOR-MANAGEMENT in <====
> > ipv6 icmpv6 unreachable
> > ipv6 icmpv6 echo-reply
> > no ipv6 address autoconfig
> > no ipv6 address dhcp
> > !
> >
> >
> > I believe it should be the same for the other interfaces.
> >
> >
> > HTH.
> >
> >
> >
> > 2016-02-26 14:54 GMT+01:00 Clement Cavadore <clement at cavadore.net>:
> > Hi,
> >
> > I have a couple of VDX in a fabric which run BGP & so on over public IP
> > addresses. They are accessible using SSH on their outband interface, and
> > also in inband, and I cannot figure out where we could restrict it to
> > some access lists. => I am looking for the equivalent of "telnet/ssh
> > access-group XX" in NOS 4.1.x.
> >
> > Anyone know that?
> >
> > Thanks!
> > --
> > Clément Cavadore
> >
> > _______________________________________________
> > foundry-nsp mailing list
> > foundry-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/foundry-nsp
> >
> >
> >
> > --
> > Youssef BENGELLOUN-ZAHR
> >
>
>
>
--
Youssef BENGELLOUN-ZAHR
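As an added example (not from this thread or from Brocade), a small audit script that checks a NOS-style config text for the three controls discussed above: an inbound ACL on each Management interface, a global `telnet access-group`, and `ip ssh strict-management-vrf`. The config text is constructed, and the line syntax is assumed from the snippets quoted in the thread.

```python
"""Audit a NOS-style config for management-plane access controls.

Added example, not code from the thread or from Brocade. The sample config
is constructed; the command syntax is assumed from the thread's snippets.
"""
import re

# Constructed sample: Management 1/0 carries an inbound ACL, Management 2/0
# does not, a global telnet access-group is set, strict-management-vrf is absent.
SAMPLE_CONFIG = """\
telnet access-group 10
interface Management 1/0
 ip address 10.75.1.21/24
 ip access-group AUTHORIZED-V4-SUBNETS-FOR-MANAGEMENT in
!
interface Management 2/0
 ip address 10.75.1.22/24
!
interface Ve 100
 ip address 192.0.2.1/24
!
"""

ACL_RE = re.compile(r"^ip access-group (\S+) in$")


def parse_interfaces(config):
    """Return {interface name: [stripped lines]} for each 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif line.startswith("!") or not line.strip():
            current = None          # block terminator or blank line
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def audit(config):
    """Report OOB interfaces lacking an inbound IPv4 ACL and the global knobs
    that restrict telnet/SSH without touching routed traffic on Ve interfaces."""
    blocks = parse_interfaces(config)
    oob_without_acl = [name for name, lines in blocks.items()
                       if name.startswith("Management")
                       and not any(ACL_RE.match(l) for l in lines)]
    all_lines = [l.strip() for l in config.splitlines()]
    telnet_acl = next((l.split()[2] for l in all_lines
                       if l.startswith("telnet access-group ")), None)
    return {"oob_without_inbound_acl": oob_without_acl,
            "telnet_access_group": telnet_acl,
            "ssh_strict_management_vrf": "ip ssh strict-management-vrf" in all_lines}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```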