[f-nsp] Brocade VDX6730 inband management ACL

Clement Cavadore clement at cavadore.net
Fri Feb 26 09:37:02 EST 2016


Youssef,

This is the way we do it, for IronWare.
I am looking for the equivalent on NOS :-)

Thanks !

Clément

On Fri, 2016-02-26 at 15:34 +0100, Youssef Bengelloun-Zahr wrote:
> Hello Clement,
> 
> 
> How about this for telnet :
> 
> telnet@er01-par01(config)#telnet access-group ?
>   ASCII string   Standard Access List Name
>   <1-99>       Standard IP access list 
>   ipv6           IPv6 Access control list
> 
> 
> and this for SSH :
> 
> telnet@er01-par01(config)#ip ssh client ?
>   A.B.C.D   IP address
>   ipv6      IPv6 address
> 
> telnet@er01-par01(config)#ip ssh source-interface ?
>   ethernet   Ethernet interface
>   loopback   Loopback interface
>   pos        POS interface
>   ve         Virtual Ethernet interface
> 
> telnet@er01-par01(config)#ip ssh st
>   strict-management-vrf        Allow SSH connections only from management-vrf
> 
> 
> Best regards.
> 
> 
> 
> 
> 
> 2016-02-26 15:21 GMT+01:00 Clement Cavadore <clement at cavadore.net>:
>         Hello Youssef,
>         
>         Thanks for your reply, but I cannot do that (applying it on a Ve --
>         management interfaces are used for something different), since the VDX
>         is being used as a router.
>         Correct me if I'm wrong, but if I apply an ip access group, all the
>         routed traffic will be impacted by the ACL.
>         
>         I am just interested in applying such an ACL to the traffic towards the
>         switches themselves...
>         
>         Clément
>         
>         
>         On Fri, 2016-02-26 at 15:15 +0100, Youssef Bengelloun-Zahr wrote:
>         > Dear Clement,
>         >
>         >
>         > I personally restricted access to the box via an ACL applied directly
>         > under the interface I'm interested in.
>         >
>         >
>         > For instance, for OOB interface :
>         >
>         > interface Management 1/0
>         >  no tcp burstrate
>         >  ip icmp unreachable
>         >  ip icmp echo-reply
>         >  no ip address dhcp
>         >  ip address 10.75.1.21/24
>         >  ip access-group AUTHORIZED-V4-SUBNETS-FOR-MANAGEMENT in   <====
>         >  ipv6 icmpv6 unreachable
>         >  ipv6 icmpv6 echo-reply
>         >  no ipv6 address autoconfig
>         >  no ipv6 address dhcp
>         > !
>         >
>         >
>         > I believe it should be the same for the other interfaces.
>         >
>         >
>         > HTH.
>         >
>         >
>         >
>         > 2016-02-26 14:54 GMT+01:00 Clement Cavadore <clement at cavadore.net>:
>         >         Hi,
>         >
>         >         I have a couple of VDX in a fabric which run BGP & so on over
>         >         public IP addresses. They are accessible using SSH on their
>         >         out-of-band interface, and also in-band, and I cannot figure
>         >         out where we could restrict it to some access lists. => I am
>         >         looking for the equivalent of "telnet/ssh access-group XX"
>         >         in NOS 4.1.x.
>         >
>         >         Anyone know that?
>         >
>         >         Thanks !
>         >         --
>         >         Clément Cavadore
>         >
>         >         _______________________________________________
>         >         foundry-nsp mailing list
>         >         foundry-nsp at puck.nether.net
>         >         http://puck.nether.net/mailman/listinfo/foundry-nsp
>         >
>         >
>         >
>         > --
>         > Youssef BENGELLOUN-ZAHR
>         >
>         
>         
>         
> 
> 
> 
> -- 
> Youssef BENGELLOUN-ZAHR
> 
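The distinction the thread turns on, as an added example that is not part of the thread and is not Brocade or IronWare/NOS code: a small Python simulator of first-match standard ACLs in the "permit <net> <wildcard> / deny any" style shown above, applied two ways. Bound to the telnet/ssh service (Youssef's "telnet access-group"), the ACL is only consulted for sessions to the box itself; applied with "ip access-group ... in" on a routed interface, the same list is evaluated against every packet entering that interface, transit and BGP included, which is exactly Clément's objection. The ACL text, the device addresses, the admin sources and the sample packets are constructed for illustration; the lockout check at the end is the test a practitioner runs before binding a management ACL, since the implicit deny at the end of the list also applies to the operator's own session.

```python
"""
Added example (not from the thread, not Brocade code): simulate an
IronWare-style standard ACL bound to the management service versus the
same ACL applied inbound on a routed interface.  All addresses, ACL
lines and packets below are constructed sample data.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int


class AclEntry(NamedTuple):
    action: str            # "permit" or "deny"
    network: IPv4Network   # source match


def parse_standard_acl(text: str) -> List[AclEntry]:
    """Parse 'permit 192.0.2.0 0.0.0.255', 'permit host 10.0.0.1', 'deny any'.
    Wildcard (inverse) masks are converted to prefixes; '!' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        action = parts[0].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACL line: {raw!r}")
        if parts[1] == "any":
            net = IPv4Network("0.0.0.0/0")
        elif parts[1] == "host":
            net = IPv4Network(f"{parts[2]}/32")
        else:
            wildcard = int(IPv4Address(parts[2]))
            prefix = 32 - bin(wildcard).count("1")
            # only contiguous wildcards map to a prefix; reject anything else
            if wildcard != (1 << (32 - prefix)) - 1:
                raise ValueError(f"non-contiguous wildcard unsupported: {raw!r}")
            net = IPv4Network(f"{parts[1]}/{prefix}", strict=False)
        entries.append(AclEntry(action, net))
    return entries


def acl_permits(acl: List[AclEntry], src: str) -> bool:
    """First match wins; an unmatched source hits the implicit deny."""
    ip = IPv4Address(src)
    for entry in acl:
        if ip in entry.network:
            return entry.action == "permit"
    return False


MGMT_ACL = """
! constructed sample: only the NOC jump-host network may manage the device
permit 192.0.2.0 0.0.0.255
deny any
"""

DEVICE_SELF = {"203.0.113.1", "10.75.1.21"}   # constructed addresses owned by the box
MGMT_PORTS = {22, 23}                         # ssh, telnet


def service_acl_verdict(acl: List[AclEntry], pkt: Packet) -> str:
    """ACL bound to the ssh/telnet service: only sessions to the box are filtered."""
    if pkt.dst in DEVICE_SELF and pkt.dport in MGMT_PORTS:
        return "permit" if acl_permits(acl, pkt.src) else "deny"
    return "permit"   # transit and non-management traffic never reach this ACL


def interface_acl_verdict(acl: List[AclEntry], pkt: Packet) -> str:
    """Same ACL as 'ip access-group ... in' on a routed interface: every ingress packet is matched."""
    return "permit" if acl_permits(acl, pkt.src) else "deny"


def compare(acl_text: str, packets: List[Packet]):
    acl = parse_standard_acl(acl_text)
    return [(p, service_acl_verdict(acl, p), interface_acl_verdict(acl, p)) for p in packets]


def lockout_risk(acl: List[AclEntry], admin_sources: List[str]) -> List[str]:
    """Admin sources the ACL would reject: run this before binding the list to a live box."""
    return [s for s in admin_sources if not acl_permits(acl, s)]


SAMPLE = [   # constructed packets
    Packet("192.0.2.10", "203.0.113.1", 22),     # NOC jump host -> box, SSH
    Packet("198.51.100.5", "203.0.113.1", 22),   # Internet host -> box, SSH
    Packet("198.51.100.5", "203.0.113.9", 443),  # Internet host -> customer behind the box (transit)
    Packet("198.51.100.5", "203.0.113.1", 179),  # eBGP peer -> box
]

if __name__ == "__main__":
    print(f"{'src':>14} {'dst':>14} {'dport':>5}  service-ACL  interface-ACL")
    for pkt, svc, ifc in compare(MGMT_ACL, SAMPLE):
        print(f"{pkt.src:>14} {pkt.dst:>14} {pkt.dport:>5}  {svc:<11}  {ifc}")
    print("would lock out:", lockout_risk(parse_standard_acl(MGMT_ACL), ["192.0.2.10", "10.75.1.5"]))
```

In the output the two ACL bindings agree only on the management sessions; for the transit flow and the BGP session the interface-applied list drops what the service-bound list never sees, which is why the same ACL text cannot simply be moved from "telnet access-group" to "ip access-group ... in" on an interface that also carries routed traffic.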