[f-nsp] Brocade VDX6730 inband management ACL
Youssef Bengelloun-Zahr
youssef at 720.fr
Fri Feb 26 09:41:50 EST 2016
I just realized I logged in to an MLXe without paying attention, Friday huh
;-)
BR.
2016-02-26 15:37 GMT+01:00 Clement Cavadore <clement at cavadore.net>:
> Youssef,
>
> This is the way we do, for IronWare.
> I am looking for the equivalent on NOS :-)
>
> Thanks !
>
> Clément
>
> On Fri, 2016-02-26 at 15:34 +0100, Youssef Bengelloun-Zahr wrote:
> > Hello Clement,
> >
> >
> > How about this for telnet :
> >
> > telnet at er01-par01(config)#telnet access-group ?
> > ASCII string Standard Access List Name
> > <1-99> Standard IP access list
> > ipv6 IPv6 Access control list
> >
> >
> > and this for SSH :
> >
> > telnet at er01-par01(config)#ip ssh client ?
> > A.B.C.D IP address
> > ipv6 IPv6 address
> >
> > telnet at er01-par01(config)#ip ssh source-interface ?
> > ethernet Ethernet interface
> > loopback Loopback interface
> > pos POS interface
> > ve Virtual Ethernet interface
> >
> > telnet at er01-par01(config)#ip ssh st
> > strict-management-vrf Allow SSH connections only from
> > management-vrf
> >
> >
> > Best regards.
> >
> >
> >
> >
> >
> > 2016-02-26 15:21 GMT+01:00 Clement Cavadore <clement at cavadore.net>:
> > Hello Youssef,
> >
> > Thanks for your reply, but I cannot do that (applying it on a Ve --
> > management interfaces are used for something different), since the VDX
> > is being used as a router.
> > Correct me if I'm wrong, but if I apply an ip access group, all the
> > routed traffic will be impacted by the ACL.
> >
> > I am just interested in applying such an ACL to the traffic towards the
> > switches themselves...
> >
> > Clément
> >
> >
> > On Fri, 2016-02-26 at 15:15 +0100, Youssef Bengelloun-Zahr wrote:
> > > Dear Clement,
> > >
> > >
> > > I personally restricted access to the box via an ACL applied directly
> > > under the interface I'm interested in.
> > >
> > >
> > > For instance, for OOB interface :
> > >
> > > interface Management 1/0
> > > no tcp burstrate
> > > ip icmp unreachable
> > > ip icmp echo-reply
> > > no ip address dhcp
> > > ip address 10.75.1.21/24
> > > ip access-group AUTHORIZED-V4-SUBNETS-FOR-MANAGEMENT in   <====
> > > ipv6 icmpv6 unreachable
> > > ipv6 icmpv6 echo-reply
> > > no ipv6 address autoconfig
> > > no ipv6 address dhcp
> > > !
> > >
> > >
> > > I believe it should be the same for the other interfaces.
> > >
> > >
> > > HTH.
> > >
> > >
> > >
> > > 2016-02-26 14:54 GMT+01:00 Clement Cavadore <clement at cavadore.net>:
> > > Hi,
> > >
> > > I have a couple of VDX in a fabric which run BGP & so on over public IP
> > > addresses. They are accessible using SSH on their outband interface, and
> > > also in inband, and I cannot figure out where we could restrict it to
> > > some access lists. => I am looking for the equivalent of "telnet/ssh
> > > access-group XX" in NOS 4.1.x.
> > >
> > > Anyone know that?
> > >
> > > Thanks !
> > > --
> > > Clément Cavadore
> > >
> > >
> > > --
> > > Youssef BENGELLOUN-ZAHR
> > >
> >
> > --
> > Youssef BENGELLOUN-ZAHR
>
--
Youssef BENGELLOUN-ZAHR