<div dir="ltr"><div><div><div>Hello Clement,<br><br></div>How about this for telnet :<br><br>telnet@er01-par01(config)#telnet access-group ?<br> ASCII string Standard Access List Name<br> <1-99> Standard IP access list <br> ipv6 IPv6 Access control list<br><br></div>and this for SSH :<br><br>telnet@er01-par01(config)#ip ssh client ?<br> A.B.C.D IP address<br> ipv6 IPv6 address<br><br>telnet@er01-par01(config)#ip ssh source-interface ?<br> ethernet Ethernet interface<br> loopback Loopback interface<br> pos POS interface<br> ve Virtual Ethernet interface<br><br>telnet@er01-par01(config)#ip ssh st <br> strict-management-vrf Allow SSH connections only from management-vrf<br><br></div>Best regards.<br><br><br><div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-26 15:21 GMT+01:00 Clement Cavadore <span dir="ltr"><<a href="mailto:clement@cavadore.net" target="_blank">clement@cavadore.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Youssef,<br>
<br>
Thanks for your reply, but I cannot do that (applying it on a Ve --<br>
management interfaces are used for something different), since the VDX<br>
is being used as a router.<br>
Correct me if I'm wrong, but if I apply an ip access group, all the<br>
routed traffic will be impacted by the ACL.<br>
<br>
I am just interested in applying such an ACL to the traffic towards the<br>
switches themselves...<br>
<br>
Clément<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Fri, 2016-02-26 at 15:15 +0100, Youssef Bengelloun-Zahr wrote:<br>
> Dear Clement,<br>
><br>
><br>
> I personally restricted access to the box via an ACL applied directly<br>
> under the interface I'm interested in.<br>
><br>
><br>
> For instance, for OOB interface :<br>
><br>
> interface Management 1/0<br>
> no tcp burstrate<br>
> ip icmp unreachable<br>
> ip icmp echo-reply<br>
> no ip address dhcp<br>
> ip address 10.75.1.21/24<br>
> ip access-group AUTHORIZED-V4-SUBNETS-FOR-MANAGEMENT in <====<br>
> ipv6 icmpv6 unreachable<br>
> ipv6 icmpv6 echo-reply<br>
> no ipv6 address autoconfig<br>
> no ipv6 address dhcp<br>
> !<br>
><br>
><br>
> I believe it should be the same for the other interfaces.<br>
><br>
><br>
> HTH.<br>
><br>
><br>
><br>
> 2016-02-26 14:54 GMT+01:00 Clement Cavadore <<a href="mailto:clement@cavadore.net">clement@cavadore.net</a>>:<br>
> Hi,<br>
><br>
> I have a couple of VDX in a fabric which run BGP & so on over<br>
> public IP<br>
> addresses. They are accessible using SSH on their outband<br>
> interface, and<br>
> also in inband, and I cannot figure out where we could<br>
> restrict it to<br>
> some access lists. => I am looking for the equivalent of<br>
> "telnet/ssh<br>
> access-group XX" in NOS 4.1.x.<br>
><br>
> Anyone know that ?<br>
><br>
> Thanks !<br>
> --<br>
> Clément Cavadore<br>
><br>
> _______________________________________________<br>
> foundry-nsp mailing list<br>
> <a href="mailto:foundry-nsp@puck.nether.net">foundry-nsp@puck.nether.net</a><br>
> <a href="http://puck.nether.net/mailman/listinfo/foundry-nsp" rel="noreferrer" target="_blank">http://puck.nether.net/mailman/listinfo/foundry-nsp</a><br>
><br>
><br>
><br>
> --<br>
> Youssef BENGELLOUN-ZAHR<br>
><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Youssef BENGELLOUN-ZAHR<br></div>
</div>