VTY SNMP access-class statement not working (denying traffic) as expected

will (Level 3)

Hey guys, I've been doing this stuff a long time and have had the same basic configuration for quite a while. I just recently noticed something doesn't appear quite right with VTY and SNMP access-class, designed to prevent non-admin IPs from attempting switch login or SNMP access. I present the VTY example below, but I have seen the same behavior on the SNMP RO portion of the configuration. I believe I have seen this on larger 2960S and 3750X switches as well:

On my lab WS-C2960-8TC-S, 15.0(2)SE5 Switch:

SWITCH CONFIG:
access-list 99 permit 192.168.255.64 0.0.0.63 log     (should allow .64-.127, deny anything else in 192.168.255.0)
access-list 99 deny   any log

!

ip http access-class 99    ! notice using ACL 99
ip http authentication local
ip http secure-server
!
line vty 5 15
 access-class 99 in       ! notice using ACL 99
 exec-timeout 60 0
 transport preferred none
 transport input telnet ssh
 transport output telnet ssh
!
WINDOWS 7 CONFIG - vty SSH client:
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.255.192     ! noticed this is outside the IP range of the above ACL 99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

When accessing embedded switch web server from windows PC:
000202: Apr 27 19:48:00.952 PST: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.255.192 168 packets

NOTE: see, it's _denied_! As expected.


When accessing the switch VTY via SSH, no log entries are seen and I get into the switch!

Any ideas? thx in advance!

Will

 

Accepted Solution

glen.grant (VIP Alumni)

What is set up on line vty 0 4? That is where your first 4 sessions will go. Is ACL 99 on vty 0 4?


Replies

will (Level 3)

Thx Glen, I needed the second set of eyes! :) I missed that. I thought it was "vty 0 4" or "vty 0 15" and didn't even see that vty 0 4 were missing. Anyway, I put that in and it works as expected, as I was coming in on vty 0 or 1. Interestingly, I thought you couldn't delete those vty lines, and after putting them in, I tried the delete, but it failed:

BOO-S-1(config)#no line vty 5 15
% Can't delete last 16 VTY lines
!
BOO-S-1(config)#no line vty 0 4
% Can't delete last 16 VTY lines

not sure how they got deleted to begin with!
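As an added check (not from the thread, and not Cisco's tooling), here is a small Python audit that reads a saved running-config and flags exactly the gap Glen pointed out: VTY lines that are not protected by `access-class <acl> in`, including lines that have no stanza at all, which is how an unprotected `vty 0 4` hides while `vty 5 15` looks fine. Both configs in the block are constructed: the first mirrors the config posted above; the second is an assumed fix (one `line vty 0 15` stanza, SSH only, plus the SNMP RO community the poster mentions tied to the same ACL, with `EXAMPLE-RO` as a placeholder community name). The VTY count of 16 is taken from the `% Can't delete last 16 VTY lines` message in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the config posted in the thread, with no 'line vty 0 4' stanza.
BROKEN_CONFIG = """\
access-list 99 permit 192.168.255.64 0.0.0.63 log
access-list 99 deny   any log
!
ip http access-class 99
ip http authentication local
ip http secure-server
!
line vty 5 15
 access-class 99 in
 exec-timeout 60 0
 transport preferred none
 transport input telnet ssh
 transport output telnet ssh
!
"""

# Constructed fix (assumed, not from the thread): one stanza covering all 16 VTYs, SSH only,
# and the SNMP RO community the poster mentions restricted by the same ACL.
# EXAMPLE-RO is a placeholder community name.
FIXED_CONFIG = """\
access-list 99 permit 192.168.255.64 0.0.0.63 log
access-list 99 deny   any log
!
snmp-server community EXAMPLE-RO RO 99
!
line vty 0 15
 access-class 99 in
 exec-timeout 60 0
 transport preferred none
 transport input ssh
 transport output ssh
!
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_vty_stanzas(config: str) -> Dict[Tuple[int, int], List[str]]:
    """Map each 'line vty <first> [<last>]' stanza to its indented sub-commands."""
    stanzas: Dict[Tuple[int, int], List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):           # any top-level command closes the open stanza
            current = None
            m = VTY_RE.match(raw.strip())
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current = (first, last)
                stanzas[current] = []
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas


def compact(nums: List[int]) -> str:
    """Render sorted line numbers as '0-4', '7', or '0-2, 9-15'."""
    runs, start, prev = [], nums[0], nums[0]
    for n in nums[1:]:
        if n != prev + 1:
            runs.append((start, prev))
            start = n
        prev = n
    runs.append((start, prev))
    return ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


def audit_vty_access_class(config: str, acl: str, total_vtys: int = 16) -> List[str]:
    """Return findings for VTY lines that lack 'access-class <acl> in'.

    total_vtys is 16 (vty 0-15) on the switches in the thread; IOS keeps all of
    them even when a stanza is absent from the config, so a missing stanza
    means an unprotected line, not a nonexistent one.
    """
    findings: List[str] = []
    covered, protected = set(), set()
    for (first, last), cmds in parse_vty_stanzas(config).items():
        rng = range(first, last + 1)
        covered.update(rng)
        if any(c.split() == ["access-class", acl, "in"] for c in cmds):
            protected.update(rng)
        else:
            findings.append(f"line vty {first} {last}: no 'access-class {acl} in'")
    absent = sorted(set(range(total_vtys)) - covered)
    if absent:
        findings.append(
            f"line vty {compact(absent)}: no stanza in running-config, so no access-class "
            "applies; new sessions take the lowest free VTY, so these lines are used first"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted config", BROKEN_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(name, "->", audit_vty_access_class(cfg, "99") or ["OK"])
```

Run against the posted config it reports vty 0-4 as unprotected; against the fixed config it reports nothing. The same stanza parser could be pointed at `show running-config | section line vty` output pulled over SSH, and the ACL name argument lets you check that the SNMP and HTTP access-classes reference the same list.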
