VTY SNMP access-class statement not working (denying traffic) as expected
hey guys, been doing this stuff a long time and had the same basic configuration for quite a while. just recently noticed something doesn't appear quite right with VTY and SNMP access-class, designed to prevent non-admin IPs from attempting switch login or SNMP access. I present the VTY example below, but I have seen the same behavior on the SNMP RO portion of the configuration. I believe I have seen this on larger 2960S and 3750X switches as well:
ip http access-class 99            ! notice using ACL 99
ip http authentication local
ip http secure-server
!
line vty 5 15
 access-class 99 in                ! notice using ACL 99
 exec-timeout 60 0
 transport preferred none
 transport input telnet ssh
 transport output telnet ssh
!

WINDOWS 7 CONFIG - vty SSH client:

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix . :
   IPv4 Address. . . . . . . . . . . : 192.168.255.192   ! noticed this is outside the IP range of the above ACL 99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
When accessing the embedded switch web server from the Windows PC:

000202: Apr 27 19:48:00.952 PST: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.255.192 168 packets

NOTE: see it's _denied_! As expected.

When accessing the switch VTY via SSH, no log entries are seen and I get into the switch!
thx glen, i needed the second set of eyes! :) i missed that. i thought it was "vty 0 4" or "vty 0 15" and didn't even see that vty 0 4 were missing. anyway, i put that in and it works as expected, as I was coming in on vty 0 or 1. interestingly, i thought you couldn't delete those vty lines, and after putting them in, i tried the delete, but it failed:
BOO-S-1(config)#no line vty 5 15
% Can't delete last 16 VTY lines
!
BOO-S-1(config)#no line vty 0 4
% Can't delete last 16 VTY lines
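A config check for the gap this thread uncovered, as an added example that is not from the original posts: a small Python parser (function name and the sample config below are constructed here) walks every `line vty` block in a running-config and reports which of the 16 VTYs have no inbound access-class, so a range that was never configured (here vty 0 4) is flagged instead of silently admitting sessions.

```python
import re

# Constructed sample: the VTY section as posted in the thread, which only
# covers vty 5 15 and therefore leaves vty 0 4 without an access-class.
SAMPLE_CONFIG = """\
ip http access-class 99
ip http authentication local
ip http secure-server
!
line vty 5 15
 access-class 99 in
 exec-timeout 60 0
 transport input telnet ssh
!
"""

# The corrected config adds the block that was missing in the thread.
FIXED_CONFIG = SAMPLE_CONFIG + "line vty 0 4\n access-class 99 in\n!\n"

LINE_VTY = re.compile(r"^line vty (\d+)(?: (\d+))?$")
ACCESS_CLASS = re.compile(r"^\s+access-class \S+ in\b")

def vty_acl_coverage(config, total_vty=16):
    """Return (covered, uncovered): VTY numbers with / without an inbound access-class.

    total_vty defaults to 16 because the switch in the thread reports
    'Can't delete last 16 VTY lines'; adjust for platforms with more VTYs.
    """
    covered = set()
    current = None  # VTY numbers of the 'line vty' block being parsed
    for raw in config.splitlines():
        line = raw.rstrip()
        m = LINE_VTY.match(line)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            current = range(lo, hi + 1)
            continue
        if line and not line.startswith(" "):
            current = None  # any other top-level line ends the block
            continue
        if current is not None and ACCESS_CLASS.match(line):
            covered.update(current)
    uncovered = set(range(total_vty)) - covered
    return covered, uncovered

if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        _, missing = vty_acl_coverage(cfg)
        print(f"{name}: VTYs without inbound access-class -> {sorted(missing)}")
```

Run it against `show running-config | section line vty` output; an empty "without inbound access-class" list is the expected result once every VTY range carries the ACL.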