SG300-10 - Need assistance with ACL

phusion2k
Level 1

We recently got a SG300-10 switch and we are in need of some assistance with creating an access list for SSH access. The switch is running SW version 1.3.0.62. We would like to make it so SSH access is only allowed from the 192.168.1.0 network. We would also like to have every attempt to tcp port 22 for SSH logged. Right now, SSH is accessible from any IP including external (Internet). Here is what we have at the moment. The switch has an IP of 192.168.1.7.

...

ip access-list extended SSH_access
permit ip 192.168.1.0 0.0.0.255 192.168.1.7 0.0.0.0
exit
line ssh
exec-timeout 0
exit

...

External users (Internet) are still able to try and SSH in. Please advise.

Accepted Solution

Tilman Schmidt
Level 1

You defined an ip access-list. Those are for filtering routed traffic, not for controlling access to the switch itself. What's more, it looks like you didn't activate it on any interface (via the access-class command), so it doesn't have any effect at all.

For controlling access to the switch itself, you need to define a management access-list and activate it with the management access-class command. Unfortunately the syntax of those differs quite a bit from the standard ACLs. For example:

management access-list SSH_access
permit ip-source 192.168.1.0 mask /24 service ssh
permit service https
deny
exit
management access-class SSH_access

would allow SSH from the 192.168.1.0 network and HTTPS from everywhere, but disallow everything else (i.e. Telnet or HTTP). Details can be found in ch. 11 "Management ACL Commands" of the 300 Series CLI Guide.

HTH

Tilman

5 Replies

DJX995
Level 3

Off the top of my head (untested)

permit tcp 192.168.1.0 0.0.0.255 any 192.168.1.7 0.0.0.0 22
deny tcp any any 192.168.1.7 0.0.0.0 22
permit ip any any

Thanks for the information. We will try this out tomorrow night and let you know. Thanks.

Tilman,

That worked. Here are the statements needed. This allows for internal access to the SSH and HTTPS services.

management access-list MGMT_ACCESS
permit ip-source 192.168.1.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.1.0 mask 255.255.255.0 service https
deny ip
exit
management access-class MGMT_ACCESS

Thanks for the assistance.
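To check what the two management ACLs in this thread (Tilman's SSH_access and the MGMT_ACCESS list above) will permit or deny before applying them to a switch, here is an added Python model of the rule semantics; it is not part of the thread or of Cisco's code. It assumes ordered first-match evaluation and a deny fallback when nothing matches, so confirm that against the 300 Series CLI Guide before relying on it.

```python
import ipaddress

# Constructed model of the SG300 management ACL semantics the thread describes:
# rules are checked top to bottom, first match wins, and a bare "deny" or
# "deny ip" matches any source and any service. Only the grammar used in the
# thread is parsed. Assumption: a connection matching no rule is denied.

TILMAN_ACL = """management access-list SSH_access
permit ip-source 192.168.1.0 mask /24 service ssh
permit service https
deny
exit"""

FINAL_ACL = """management access-list MGMT_ACCESS
permit ip-source 192.168.1.0 mask 255.255.255.0 service ssh
permit ip-source 192.168.1.0 mask 255.255.255.0 service https
deny ip
exit"""

def parse_rule(line):
    # One rule line -> {'action', 'network', 'service'}; None means "any".
    tok = line.split()
    rule = {"action": tok[0], "network": None, "service": None}
    if "ip-source" in tok:
        k = tok.index("ip-source")
        assert tok[k + 2] == "mask", line
        addr, mask = tok[k + 1], tok[k + 3]          # "/24" or "255.255.255.0"
        cidr = addr + mask if mask.startswith("/") else addr + "/" + mask
        rule["network"] = ipaddress.ip_network(cidr, strict=False)
    if "service" in tok:
        rule["service"] = tok[tok.index("service") + 1]
    return rule

def parse_acl(config):
    # Keep only the permit/deny lines between "management access-list" and "exit".
    lines = [l.strip() for l in config.splitlines()]
    return [parse_rule(l) for l in lines if l.startswith(("permit", "deny"))]

def evaluate(rules, source_ip, service):
    # Decide 'permit' or 'deny' for one management connection; first match wins.
    src = ipaddress.ip_address(source_ip)
    for r in rules:
        if r["network"] is not None and src not in r["network"]:
            continue
        if r["service"] is not None and r["service"] != service:
            continue
        return r["action"]
    return "deny"                                    # assumed default when nothing matches
```

Calling evaluate(parse_acl(TILMAN_ACL), "203.0.113.9", "https") shows the difference between the two lists: Tilman's version permits HTTPS from outside while MGMT_ACCESS denies it.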

Thanks for the feedback.

Glad I could help.