Brocade VDX6730 inband management ACL
Hi,

I have a couple of VDX in a fabric which run BGP & so on over public IP
addresses. They are accessible using SSH on their outband interface, and
also in inband, and I cannot figure out where we could restrict it to
some access lists. => I am looking for the equivalent of "telnet/ssh
access-group XX" in NOS 4.1.x.

Anyone know that?

Thanks!
--
Clément Cavadore

_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
Re: Brocade VDX6730 inband management ACL
Dear Clement,

I personally restricted access to the box via an ACL applied directly
under the interface I'm interested in.

For instance, for the OOB interface:

interface Management 1/0
no tcp burstrate
ip icmp unreachable
ip icmp echo-reply
no ip address dhcp
ip address 10.75.1.21/24
ip access-group AUTHORIZED-V4-SUBNETS-FOR-MANAGEMENT in <====
ipv6 icmpv6 unreachable
ipv6 icmpv6 echo-reply
no ipv6 address autoconfig
no ipv6 address dhcp
!

I believe it should be the same for the other interfaces.

HTH.



2016-02-26 14:54 GMT+01:00 Clement Cavadore <clement@cavadore.net>:
--
Youssef BENGELLOUN-ZAHR
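An added config-audit example, not code from either poster or from Brocade: it parses interface blocks in the style of the "interface Management 1/0" snippet above and reports every management interface that carries an address without a matching inbound access-group. It goes slightly beyond the snippet by checking IPv6 as well as IPv4. The config text is constructed for the example; "Management 2/0", the TenGigabitEthernet block and the ACL name TRANSIT-FILTER are assumptions, not taken from the thread. Access-groups on routed data interfaces are reported separately and not counted as management protection, for the reason Clément raises later in the thread: on a routed interface the ACL also filters transit traffic.

```python
"""Management-plane ACL audit for Brocade-style interface configs.

Added example for this thread (not the posters' or Brocade's code).
SAMPLE_CONFIG is constructed: Management 2/0, the TenGigabitEthernet
block and TRANSIT-FILTER are assumed values for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
interface Management 1/0
 no tcp burstrate
 ip icmp unreachable
 ip icmp echo-reply
 no ip address dhcp
 ip address 10.75.1.21/24
 ip access-group AUTHORIZED-V4-SUBNETS-FOR-MANAGEMENT in
 ipv6 icmpv6 unreachable
 ipv6 icmpv6 echo-reply
 no ipv6 address autoconfig
 no ipv6 address dhcp
!
interface Management 2/0
 no tcp burstrate
 ip address 10.75.1.22/24
 ipv6 address 2001:db8:75::22/64
!
interface TenGigabitEthernet 1/0/1
 ip address 192.0.2.1/30
 ip access-group TRANSIT-FILTER in
!
"""

# Anchored at line start so "no ip address dhcp" / "no ipv6 address
# autoconfig" are never mistaken for a configured address.
IPV4_ADDR = re.compile(r"^ip address \d+\.\d+\.\d+\.\d+/\d+$")
IPV6_ADDR = re.compile(r"^ipv6 address [0-9a-fA-F:]+/\d+$")
IPV4_ACL_IN = re.compile(r"^ip access-group (\S+) in$")
IPV6_ACL_IN = re.compile(r"^ipv6 access-group (\S+) in$")


@dataclass
class Interface:
    name: str
    lines: List[str] = field(default_factory=list)

    @property
    def is_management(self) -> bool:
        return self.name.startswith("Management ")

    def first_match(self, rx: "re.Pattern") -> Optional["re.Match"]:
        for line in self.lines:
            m = rx.match(line)
            if m:
                return m
        return None


def parse_config(text: str) -> List[Interface]:
    """Split a running-config into interface blocks; a bare '!' ends one."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Interface(name=line[len("interface "):])
            interfaces.append(current)
        elif line == "!":
            current = None
        elif current is not None and line:
            current.lines.append(line)
    return interfaces


def audit(text: str) -> List[Tuple[str, str]]:
    """(interface, problem) pairs for management interfaces that have an
    address family configured but no inbound ACL for it.

    Routed data interfaces are skipped on purpose: an access-group there
    filters forwarded traffic as well, so it is not a management control.
    """
    findings: List[Tuple[str, str]] = []
    for itf in parse_config(text):
        if not itf.is_management:
            continue
        if itf.first_match(IPV4_ADDR) and not itf.first_match(IPV4_ACL_IN):
            findings.append((itf.name, "ipv4 address without inbound ip access-group"))
        if itf.first_match(IPV6_ADDR) and not itf.first_match(IPV6_ACL_IN):
            findings.append((itf.name, "ipv6 address without inbound ipv6 access-group"))
    return findings


def inbound_acl_names(text: str) -> Dict[str, List[str]]:
    """Map every interface (management or routed) to its inbound ACL names."""
    result: Dict[str, List[str]] = {}
    for itf in parse_config(text):
        names = []
        for rx in (IPV4_ACL_IN, IPV6_ACL_IN):
            m = itf.first_match(rx)
            if m:
                names.append(m.group(1))
        result[itf.name] = names
    return result


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```

Run against a saved "show running-config" and the audit lists each management interface missing an inbound ACL; inbound_acl_names is there to review which ACL names are applied where, so a filter applied on a routed interface is visible but not mistaken for protection of the box itself.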
Re: Brocade VDX6730 inband management ACL
Hello Youssef,

Thanks for your reply, but I cannot do that (applying it on a Ve --
management interfaces are used for something different), since the VDX
is being used as a router.
Correct me if I'm wrong, but if I apply an ip access-group, all the
routed traffic will be impacted by the ACL.

I am just interested in applying such an ACL to the traffic towards the
switches themselves...

Clément


On Fri, 2016-02-26 at 15:15 +0100, Youssef Bengelloun-Zahr wrote:
Re: Brocade VDX6730 inband management ACL
Hello Clement,

How about this for telnet:

telnet@er01-par01(config)#telnet access-group ?
ASCII string Standard Access List Name
<1-99> Standard IP access list
ipv6 IPv6 Access control list

and this for SSH:

telnet@er01-par01(config)#ip ssh client ?
A.B.C.D IP address
ipv6 IPv6 address

telnet@er01-par01(config)#ip ssh source-interface ?
ethernet Ethernet interface
loopback Loopback interface
pos POS interface
ve Virtual Ethernet interface

telnet@er01-par01(config)#ip ssh st
strict-management-vrf Allow SSH connections only from management-vrf

Best regards.




2016-02-26 15:21 GMT+01:00 Clement Cavadore <clement@cavadore.net>:
--
Youssef BENGELLOUN-ZAHR
Re: Brocade VDX6730 inband management ACL
Youssef,

This is the way we do it, for IronWare.
I am looking for the equivalent on NOS :-)

Thanks!

Clément

On Fri, 2016-02-26 at 15:34 +0100, Youssef Bengelloun-Zahr wrote:
Re: Brocade VDX6730 inband management ACL
I just realized I logged in to an MLXe without paying attention, Friday huh
;-)

BR.



2016-02-26 15:37 GMT+01:00 Clement Cavadore <clement@cavadore.net>:
--
Youssef BENGELLOUN-ZAHR