Unsolved

1 Rookie

16 Posts

December 10th, 2024 22:34

S5248 ACL ingress on VLAN does not work

Hi! So I have 2 VLANs on an S5248F switch: INTERN and EXTERN, each with their IPs (both v4 and v6) and with static routing (default route) through EXTERN.
I'm trying to block SSH access to the switch from anything external, so I have an ingress ACL applied on the EXTERN VLAN

with rules like:
```
ip access-list Dell-ProtectIPv4
 seq 20 deny tcp any host EXTERN_IPv4 eq 22
 seq 21 deny tcp any host INTERN_IPv4 eq 22
 seq 10000 permit ip any any
```

It seems that the rules are not applied... does anyone have an idea why? If I modify the access-list, do I have to somehow re-apply it to the VLAN?

Thanks a lot!

Adrian

Moderator

3.9K Posts

December 11th, 2024 08:54

Hi,

Can you change the host name to host ip:

```
ip access-list Dell-ProtectIPv4
 seq 20 deny tcp any host EXTERN_IPv4 eq 22
 seq 21 deny tcp any host INTERN_IPv4 eq 22
 seq 10000 permit ip any any
```

1 Rookie

16 Posts

December 11th, 2024 16:03

Those text entries are just labels to hide my public IPs... of course they are actually IPs.
Thanks a lot for looking into it!

Moderator

3.9K Posts

December 12th, 2024 03:46

Hi,

Right, ok. I thought they are hostnames, my bad.

Have you also executed these commands? (I'm using Dell-ProtectIPv4 as per your access list name)

```
OS10(config)# line vty
OS10(config-line-vty)# ip access-class Dell-ProtectIPv4
```

1 Rookie

16 Posts

December 12th, 2024 05:38

Erm, no... why? What is this actually doing?
By any chance, is this applied generically from all directions and interfaces, on anything related to connecting to the switch?
Because the format that I had for the Dell-ProtectIPv4 ACL was to deny everything to the switch's public IPs (as in the first message), with the idea that this would be applied only to the external-facing VLAN, but it seems that now everything is blocked, even port 22 to the private IP that is set on the internal VLAN...
So I completely lost connectivity to the switch... Is this something that I can solve with a serial connection, or do I just have to reboot the switch?

1 Rookie

16 Posts

December 12th, 2024 06:48

@DELL-Joey C so, I solved the problem by using the IPv6 address :)

So, going back to the question: how can I secure access to the switch services from external networks (I see 22 and 443 open, and 54320 and 54321 filtered)?
Will the ACL applied to vty work for all ports/services of the switch?
Will an ACL with allowed networks applied to vty deny anything else towards the switch IPs but still allow the switch to route traffic?
Then would that mean that ACLs, let's say ingress ones, will only be applied to destinations beyond the switch?
Thanks a lot!

Moderator

3.9K Posts

December 12th, 2024 09:58

Hi,

You can refer to this article here for blocking access: https://dell.to/49ygBTT

VTY (Virtual Teletype) lines are used for remote terminal access to network devices such as routers and switches. In the context of Dell Networking, VTY lines allow administrators to remotely connect to a device via Telnet or SSH.

Will an acl with allowed networks applied to vty deny anything else towards the switch IPs but still allow the switch to route traffic?

Well, with proper configuration, I believe it is possible. For example, with the current configuration, it blocked your SSH connection.

Then would that mean that acls, let's say ingress ones, will be only applied to destinations beyond the switch?

What I can suggest is to contact support and raise a case to check your configuration for blocking access. If it is not done correctly, it can jeopardise your network security.
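The lock-out in this thread comes from applying a deny-first ACL to the vty lines: an ACL bound with `ip access-class` is evaluated against the source of every terminal session, whichever VLAN it arrives on, so the two `deny ... eq 22` entries matched both the external and the internal SSH session before `permit ip any any` was ever reached. The safer shape is an allow-list that names the trusted management network first and denies everything else last. The configuration below is an added example written for this thread, not a configuration from the original poster or from Dell; the ACL name, the internal subnet `10.10.0.0/24` and the sequence numbers are placeholders, and the command syntax is assumed to follow the OS10 forms already shown on this page (`ip access-list`, `seq`, `line vty`, `ip access-class`).

```text
! Added example: management-plane allow-list for OS10 vty sessions (placeholders, assumed syntax)
! Evaluation is first-match, top to bottom, so the permit for the trusted subnet must
! precede the catch-all deny; the original ACL had the order inverted for this use.
ip access-list MGMT-SSH-ALLOW
 seq 10 permit tcp 10.10.0.0/24 any eq 22
 seq 10000 deny ip any any
!
! Bind it to the terminal lines. This governs SSH/Telnet sessions to the switch itself;
! it does not filter routed transit traffic, which is what the vty questions above ask.
line vty
 ip access-class MGMT-SSH-ALLOW
```

Two checks worth doing before committing such a change: keep a serial console session open so that a mistaken ACL can be removed without a reboot, and remember that an IPv4 `ip access-class` says nothing about IPv6 sessions, which is exactly why the IPv6 address still worked in this thread; an equivalent IPv6 ACL is needed for the same coverage. Services that are not terminal lines, such as the HTTPS port seen open here, are outside what a vty access-class controls and need their own restriction.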
