configure ssh2 access-profile
Configures SSH2 to use an ACL policy or ACL rule for access control.
|access_profile||Specifies an ACL policy.|
|add||Specifies that an ACL rule is to be added to the SSH2 port.|
|rule||Specifies an ACL rule.|
|first||Specifies that the new rule is to be added before all other rules.|
|before||Specifies that the new rule is to be added before a previous rule.|
|after||Specifies that the new rule is to be added after a previous rule.|
|previous_rule||Specifies an existing rule in the application.|
|delete||Specifies that one particular rule is to be deleted.|
|none||Specifies that all the rules or a policy file is to be deleted.|
You must be logged in as administrator to configure SSH2 parameters.
- Implement an ACL policy file that permits or denies a
specific list of IP addresses and subnet masks for the SSH2 port. You must
create the ACL policy file before you can use this command. If the ACL policy
file does not exist on the switch, the switch returns an error message
indicating that the file does not exist.
In the ACL policy file for SSH2, the “source-address” field is the only supported match condition. Any other match conditions are ignored.
Use the none option to remove a previously configured ACL.
Policy files can also be configured using the enable ssh2 command.
- Add an ACL rule to the SSH2 application through this
command. Once an ACL is associated with SSH2, all the packets that reach an SSH2
module are evaluated with this ACL and appropriate action (permit or deny) is
taken, as is done using policy files.
The permit or deny counters are also updated accordingly regardless of whether the ACL is configured to add counters. To display counter statistics, use the show access-list counters process command.
Only the following match conditions and actions are copied to the client memory. Others that may be in the rule are not copied.Match conditions:
- Source-address—IPv4 and IPv6
- Actions—Permit or Deny
When adding a new rule, use the first, before, and after previous_rule parameters to position it within the existing rules.
If the SSH2 traffic does not match any of the rules, the default behavior is deny. To permit SSH2 traffic that does not match any of the rules, add a permit all rule at the end of the rule list.
Creating an ACL Policy File
To create an ACL policy file, use the edit policy command. For more information about creating and implementing ACL policy files, see Policy Manager and ACLs in the ExtremeXOS 32.2 User Guide .
If you attempt to implement a policy that does not exist on the switch, an error message similar to the following appears:
Error: Policy /config/MyAccessProfile.pol does not exist on file system
If this occurs, make sure the policy you want to implement exists on the switch. To confirm the policies on the switch, use the ls command. If the policy does not exist, create the ACL policy file.
The following example applies the ACL MyAccessProfile_2 to SSH2:
configure ssh2 access-profile MyAccessProfile_2
The following example copies the ACL rule, DenyAccess to the SSH2 application in first place:
configure ssh2 access-profile add DenyAccess first
The following example removes the association of a single rule from the SSH2 application:
configure ssh2 access-profile delete DenyAccess
The following example removes the association of all ACL policies and rules from the SSH2 application:
configure ssh2 access-profile none
This command was first available in ExtremeXOS 12.5.
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.