This section describes how to verify that an ACL policy is applied to the SSH server on Virtual Teletype (VTY) lines.
Starting with Cisco IOS XE Catalyst SD-WAN Release 17.2.1r, Cisco IOS XE Catalyst SD-WAN devices support the device-access-policy feature on SSH servers that use Virtual Teletype (VTY) lines. Cisco SD-WAN Manager uses all the available VTY lines in the backend and pushes the policy accordingly.
Configuration:
line vty 0 4
 access-class ssh-acl in vrf-also
!
The following is the access-class definition from the YANG model:
// line * / access-class
container access-class {
  description
    "Filter connections based on an IP access list";
  tailf:cli-compact-syntax;
  tailf:cli-sequence-commands;
  tailf:cli-reset-container;
  tailf:cli-flatten-container;
  list acccess-list {
    tailf:cli-drop-node-name;
    tailf:cli-compact-syntax;
    tailf:cli-reset-container;
    tailf:cli-suppress-mode;
    tailf:cli-delete-when-empty;
    key "direction";
    leaf direction {
      type enumeration {
        enum "in";
        enum "out";
      }
    }
    leaf access-list {
      tailf:cli-drop-node-name;
      tailf:cli-prefix-key;
      type ios-types:exp-acl-type;
      mandatory true;
    }
    leaf vrf-also {
      description
        "Same access list is applied for all VRFs";
      type empty;
    }
  }
}
The following is a sample test log for configuring and verifying the line-server ACL settings:
Device# config-transaction
admin connected from 127.0.0.1 using console on Device
Device(config)# line vty 0 4
Device(config-line)# access-class acl_1 in vrf-also
Device(config-line)# transport input ssh
Device(config-line)# end
Uncommitted changes found, commit them? [yes/no/CANCEL] yes
Commit complete.
Device#
*May 24 20:51:02.994: %SYS-5-CONFIG_P: Configured programmatically by process iosp_vty_100001_dmi_nesd from console as NETCONF on vty31266
*May 24 20:51:02.995: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by admin, transaction-id 227
Device#
Device#
Device# sh sdwan run | sec vty
Error: Licensing infrastructure is NOT initialized.
Error: Licensing infrastructure is NOT initialized.
line vty 0 4
access-class acl_1 in vrf-also
login local
transport input ssh
line vty 5 80
login local
transport input ssh
Device#
Device# sh run | sec vty
Error: Licensing infrastructure is NOT initialized.
Error: Licensing infrastructure is NOT initialized.
line vty 0 4
access-class acl_1 in vrf-also
exec-timeout 0 0
password 7 11051807
login local
transport preferred none
transport input ssh
line vty 5 80
login local
transport input ssh
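The verification above is done by eye on the `show run | section vty` output. The following is an added example, not part of this page or of Cisco's tooling, that automates that check: it parses the output into one record per `line vty` range and reports every SSH-capable range whose inbound `access-class` is missing, names a different ACL than expected, or lacks `vrf-also`. The sample text is the show output reproduced from this page (licensing notices included); the function names `parse_vty_sections` and `verify_policy` are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "show run | section vty" output from this page,
# including the licensing notices that precede the configuration lines.
SAMPLE_SHOW_RUN_VTY = """\
Error: Licensing infrastructure is NOT initialized.
Error: Licensing infrastructure is NOT initialized.
line vty 0 4
 access-class acl_1 in vrf-also
 exec-timeout 0 0
 password 7 11051807
 login local
 transport preferred none
 transport input ssh
line vty 5 80
 login local
 transport input ssh
"""

# "line vty <first> [<last>]"
LINE_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
# "access-class <acl-name> in|out [vrf-also]" as the YANG model above defines it
ACCESS_CLASS_RE = re.compile(r"^access-class (\S+) (in|out)(?: (vrf-also))?$")


def parse_vty_sections(text: str) -> List[Dict]:
    """Split 'show run | section vty' output into one record per 'line vty' block.

    Each record holds the VTY range, the inbound access-class (or None) and
    the list of protocols allowed by 'transport input'.
    """
    sections: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Error:"):
            continue  # blank lines and the licensing notices are not config
        m = LINE_RE.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"first": first, "last": last,
                       "access_class": None, "transport_input": []}
            sections.append(current)
            continue
        if current is None:
            continue  # text before the first 'line vty' block
        m = ACCESS_CLASS_RE.match(line)
        if m and m.group(2) == "in":
            current["access_class"] = {"name": m.group(1),
                                       "vrf_also": m.group(3) is not None}
            continue
        if line.startswith("transport input "):
            current["transport_input"] = line.split()[2:]
    return sections


def verify_policy(sections: List[Dict], expected_acl: str,
                  require_vrf_also: bool = True) -> List[str]:
    """Return one finding per SSH-capable VTY range that deviates from the
    expected inbound ACL. An empty list means the policy is fully applied."""
    findings: List[str] = []
    for s in sections:
        rng = f"line vty {s['first']} {s['last']}"
        allows_ssh = "ssh" in s["transport_input"] or "all" in s["transport_input"]
        if not allows_ssh:
            continue  # a range that cannot be reached over SSH is out of scope
        ac = s["access_class"]
        if ac is None:
            findings.append(f"{rng}: no inbound access-class")
        elif ac["name"] != expected_acl:
            findings.append(f"{rng}: access-class {ac['name']} instead of {expected_acl}")
        elif require_vrf_also and not ac["vrf_also"]:
            findings.append(f"{rng}: access-class lacks vrf-also")
    return findings


def ssh_ranges(sections: List[Dict]) -> List[Tuple[int, int]]:
    """List the (first, last) VTY ranges that accept SSH, for reporting."""
    return [(s["first"], s["last"]) for s in sections
            if "ssh" in s["transport_input"] or "all" in s["transport_input"]]


if __name__ == "__main__":
    parsed = parse_vty_sections(SAMPLE_SHOW_RUN_VTY)
    for finding in verify_policy(parsed, "acl_1"):
        print(finding)
```

Run against the page's own output, the check reports `line vty 5 80: no inbound access-class`, because that range accepts SSH but carries no `access-class` in the sample, while `line vty 0 4` passes. Feed it the output of the same command collected from a device (for example over NETCONF or a scripted SSH session) to confirm that every SSH-capable VTY range carries the ACL that Cisco SD-WAN Manager was expected to push.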