Cannot add new management access profile

Question

Hello:I am hoping someone can help me on a strange issue. I am trying to Cacti to poll my PowerConnect 6248. However, I am getting the following errors in the PowerConnect log:<189> OCT 24 18:48:52 172.17.0.10-1 TRAPMGR[152308912]: traputil.c(611) 1315892 %% Management ACL violation on SNMP from 172.17.xxx.xxxSince it mentions Management ACL violation, so I checked how the access list is configured:switch-d1-2#show management access-listdefault-------permit ip-source 172.17.0.0 mask 255.255.248.0 service ssh priority 10permit ip-source 172.17.0.0 mask 255.255.248.0 service http priority 20! (Note: all other access implicitly denied)switch-d1-2#show management access-classManagement access-class is enabled, using access list default.I thought, I need to add 'permit ip-source 172.17.0.0 mask 255.255.248.0 service snmp priority 30' in order for SNMP to work. But the switch told me 'default' is the active profile, I have to disable it before it can be modified.I tried to create a new profile called 'newlist' with the command:switch-d1-2(config)#management access-list newlistCannot create another Management Access Control Access List. List 'default' is already created.The switch said 'default' is already created. Now I am stuck. Since I cannot create a new profile, I cannot modify the existing active profile 'default'. I am also afraid to deactivate the current 'default' profile because I think that will lock me out of the switch. I also tried the web interface of the switch. After clicked on Add Profile under System -> Management Seacurity -> Access Profile. I cannot enter anything in the Access Profile Name box. The box is grey out. The problem is the switch is located half way around the world. It is not possible for me to get a console connection to the switch via serial port.Can anyone tell me what did I do wrong or how to add a new profile?Thanks Eric

ericwk · Answer

Daniel:

Thanks for the quick respond. I want to know if I disable the current ACL, will that lock me out of the switch from the web interface or the ssh? Since the current active profile has the following permit rules:

switch-d1-2#show management access-list

default
-------
permit ip-source 172.17.0.0 mask 255.255.248.0 service ssh priority 10
permit ip-source 172.17.0.0 mask 255.255.248.0 service http priority 20
! (Note: all other access implicitly denied)

Many Thanks

Eric

ericwk · Answer

Daniel:

One more question. I ran the command "show ip ssh" to check to make sure ssh is enabled.

switch-d1-2#show ip ssh

SSH Server enabled. Port: 22

Protocol Levels: Versions 1 and 2.

RSA key was generated.

DSA key was generated.

SSH Public Key Authentication is disabled.

Active Incoming Sessions.

Ip Address User Name Idle Time Session Time

--------------- --------------- ------------ ------------

172.17.0.252 root 00:00:00 00:00:27

So looks like it is.

I guess my question is, if i disable the management ACL, will that have any effect to the switching functions? Worst case, I will only lost management access to the switch. But all the machines connected to the switch will not be disconnected, right?

Sorry for questions like this. Just worried because the switch is in another country.

Thanks for any advance.

Eric

ericwk · Answer

Daniel: I disabled the ACL today.  Like you described.  Nothing went wrong.  Now I can see SNMP charts in Cacti. Really appreciated your help. Thanks Eric

nbctcp-gmail.com · Answer

@ericwk​ how you disable ACL using CLI not GUI coz if I type # no management access-list no-telnet-http it will delete that acl

DELL-Chris H · Answer

https://dell.to/49dmxRg,   I believe the steps you will need are found on page 1137-1141 here.  The reason you are seeing it removed is due to the no command.   Let me know if this helps.

Networking General

Was this post helpful?