October 25th, 2012 04:00
Cannot add new management access profile
Hello:
I am hoping someone can help me with a strange issue. I am trying to use Cacti to poll my PowerConnect 6248. However, I am getting the following errors in the PowerConnect log:
<189> OCT 24 18:48:52 172.17.0.10-1 TRAPMGR[152308912]: traputil.c(611) 1315892 %% Management ACL violation on SNMP from 172.17.xxx.xxx
Since it mentions a Management ACL violation, I checked how the access list is configured:
switch-d1-2#show management access-list
default
-------
permit ip-source 172.17.0.0 mask 255.255.248.0 service ssh priority 10
permit ip-source 172.17.0.0 mask 255.255.248.0 service http priority 20
! (Note: all other access implicitly denied)
switch-d1-2#show management access-class
Management access-class is enabled, using access list default.
I thought I needed to add "permit ip-source 172.17.0.0 mask 255.255.248.0 service snmp priority 30" in order for SNMP to work. But the switch told me "default" is the active profile, and I have to disable it before it can be modified.
I tried to create a new profile called "newlist" with the command:
switch-d1-2(config)#management access-list newlist
Cannot create another Management Access Control Access List. List "default" is already created.
The switch said "default" is already created. Now I am stuck. Since I cannot create a new profile, I cannot modify the existing active profile "default". I am also afraid to deactivate the current "default" profile because I think that will lock me out of the switch. I also tried the web interface of the switch. After clicking on Add Profile under System -> Management Security -> Access Profile, I cannot enter anything in the Access Profile Name box. The box is greyed out.
The problem is the switch is located half way around the world. It is not possible for me to get a console connection to the switch via serial port.
Can anyone tell me what I did wrong or how to add a new profile?
Thanks
Eric
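Added example, not part of the original post and not Dell's code: a small offline evaluator for the rule lines shown in the `show management access-list` output above, useful for checking whether a poller's SNMP traffic or your own SSH session would be permitted before changing the list on a remote switch. It assumes rules are matched in ascending priority with the first match winning, and it uses 172.17.0.252 (the SSH session address from this thread) as a constructed sample source.

```python
import ipaddress
import re

# Constructed sample: the rule lines from the "show management access-list" output above.
SHOW_OUTPUT = """\
default
-------
permit ip-source 172.17.0.0 mask 255.255.248.0 service ssh priority 10
permit ip-source 172.17.0.0 mask 255.255.248.0 service http priority 20
! (Note: all other access implicitly denied)
"""

RULE_RE = re.compile(
    r"^(permit|deny)\s+ip-source\s+(\S+)\s+mask\s+(\S+)"
    r"\s+service\s+(\S+)\s+priority\s+(\d+)$"
)

def parse_rules(text):
    """Return rules as (priority, action, network, service), sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip the list name, separator and comment lines
        action, addr, mask, service, prio = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((int(prio), action, net, service.lower()))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, source_ip, service):
    """First matching rule wins (assumed order: ascending priority); else implicit deny."""
    ip = ipaddress.ip_address(source_ip)
    for prio, action, net, svc in rules:
        if ip in net and svc == service.lower():
            return action, prio
    return "deny", None  # "all other access implicitly denied"

def lockout_check(rules, sessions):
    """Return the (ip, service) pairs from `sessions` that the rules would deny."""
    return [(ip, svc) for ip, svc in sessions if evaluate(rules, ip, svc)[0] != "permit"]

if __name__ == "__main__":
    rules = parse_rules(SHOW_OUTPUT)
    for ip, svc in [("172.17.0.252", "ssh"), ("172.17.0.252", "snmp"), ("172.17.9.1", "ssh")]:
        print(ip, svc, evaluate(rules, ip, svc))
```

Running `lockout_check` against a proposed rule set with your current management sessions as input shows which of them would be cut off by the change.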
ericwk
October 25th, 2012 09:00
Daniel:
Thanks for the quick response. I want to know if I disable the current ACL, will that lock me out of the switch from the web interface or the ssh? Since the current active profile has the following permit rules:
Many Thanks
Eric
ericwk
October 30th, 2012 04:00
Daniel:
One more question. I ran the command "show ip ssh" to check to make sure ssh is enabled.
switch-d1-2#show ip ssh
SSH Server enabled. Port: 22
Protocol Levels: Versions 1 and 2.
RSA key was generated.
DSA key was generated.
SSH Public Key Authentication is disabled.
Active Incoming Sessions.
Ip Address User Name Idle Time Session Time
--------------- --------------- ------------ ------------
172.17.0.252 root 00:00:00 00:00:27
So looks like it is.
I guess my question is, if I disable the management ACL, will that have any effect on the switching functions? Worst case, I will only lose management access to the switch. But all the machines connected to the switch will not be disconnected, right?
Sorry for questions like this. Just worried because the switch is in another country.
Thanks for any advance.
Eric
ericwk
November 2nd, 2012 03:00
Daniel:
I disabled the ACL today. Like you described. Nothing went wrong. Now I can see SNMP charts in Cacti.
Really appreciated your help.
Thanks
Eric
nbctcp-gmail.com
February 10th, 2024 23:39
@ericwk how do you disable the ACL using the CLI, not the GUI?
Because if I type
# no management access-list no-telnet-http
it will delete that acl
DELL-Chris H
Moderator
February 12th, 2024 13:39
The reason you are seeing it removed is due to the no command.
Let me know if this helps.