
Configuring ACLs to limit access via SSH/Telnet

Want to cut down SSH/Telnet access to my switch's ISP-facing interface/IP. Since the Dells do not have a strict vty/con interface to apply an ACL, I assume I need to simply match it on an interface instead, using the below ACL. Problem is that applying it kills telnet/ssh sessions completely and does not allow them in. Replaced existing IPs in the example with fake IPs. Confirmed my public IP is 112.94.236.58. You'll see a 112.94.236.56/29 with a permit statement.

access-list TEST permit tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.236.56 255.255.255.248 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.236.56 255.255.255.248 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.248.176 255.255.255.248 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.248.176 255.255.255.248 111.126.50.16 255.255.255.0 eq telnet
access-list TEST deny tcp any 111.126.50.16 255.255.255.0 eq 22
access-list TEST deny tcp any 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit ip any any

111.126.50.16 is the switch.

Maybe I should use a host destination in the ACL instead? (edit: nope, tried that with an all-255s subnet, same problem)

The ACL is being created by using the access-list command in config mode. On the interface it only lets me use ip access-class.
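To reason about why a list like this can drop every management session, here is an added Python first-match simulator (not from the original post or from Dell) that walks the posted rules for a given source, destination and port. It assumes the rule syntax shown above (action, protocol, source ip and mask, destination ip and mask, optional "eq port") and takes as a parameter whether the mask field is read as a subnet mask or as a Cisco-style wildcard mask, since that convention differs between platforms and should be confirmed against the switch's CLI reference.

```python
import ipaddress

# Constructed copy of the ACL from the post (SSH rules only; the telnet rules are
# the same with "eq telnet"). 111.126.50.16 is the switch's own address.
ACL_TEXT = """
permit tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq 22
permit tcp 112.94.236.56 255.255.255.248 111.126.50.16 255.255.255.0 eq 22
permit tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq 22
permit tcp 112.94.248.176 255.255.255.248 111.126.50.16 255.255.255.0 eq 22
deny tcp any 111.126.50.16 255.255.255.0 eq 22
permit ip any any
"""
PORT_NAMES = {"telnet": 23, "ssh": 22}


def parse_rule(line):
    """Return (action, proto, src, dst, port); src/dst are (ip, mask) or None for 'any'."""
    tok = line.split()
    pos = 2  # tok[0] is the action, tok[1] the protocol

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, dst = addr(), addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    return tok[0], tok[1], src, dst, port


def matches(addr, rule_ip, rule_mask, wildcard):
    """Range test; wildcard=True reads the mask Cisco-style, set bits meaning 'don't care'."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_ip, rule_mask))
    m = ~m & 0xFFFFFFFF if wildcard else m
    return (a & m) == (r & m)


def evaluate(acl_text, src_ip, dst_ip, proto, dport, wildcard=False):
    """First-match evaluation; returns (action, rule number). Rule 0 is the implicit deny."""
    rules = [parse_rule(ln) for ln in acl_text.strip().splitlines()]
    for num, (action, rproto, src, dst, port) in enumerate(rules, 1):
        proto_ok = rproto in ("ip", proto)
        src_ok = src is None or matches(src_ip, *src, wildcard)
        dst_ok = dst is None or matches(dst_ip, *dst, wildcard)
        port_ok = port is None or port == dport
        if proto_ok and src_ok and dst_ok and port_ok:
            return action, num
    return "deny", 0
```

With the poster's own address 112.94.236.58 the subnet-mask reading permits the SSH session at rule 2, while the wildcard reading fails every permit and falls through to the deny at rule 5, which is the symptom described in the post.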

