beautypg.com

Using an acl to restrict ssh access, Using acls to restrict snmp access – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 24

background image

To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of
the ACL.

device(config)#access-list 10 permit host 10.157.22.32

device(config)#access-list 10 permit 10.157.23.0 0.0.0.255

device(config)#access-list 10 permit 10.157.24.0 0.0.0.255

device(config)#access-list 10 permit 10.157.25.0/24

device(config)#telnet access-group 10

device(config)#write memory

The ACL in this example permits Telnet access only to the IP addresses in the permit entries and
denies Telnet access from all other IP addresses.

Using an ACL to restrict SSH access

To configure an ACL that restricts SSH access to the device, enter commands such as the following.

device(config)#access-list 12 deny host 10.157.22.98 log

device(config)#access-list 12 deny 10.157.23.0 0.0.0.255 log

device(config)#access-list 12 deny 10.157.24.0/24 log

device(config)#access-list 12 permit any

device(config)#ssh access-group 12

device(config)#write memory

Syntax: ssh access-group num

The num parameter specifies the number of a standard ACL and must be from 1 - 99.

These commands configure ACL 12, then apply the ACL as the access list for SSH access. The
device denies SSH access from the IP addresses listed in ACL 12 and permits SSH access from all
other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny SSH
access from all IP addresses.

NOTE
In this example, the command ssh access-group 10 could have been used to apply the ACL
configured in the example for Telnet access. You can use the same ACL multiple times.

Using ACLs to restrict SNMP access

To restrict SNMP access to the device using ACLs, enter commands such as the following.

NOTE
The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and SSH
using ACLs.

device(config)#access-list 25 deny host 10.157.22.98 log

device(config)#access-list 25 deny 10.157.23.0 0.0.0.255 log

device(config)#access-list 25 deny 10.157.24.0 0.0.0.255 log

device(config)#access-list 25 permit any

device(config)#access-list 30 deny 10.157.25.0 0.0.0.255 log

device(config)#access-list 30 deny 10.157.26.0/24 log

device(config)#access-list 30 permit any

device(config)#snmp-server community public ro 25

device(config)#snmp-server community private rw 30

device(config)#write memory

Syntax: snmp-server community string [ ro | rw ] num

The string parameter specifies the SNMP community string the user must enter to gain SNMP access.

Using an ACL to restrict SSH access

24

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

See also other documents in the category Brocade Computer Accessories: