Brocade FastIron Ethernet Switch Security Configuration Guide: Restricting TFTP access to a specific VLAN

The command in this example configures the device to allow SNMP access only to clients connected to
ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] snmp-server enable vlan vlan-id

Restricting TFTP access to a specific VLAN

To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.

device(config)#tftp client enable vlan 40

The command in this example configures the device to allow TFTP access only to clients connected to
ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] tftp client enable vlan vlan-id

Designated VLAN for Telnet management sessions to a Layer 2 Switch

All Brocade FastIron devices support the creation of management VLANs. By default, the management
IP address you configure on a Layer 2 Switch applies globally to all the ports on the device. This is true
even if you divide the device ports into multiple port-based VLANs.

If you want to restrict the IP management address to a specific port-based VLAN, you can make that
VLAN the designated management VLAN for the device. When you configure a VLAN to be the
designated management VLAN, the management IP address you configure on the device is associated
only with the ports in the designated VLAN. To establish a Telnet management session with the device,
a user must access the device through one of the ports in the designated VLAN.

You also can configure up to five default gateways for the designated VLAN, and associate a metric
with each one. The software uses the gateway with the lowest metric. The other gateways reside in the
configuration but are not used. To use one of the other gateways, modify the configuration so that the
gateway you want to use has the lowest metric.

If more than one gateway has the lowest metric, the gateway that appears first in the running-config is
used.

NOTE
If you have already configured a default gateway globally and you do not configure a gateway in the
VLAN, the software uses the globally configured gateway and gives the gateway a metric value of 1.

To configure a designated management VLAN, enter commands such as the following.

device(config)#vlan 10 by port

device(config-vlan-10)#untag ethernet 1/1 to 1/4

device(config-vlan-10)#management-vlan

device(config-vlan-10)#default-gateway 10.10.10.1 1

device(config-vlan-10)#default-gateway 10.20.20.1 2

These commands configure port-based VLAN 10 to consist of ports 1/1 - 1/4 and to be the designated
management VLAN. The last two commands configure default gateways for the VLAN. Since the
10.10.10.1 gateway has a lower metric, the software uses this gateway. The other gateway remains in
the configuration but is not used. You can use the other one by changing the metrics so that the
10.20.20.1 gateway has the lower metric.

Syntax: [no] default-gateway ip-addr metric

The ip-addr parameter specifies the IP address of the gateway router.
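The following is an added example, not code from the Brocade guide. It audits a running-config excerpt for the two controls this page covers: the per-service VLAN restrictions (`snmp-server enable vlan`, `tftp client enable vlan`) and the designated management VLAN with its metric-ranked default gateways. The gateway selection implements the rule stated above: lowest metric wins, a tie goes to the gateway that appears first in the running-config, and a globally configured gateway is used with metric 1 only when the VLAN has none. The sample config text is constructed, and its layout (a `vlan N by port` block with indented member lines) is an assumption about how these commands appear in a saved config; the check that the SNMP/TFTP VLANs match the management VLAN is a reviewer's consistency check added here, not a requirement stated in the guide.

```python
"""Audit a FastIron-style running-config excerpt for management-plane VLAN restrictions.

Added example, not from the Brocade guide. The config layout below is an
assumption; the commands themselves are the ones documented on this page.
"""
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
vlan 10 by port
 untag ethernet 1/1 to 1/4
 management-vlan
 default-gateway 10.10.10.1 2
 default-gateway 10.20.20.1 2
 default-gateway 10.30.30.1 5
vlan 40 by port
 untag ethernet 1/5 to 1/8
snmp-server enable vlan 40
"""


def expand_ports(first, last=None):
    """Expand 'untag ethernet 1/1 to 1/4' into individual slot/port names.
    Ranges are assumed to stay within one slot."""
    if last is None:
        return [first]
    slot, lo = first.split("/")
    slot2, hi = last.split("/")
    if slot != slot2:
        raise ValueError("port range spans slots: %s to %s" % (first, last))
    return ["%s/%d" % (slot, n) for n in range(int(lo), int(hi) + 1)]


def parse_config(text):
    """Collect VLAN blocks (ports, management flag, gateways in config order)
    plus the VLAN ids named by the SNMP and TFTP restriction commands."""
    vlans = {}
    current = None
    snmp_vlan = tftp_vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"vlan (\d+) by port$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"ports": [], "management": False, "gateways": []}
            continue
        m = re.match(r"snmp-server enable vlan (\d+)$", line)
        if m:
            snmp_vlan = int(m.group(1))
            current = None
            continue
        m = re.match(r"tftp client enable vlan (\d+)$", line)
        if m:
            tftp_vlan = int(m.group(1))
            current = None
            continue
        if current is None:
            continue  # global line we do not model
        if line == "management-vlan":
            vlans[current]["management"] = True
            continue
        m = re.match(r"untag ethernet (\S+)(?: to (\S+))?$", line)
        if m:
            vlans[current]["ports"].extend(expand_ports(m.group(1), m.group(2)))
            continue
        m = re.match(r"default-gateway (\d+\.\d+\.\d+\.\d+) (\d+)$", line)
        if m:
            vlans[current]["gateways"].append((m.group(1), int(m.group(2))))
    return {"vlans": vlans, "snmp_vlan": snmp_vlan, "tftp_vlan": tftp_vlan}


def select_gateway(gateways, global_gateway=None):
    """Guide rule: lowest metric wins; min() returns the first minimal entry,
    which matches 'first in the running-config wins' on a tie. With no VLAN
    gateways, the global gateway (if any) is used with metric 1."""
    if not gateways:
        return (global_gateway, 1) if global_gateway else None
    return min(gateways, key=lambda gw: gw[1])


def audit(text, global_gateway=None):
    """Return the management VLAN, its ports, the gateway the software will
    use, and a list of findings a reviewer would want to look at."""
    cfg = parse_config(text)
    findings = []
    mgmt = [vid for vid, v in cfg["vlans"].items() if v["management"]]
    mgmt_vlan = mgmt[0] if len(mgmt) == 1 else None
    if mgmt_vlan is None:
        findings.append("no single designated management VLAN")
    for service, vid in (("snmp", cfg["snmp_vlan"]), ("tftp", cfg["tftp_vlan"])):
        if vid is None:
            findings.append("%s access is not restricted to a VLAN" % service)
        elif vid not in cfg["vlans"]:
            findings.append("%s restricted to VLAN %d, which is not configured" % (service, vid))
        elif mgmt_vlan is not None and vid != mgmt_vlan:
            findings.append("%s allowed from VLAN %d, which differs from the designated management VLAN %d"
                            % (service, vid, mgmt_vlan))
    ports = cfg["vlans"][mgmt_vlan]["ports"] if mgmt_vlan is not None else []
    active = select_gateway(cfg["vlans"][mgmt_vlan]["gateways"], global_gateway) if mgmt_vlan is not None else None
    return {"management_vlan": mgmt_vlan, "management_ports": ports,
            "active_gateway": active, "findings": findings}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, "=", value)
```

On the constructed sample, the audit reports VLAN 10 (ports 1/1 through 1/4) as the management VLAN, picks 10.10.10.1 because it ties 10.20.20.1 on metric 2 but comes first, and flags that TFTP has no VLAN restriction and that SNMP is allowed from a VLAN other than the management VLAN.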

FastIron Ethernet Switch Security Configuration Guide
53-1003088-03