beautypg.com

Using acls to restrict snmp access – Brocade BigIron RX Series Configuration Guide User Manual

Page 136

background image

58

BigIron RX Series Configuration Guide

53-1002484-04

Restricting remote access to management functions

3

Using ACLs to restrict SNMP access

To restrict SNMP access to the device using ACLs, enter commands such as the following.

NOTE

The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet, SSH,
and Web management access using ACLs.

The commands configure ACLs 25 and 30, then apply the ACLs to community strings. ACL 25 is
used to control read-only access using the “public” community string. ACL 30 is used to control
read-write access using the “private” community string.

Syntax: snmp-server community <string> ro | rw

<standard-acl-name> | <standard-acl-id>

The <string> parameter specifies the SNMP community string the user must enter to gain SNMP
access.

NOTE

The ro parameter indicates that the community string is for read-only (“get”) access. The rw
parameter indicates the community string is for read-write (“set”) access.

The <standard-acl-name> | <standard-acl-id> | ipv6 <ipv6-access-list-name> parameter specifies
which ACL will be used to filter incoming SNMP packets.

The <standard-acl-id> parameter specifies the number of a standard ACL, 1 – 99.

The <standard-acl-name> parameter specifies the standard access list name.

NOTE

When snmp-server community is configured, all incoming SNMP packets are validated first by their
community strings and then by their bound ACLs. Packets are permitted if no filters are configured
for an ACL.

Configuring hardware-based remote access filtering on the device

The following is an example of configuring device to perform hardware filtering for Telnet access.

BigIron RX(config)# vlan 3 by port

BigIron RX(config-vlan-3)# untagged ethe 3/1 to 3/5

BigIron RX(config-vlan-3)# router-interface ve 3

BigIron RX(config-vlan-3)# exit

BigIron RX(config)# interface ve 3

BigIron RX(config-vif-3)# ip address 10.10.11.1 255.255.255.0

BigIron RX(config-vif-3)# exit

BigIron RX(config)# access-list 25 deny host 209.157.22.98 log

BigIron RX(config)# access-list 25 deny 209.157.23.0 0.0.0.255 log

BigIron RX(config)# access-list 25 deny 209.157.24.0 0.0.0.255 log

BigIron RX(config)# access-list 25 permit any

BigIron RX(config)# access-list 30 deny 209.157.25.0 0.0.0.255 log

BigIron RX(config)# access-list 30 deny 209.157.26.0/24 log

BigIron RX(config)# access-list 30 permit any

BigIron RX(config)# snmp-server community public ro 25

BigIron RX(config)# snmp-server community private rw 30

BigIron RX(config)# write memory

See also other documents in the category Brocade Computer Accessories: