Management acl security overview, Parts of a management ace – Allied Telesis AT-S63 User Manual

Page 846

Chapter 37: Management Access Control List

Section VIII: Management Security

Management ACL Security Overview

This chapter explains how to restrict remote management access of a
switch by creating a management access control list (management ACL).
This feature controls which management stations can remotely manage
the device using the Telnet application protocol or a web browser.

The switch uses the management ACL to filter the management packets
that it receives. The switch accepts and processes only those
management packets that meet the criteria stated in the ACL. Those
management packets that do not meet the criteria are discarded.

The benefit of this feature is that you can prevent unauthorized access to
the switch by controlling which workstations have remote management
access. You can even control which method, Telnet or web browser, a
remote manager can use.

For example, you can create a management ACL that allows the switch to
accept management packets only from the management stations in one
subnet or from just one or two specific management stations.

An access control list (ACL) is a list of one or more statements that define
which management packets the switch accepts. Each statement, referred
to as an access control entry (ACE), contains criteria that the switch uses
in making the determination.

An ACE in a management ACL is an implicit “permit” statement. This
means that a management packet that meets the criteria of an ACE is
processed by the switch. Consequently, the ACEs that you enter into the
management ACL should specify which management packets you want
the switch to process. Packets that do not meet any of the ACEs in the
management ACL are discarded.

Parts of a Management ACE

An ACE has the following four parts:

- IP address
- Subnet mask
- Application

IP Address

You can specify the IP address of a specific management station or a
subnet.
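As an added illustration, not code from the AT-S63 manual or from Allied Telesis, the following Python models the filtering rule described above: each ACE (IP address, subnet mask, application) is an implicit permit, and a management packet that matches no ACE is discarded. The application labels ("telnet", "web", "all"), the class and function names, and the sample addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class ManagementACE:
    """One access control entry: a host or subnet plus the permitted application."""

    ip: str            # management station address or subnet address
    mask: str          # dotted subnet mask, e.g. 255.255.255.255 for a single host
    application: str   # "telnet", "web" or "all" (labels assumed for this example)

    def matches(self, src_ip: str, application: str) -> bool:
        # strict=False lets the ACE carry a host address with a subnet mask.
        network = IPv4Network((self.ip, self.mask), strict=False)
        in_scope = IPv4Address(src_ip) in network
        app_ok = self.application == "all" or self.application == application
        return in_scope and app_ok


def first_match(acl, src_ip: str, application: str):
    """Return the first ACE that permits this packet, or None if it must be discarded."""
    for ace in acl:
        if ace.matches(src_ip, application):
            return ace
    return None


def is_permitted(acl, src_ip: str, application: str) -> bool:
    # Every ACE is an implicit permit; a packet matching none of them is dropped.
    # An empty list therefore permits nothing in this model (an assumption; the
    # manual page above does not state how the switch treats an empty ACL).
    return first_match(acl, src_ip, application) is not None


# Constructed sample ACL: one subnet limited to Telnet, one host allowed either method.
EXAMPLE_ACL = [
    ManagementACE("192.168.10.0", "255.255.255.0", "telnet"),
    ManagementACE("10.0.0.7", "255.255.255.255", "all"),
]

if __name__ == "__main__":
    for src, app in [("192.168.10.25", "telnet"), ("192.168.10.25", "web"),
                     ("10.0.0.7", "web"), ("10.0.0.8", "web")]:
        verdict = "accept" if is_permitted(EXAMPLE_ACL, src, app) else "discard"
        print(f"{src:14} {app:6} -> {verdict}")
```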