Management ACL Security Overview, Parts of a Management ACE – Allied Telesis AT-S62 User Manual
Page 760

Chapter 35: Management Access Control List
Section VII: Management Security
Management ACL Security Overview
This chapter explains how to restrict remote management access to a
switch by creating a management access control list (management ACL).
This feature controls which management stations can remotely manage
the device using the Telnet application protocol or a web browser.
The switch uses the management ACL to filter the management packets
that it receives, accepting and processing only those management
packets that meet the criteria stated in the ACL. Those management
packets that do not meet the criteria are discarded.
The benefit of this feature is that you can prevent unauthorized access to
the switch by controlling which workstations have remote management
access. You can also control which method, Telnet or web browser, a
remote manager can use.
For example, you can create a management ACL that allows the switch to
accept management packets only from the management stations in one
subnet or from just one or two specific management stations.
An access control list (ACL) is a list of one or more statements that define
which management packets the switch accepts. Each statement, referred
to as an access control entry (ACE), contains criteria that the switch uses
in making the determination.
An ACE in a management ACL is an implicit “permit” statement. A
management packet that meets the criteria of an ACE is processed by the
switch. Consequently, the ACEs that you enter into the management ACL
should specify which management packets you want the switch to
process. Packets that do not meet any of the ACEs in the management
ACL are discarded. Because of this default-discard behavior, be sure the
list includes an ACE that covers the station you are currently managing
the switch from; otherwise you lose remote access to the switch once the
ACL takes effect.
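The matching rule described above (every ACE is a permit, a packet that matches no ACE is discarded, and an ACE is compared only on the address bits where its mask has a binary 1) is small enough to model end to end. The following Python is an added illustration written for this page; it is not code from the AT-S62 firmware or from Allied Telesis. The class names, the "both" application label, the sample ACL and the sample packet list are all constructed here for the example, and the mask semantics assumed are the conventional ones (a 1 bit means the switch compares that bit, so 255.255.255.255 pins a single station and 255.255.255.0 a whole /24).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Application values an ACE can name. "both" is a hypothetical label used
# here for an entry that permits Telnet and web management alike.
TELNET = "telnet"
WEB = "web"
BOTH = "both"


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 address or mask to an integer."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class ManagementACE:
    """One implicit-permit entry: IP address, mask and application."""
    address: str
    mask: str
    application: str = BOTH

    def matches(self, src_ip: str, application: str) -> bool:
        # Only the bits set to 1 in the mask are compared (assumed
        # conventional mask semantics), so a mask of 0.0.0.0 matches
        # every source address.
        mask = _to_int(self.mask)
        same_network = (_to_int(src_ip) & mask) == (_to_int(self.address) & mask)
        app_ok = self.application in (BOTH, application)
        return same_network and app_ok


@dataclass(frozen=True)
class ManagementACL:
    """An ordered list of ACEs; order does not change the outcome because
    every ACE is a permit, but the first match is still reported."""
    entries: Tuple[ManagementACE, ...]

    def first_match(self, src_ip: str, application: str) -> Optional[ManagementACE]:
        for ace in self.entries:
            if ace.matches(src_ip, application):
                return ace
        return None

    def permits(self, src_ip: str, application: str) -> bool:
        # A packet that matches no ACE is discarded.
        return self.first_match(src_ip, application) is not None


def filter_packets(acl: ManagementACL,
                   packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (source IP, application, decision) for each management packet."""
    return [(ip, app, "accept" if acl.permits(ip, app) else "discard")
            for ip, app in packets]


def would_lock_out(acl: ManagementACL, admin_ip: str, application: str) -> bool:
    """Sanity check before applying an ACL: True if the station you manage
    the switch from would itself be discarded by this list."""
    return not acl.permits(admin_ip, application)


# Constructed sample ACL: one /24 of management stations allowed to use
# either method, plus a single host that may only use Telnet.
SAMPLE_ACL = ManagementACL((
    ManagementACE("192.168.1.0", "255.255.255.0", BOTH),
    ManagementACE("10.0.0.5", "255.255.255.255", TELNET),
))

# Constructed sample management packets: (source address, application).
SAMPLE_PACKETS = [
    ("192.168.1.10", TELNET),
    ("192.168.1.77", WEB),
    ("10.0.0.5", TELNET),
    ("10.0.0.5", WEB),
    ("172.16.0.9", TELNET),
]

if __name__ == "__main__":
    for ip, app, decision in filter_packets(SAMPLE_ACL, SAMPLE_PACKETS):
        print(f"{ip:<15} {app:<7} {decision}")
    if would_lock_out(SAMPLE_ACL, "172.16.0.9", WEB):
        print("warning: this ACL would lock 172.16.0.9 out of the web interface")
```

Running the block shows the two outcomes the chapter describes: packets from the permitted subnet and the Telnet-only host are accepted, while the web packet from 10.0.0.5 and the packet from the unlisted 172.16.0.9 station are discarded. The `would_lock_out` check is the one to run with your own workstation's address before committing a list.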
Parts of a Management ACE
An ACE has the following three parts:
IP address
Subnet mask
Application
IP Address
You can specify the IP address of a specific management station or a
subnet.
Mask
You need to enter a mask that indicates the parts of the IP address the
switch should filter on. A binary “1” indicates the switch should filter on the