Configure an Access Policy

About this task

Configure an access policy to control access to the switch.

You can permit network stations to access the switch or forbid network stations to access the switch.

For each service, you can also specify the level of access; for example, read-only or read-write-all.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create an access policy by assigning it a number:

    access-policy <1-65535>

  3. Restrict the access to a specific level:

    access-policy <1-65535> access-strict

  4. Configure access for an access policy:

    access-policy <1-65535> accesslevel <ro|rwa|rw>

  5. Configure the access policy mode, network, and precedence:

    access-policy <1-65535> [mode <allow|deny>] [precedence <1-128>] [network <A.B.C.D> <A.B.C.D>]

    If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check accesslevel and access-strict information. If you configure the access policy mode to allow, the system continues to check the accesslevel and access-strict information.

  6. Optional: Configure access protocols for an access policy:

    access-policy <1-65535> [ftp] [http] [ssh] [telnet] [tftp]

  7. Optional: Configure trusted username access for an access policy:

    access-policy <1-65535> host WORD<0–46> [username WORD<0–30>]

  8. Optional: Configure SNMP parameters for an access policy:

    access-policy <1-65535> [snmp-group WORD<1–32> <snmpv1|snmpv2c|usm>]

    OR

    access-policy <1-65535> [snmpv3]

  9. Enable the access policy:

    access-policy <1-65535> enable

  10. Enable access policies globally:

    access-policy

Example

Assuming no access policies exist, start with policy 3 and name the policy policy3. Add the read-write-all access level and the usm group group_example. Enable access strict, and finally, enable the policy.

Switch:1(config)#access-policy 3
Switch:1(config)#access-policy 3 name policy3
Switch:1(config)#access-policy 3 accesslevel rwa
Switch:1(config)#access-policy 3 snmp-group group_example usm
Switch:1(config)#access-policy 3 access-strict
Switch:1(config)#access-policy 3 enable

Variable Definitions

The following table defines parameters for the access-policy command.

Variable

Value

access-strict

Restrains access to criteria specified in the access policy.

  • true—The system accepts only the currently configured access level.

  • false—The system accepts access up to the configured level.

Use the no operator to remove this configuration.

accesslevel <ro|rwa|rw>

Specifies the level of access if you configure the policy to allow access.

enable

Enables the access policy.

ftp

Activates or disables FTP for the specified policy. Because FTP derives its login and password from the CLI management filters, FTP works for read-write-all (rwa) and read-write (rw) access, but not for the read-only (ro) access. Use the no operator to remove this configuration.

host WORD<0–46>

For remote login access, specifies the trusted host address as an IP address.

The switch supports access-policies over IPv4 and IPv6 with no difference in functionality or configuration.

Use the no operator to remove this configuration.

http

Activates the HTTP and HTTPS for this access policy. Use the no operator to remove this configuration.

mode <allow|deny>

Specifies whether the designated network address is allowed access to the system through the specified access service. The default is allow.

If you configure the access policy mode to deny, the system checks the mode and service, and if they match, the system denies the connection. With the access policy mode configured to deny, the system does not check accesslevel and access-strict information. If you configure the access policy mode to allow, the system continues to check the accesslevel and access-strict information.

name WORD<0-15>

Specifies the access policy name.

network <A.B.C.D> <A.B.C.D>

Specifies the IP address and subnet mask for IPv4, or the IP address and prefix for IPv6, that can access the system through the specified access service.

The switch supports access-policies over IPv4 and IPv6 with no difference in functionality or configuration.

Use the no operator to remove this configuration.

precedence <1-128>

Specifies a precedence value for a policy, expressed as a number from 1–128. The precedence value determines which policy the system uses if multiple policies apply. Lower numbers take higher precedence. The default value is 10.

snmp-group WORD<1–32> <snmpv1|snmpv2c|usm>

Adds an SNMP version 3 group under the access policy.

WORD<1–32> is the SNMP version 3 group name consisting of 1–32 characters.

<snmpv1|snmpv2c|usm> is the security model; either snmpv1, snmpv2c, or usm.

Use the no operator to remove this configuration.

snmpv3

Activates SNMP version 3 for the access policy.

Use the no operator to remove this configuration.

ssh

Activates SSH for the access policy.

Use the no operator to remove this configuration.

telnet

Activates Telnet for the access policy. Use the no operator to remove this configuration.

tftp

Activates the Trivial File Transfer Protocol (TFTP) for this access policy. Use the no operator to remove this configuration.

username WORD<0–30>

Specifies the trusted host user name for remote login access.