Configure an Access Policy
About this task
Configure an access policy to control access to the switch.
You can permit or forbid access to the switch for specific network stations.
For each service, you can also specify the level of access; for example, read-only or read-write-all.
Procedure
Example
Assuming no access policies exist, start with policy 3 and name the policy policy3. Add the read-write-all access level and the usm group group_example. Enable access strict, and finally, enable the policy.
```
Switch:1(config)#access-policy 3
Switch:1(config)#access-policy 3 name policy3
Switch:1(config)#access-policy 3 accesslevel rwa
Switch:1(config)#access-policy 3 snmp-group group_example usm
Switch:1(config)#access-policy 3 access-strict
Switch:1(config)#access-policy 3 enable
```
Variable Definitions
The following table defines parameters for the access-policy command.
Variable | Value
---|---
access-strict | Restricts access to the criteria specified in the access policy. Use the no operator to remove this configuration.
accesslevel <ro\|rwa\|rw> | Specifies the level of access if you configure the policy to allow access.
enable | Enables the access policy.
ftp | Activates or disables FTP for the specified policy. Because FTP derives its login and password from the CLI management filters, FTP works for read-write-all (rwa) and read-write (rw) access, but not for read-only (ro) access. Use the no operator to remove this configuration.
host WORD<0–46> | For remote login access, specifies the trusted host address as an IP address. The switch supports access policies over IPv4 and IPv6 with no difference in functionality or configuration. Use the no operator to remove this configuration.
http | Activates HTTP and HTTPS for this access policy. Use the no operator to remove this configuration.
mode <allow\|deny> | Specifies whether the designated network address is allowed access to the system through the specified access service. The default is allow. If you configure the access policy mode to deny, the system checks the mode and service, and if they match, the system denies the connection. With the access policy mode configured to deny, the system does not check accesslevel and access-strict information. If you configure the access policy mode to allow, the system continues to check the accesslevel and access-strict information.
name WORD<0-15> | Specifies the access policy name.
network <A.B.C.D> <A.B.C.D> | Specifies the IP address and subnet mask for IPv4, or the IP address and prefix for IPv6, that can access the system through the specified access service. The switch supports access policies over IPv4 and IPv6 with no difference in functionality or configuration. Use the no operator to remove this configuration.
precedence <1-128> | Specifies a precedence value for a policy, expressed as a number from 1–128. The precedence value determines which policy the system uses if multiple policies apply. Lower numbers take higher precedence. The default value is 10.
snmp-group WORD<1–32> <snmpv1\|snmpv2c\|usm> | Adds an SNMP version 3 group under the access policy. WORD<1–32> is the SNMP version 3 group name, consisting of 1–32 characters. <snmpv1\|snmpv2c\|usm> is the security model: snmpv1, snmpv2c, or usm. Use the no operator to remove this configuration.
snmpv3 | Activates SNMP version 3 for the access policy. Use the no operator to remove this configuration.
ssh | Activates SSH for the access policy. Use the no operator to remove this configuration.
telnet | Activates Telnet for the access policy. Use the no operator to remove this configuration.
tftp | Activates the Trivial File Transfer Protocol (TFTP) for this access policy. Use the no operator to remove this configuration.
username WORD<0–30> | Specifies the trusted host user name for remote login access.