Configure an Access Policy
Configure an access policy to control access to the switch.
About this task
You can permit network stations to access the switch or forbid network stations to access the switch.
For each service, you can also specify the level of access; for example, read-only or read-write-all.
If you configure the access policy mode to deny, the system checks the mode and service, and if they match, the system denies the connection. With the access policy mode configured to deny, the system does not check accesslevel and access-strict information.
If you configure the access policy mode to allow, the system continues to check the accesslevel and access-strict information.
Procedure
Examples
Assuming no access policies exist, start with policy 3 and name the policy policy3. Add the read-write-all access level and the usm group group_example. Enable access strict, and finally, enable the policy.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#access-policy 3
Switch:1(config)#access-policy 3 name policy3
Switch:1(config)#access-policy 3 accesslevel rwa
Switch:1(config)#access-policy 3 snmp-group group_example usm
Switch:1(config)#access-policy 3 access-strict
Switch:1(config)#access-policy 3 enable
Create an SNMPv3 policy that references an existing SNMP group.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#access-policy 1
Switch:1(config)#access-policy 1 snmpv3
Switch:1(config)#access-policy 1 snmp-group Test usm
Variable Definitions
The following table defines parameters for the access-policy command.
| Variable | Value |
|---|---|
| access-strict | Restrains access to criteria specified in the access policy. |
| accesslevel <ro\|rwa\|rw> | Specifies the level of access if you configure the policy to allow access. |
| enable | Enables the access policy. |
| ftp | Activates or disables FTP for the specified policy. Because FTP derives its login and password from the CLI management filters, FTP works for read-write-all (rwa) and read-write (rw) access, but not for read-only (ro) access. |
| host WORD<0–46> | For remote login access, specifies the trusted host address as an IP address. The switch supports access policies over IPv4 and IPv6 with no difference in functionality or configuration. |
| http | Activates HTTP and HTTPS for this access policy. |
| mode <allow\|deny> | Specifies whether the designated network address is allowed access to the system through the specified access service. The default is allow. If you configure the access policy mode to deny, the system checks the mode and service, and if they match, the system denies the connection. With the access policy mode configured to deny, the system does not check accesslevel and access-strict information. If you configure the access policy mode to allow, the system continues to check the accesslevel and access-strict information. |
| name WORD<0-15> | Specifies the access policy name. |
| network <A.B.C.D> <A.B.C.D> | Specifies the IP address and subnet mask for IPv4, or the IP address and prefix for IPv6, that can access the system through the specified access service. The switch supports access policies over IPv4 and IPv6 with no difference in functionality or configuration. |
| precedence <1-128> | Specifies a precedence value for a policy, expressed as a number from 1–128. The precedence value determines which policy the system uses if multiple policies apply. Lower numbers take higher precedence. The default value is 10. |
| snmp-group WORD<1–32> <snmpv1\|snmpv2c\|usm> | Adds an SNMP version 3 group under the access policy. WORD<1–32> is the SNMP version 3 group name, consisting of 1–32 characters. <snmpv1\|snmpv2c\|usm> is the security model: snmpv1, snmpv2c, or usm. |
| snmpv3 | Activates SNMP version 3 for the access policy. |
| ssh | Activates SSH for the access policy. |
| telnet | Activates Telnet for the access policy. Use the no operator to remove this configuration. |
| tftp | Activates the Trivial File Transfer Protocol (TFTP) for this access policy. |