Configure an Access Policy

Configure an access policy to control access to the switch.

About this task

You can permit network stations to access the switch or forbid network stations to access the switch.

For each service, you can also specify the level of access; for example, read-only or read-write-all.

If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system, denies the connection. With the access policy mode configured to deny, the system does not check accesslevel and access-strict information.

If you configure the access policy mode to allow, the system continues to check the accesslevel and access-strict information.

Procedure

Enter Global Configuration mode:

enable

configure terminal
Create an access policy by assigning it a number:

access-policy <1-65535>
Restrict the access to a specific level:

access-policy <1-65535> access-strict
Configure access for an access policy:

access-policy <1-65535> accesslevel <ro|rwa|rw>
Configure the access policy mode, network, and precedence:

access-policy <1-65535> [mode <allow|deny>] [precedence <1-128>] [network <A.B.C.D> <A.B.C.D>]
Optional: Configure access protocols for an access policy:

access-policy <1-65535> [ftp] [http] [ssh] [telnet] [tftp]
Optional: Configure trusted access for an access policy:

access-policy <1-65535> host WORD<0–46>
Optional: Configure SNMP parameters for an access policy:

Note

If you configure an access policy for SNMPv3, you must create an SNMP group and add that group as part of the access policy configuration. For more information about how to create an SNMP group, see Create a New User Group.
- access-policy <1-65535> [snmpv3]
- access-policy <1-65535> [snmp-group WORD<1–32> <snmpv1|snmpv2c|usm>]
Enable the access policy:

access-policy <1-65535> enable
Enable access policies globally:

access-policy

Examples

Assuming no access policies exist, start with policy 3 and name the policy policy3. Add the read-write-all access level and the usm group group_example. Enable access strict, and finally, enable the policy.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#access-policy 3
Switch:1(config)#access-policy 3 name policy3
Switch:1(config)#access-policy 3 accesslevel rwa
Switch:1(config)#access-policy 3 snmp-group group_example usm
Switch:1(config)#access-policy 3 access-strict
Switch:1(config)#access-policy 3 enable

Create an SNMPv3 policy that references an existing SNMP group.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#access-policy 1
Switch:1(config)#access-policy 1 snmpv3
Switch:1(config)#access-policy 1 snmp-group Test usm

Variable Definitions

The following table defines parameters for the access-policy command.


Variable	Value
access-strict	Restrains access to criteria specified in the access policy. true—The system accepts only the currently configured access level. false—The system accepts access up to the configured level.
accesslevel `<ro\|rwa\|rw>`	Specifies the level of access if you configure the policy to allow access.
enable	Enables the access policy.
ftp	Activates or disables FTP for the specified policy. Because FTP derives its login and password from the CLI management filters, FTP works for read-write-all (rwa) and read-write (rw) access, but not for the read-only (ro) access.
host `WORD<0–46>`	For remote login access, specifies the trusted host address as an IP address. The switch supports access-policies over IPv4 and IPv6 with no difference in functionality or configuration.
http	Activates the HTTP and HTTPS for this access policy.
mode `<allow\|deny>`	Specifies whether the designated network address is allowed access to the system through the specified access service. The default is allow. If you configure the access policy mode to deny, the system checks the mode and service, and if they match, the system denies the connection. With the access policy mode configured to deny, the system does not check accesslevel and access-strict information. If you configure the access policy mode to allow, the system continues to check the accesslevel and access-strict information.
name WORD<0-15>	Specifies the access policy name.
network <A.B.C.D> <A.B.C.D>	Specifies the IP address and subnet mask for IPv4, or the IP address and prefix for IPv6, that can access the system through the specified access service. The switch supports access-policies over IPv4 and IPv6 with no difference in functionality or configuration.
precedence `<1-128>`	Specifies a precedence value for a policy, expressed as a number from 1–128. The precedence value determines which policy the system uses if multiple policies apply. Lower numbers take higher precedence. The default value is 10.
snmp-group `WORD<1–32>` <snmpv1\|snmpv2c\|usm>	Adds an SNMP version 3 group under the access policy. `WORD<1–32>` is the SNMP version 3 group name consisting of 1–32 characters. <snmpv1\|snmpv2c\|usm> is the security model; either snmpv1, snmpv2c, or usm.
snmpv3	Activates SNMP version 3 for the access policy.
ssh	Activates SSH for the access policy.
telnet	Activates Telnet for the access policy. Use the no operator to remove this configuration.
tftp	Activates the Trivial File Transfer Protocol (TFTP) for this access policy.