Create an Access Policy
About this task
Create an access policy to control access to the switch. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SNMP, HTTP, and SSH.
You can allow or forbid network stations to access the switch. For each service, you can also specify the level of access, such as read-only or read-write-all.
HTTP and HTTPS support IPv4 and IPv6 addresses.
If you configure the access policy mode to deny, the system checks the mode and service, and if they match, the system denies the connection. With the access policy mode configured to deny, the system does not check the AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information.
Important
EDM does not provide SNMPv3 support for an access policy. If you modify an access policy with EDM, SNMPv3 is disabled.
Procedure
Access Policies Field Descriptions
Use the data in the following table to use the Access Policies tab.
Name | Description |
---|---|
Id | Specifies the policy ID. |
Name | Specifies the name of the policy. |
PolicyEnable | Activates the access policy. The default is enabled. |
Mode | Indicates whether a packet with a source IP address matching this entry is permitted to enter the device or is denied access. The default is allow. If you configure the access policy mode to deny, the system checks the mode and service, and if they match, the system denies the connection. With the access policy mode configured to deny, the system does not check the AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information. |
Service | Indicates the protocol to which this entry applies. The default is no service enabled. |
Precedence | Indicates the precedence of the policy, expressed in a range from 1–128. The lower the number, the higher the precedence. The default is 10. |
NetInetAddrType | Indicates the source network Internet address type as one of the following. IPv4 is expressed in the format a.b.c.d. Express IPv6 in the format x:x:x:x:x:x:x:x. |
NetInetAddress | Indicates the source network Inet address (prefix/network). If the address type is IPv4, you must enter an IPv4 address and its mask length. If the type is IPv6, you must enter an IPv6 address. You do not need to provide this information if you select the NetInetAddrType of any. |
NetInetAddrPrefixLen | Indicates the source network Inet address prefix-length/mask. If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length. You do not need to provide this information if you select the NetInetAddrType of any. |
TrustedHostInetAddress | Indicates the trusted address of a host performing a login to the device. You do not need to provide this information if you select the NetInetAddrType of any. Important: You cannot use wildcard entries in TrustedHostInetAddress. If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length. Note (exception): rlogin and rsh are only supported on VSP 8600 Series. |
AccessLevel | Specifies the access level of the trusted host as one of the following: The default is readOnly. |
Usage | Counts the number of times this access policy applies. |
AccessStrict | Activates or disables strict access criteria for remote users. If selected, a user must use an access level identical to the one you selected in the dialog box to use this service. Note: If you configure Mode to allow, the system checks the AccessStrict information. If you configure Mode to deny, the system does not check the AccessStrict information. Important: If you do not select true or false, user access is governed by criteria specified in the policy table. For example, a user with an rw access level specified for a policy ID in the policy table is granted rw access, and ro is denied access. The default is false (cleared). |
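As an added example, not code from the switch or from EDM, the following Python models how the fields in this table combine when a connection attempt is evaluated, following the rules given under About this task and in the Mode, Precedence, AccessLevel and AccessStrict rows. The class and function names, the ro < rw < rwa privilege ordering, the first-match-in-precedence-order rule and the deny result when no entry matches are assumptions; the sample policy table is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the Access Policies fields (not the switch's own code).
# Assumed privilege ordering ro < rw < rwa, taken from the AccessStrict example.
LEVELS = {"ro": 0, "rw": 1, "rwa": 2}

@dataclass
class AccessPolicy:
    policy_id: int
    enabled: bool = True        # PolicyEnable
    mode: str = "allow"         # Mode: "allow" or "deny"
    services: tuple = ()        # Service; default is no service enabled
    precedence: int = 10        # Precedence 1-128, lower number wins
    net: Optional[str] = None   # NetInetAddress/prefix length; None = NetInetAddrType any
    access_level: str = "ro"    # AccessLevel, default readOnly
    access_strict: bool = False # AccessStrict

    def matches(self, src_ip: str, service: str) -> bool:
        if not self.enabled or service not in self.services:
            return False
        if self.net is None:
            return True  # NetInetAddrType any: no address check
        # Works for IPv4 and IPv6; an address/network version mismatch is simply no match
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.net, strict=False)

def evaluate(policies, src_ip: str, service: str, user_level: str) -> str:
    """'allow' or 'deny' for one connection attempt. Assumed: entries are tried in
    precedence order (1 = highest), the first match decides, no match means deny."""
    for p in sorted(policies, key=lambda p: p.precedence):
        if not 1 <= p.precedence <= 128:
            raise ValueError(f"policy {p.policy_id}: precedence must be 1-128")
        if not p.matches(src_ip, service):
            continue
        if p.mode == "deny":
            return "deny"  # mode and service match: AccessLevel/AccessStrict are not checked
        if p.access_strict:
            return "allow" if user_level == p.access_level else "deny"
        # Non-strict: policy level is a floor (an rw policy admits rw and rwa, denies ro)
        return "allow" if LEVELS[user_level] >= LEVELS[p.access_level] else "deny"
    return "deny"

# Constructed sample policy table for the demonstration.
SAMPLE_POLICIES = [
    AccessPolicy(1, mode="deny", services=("telnet",), precedence=1),
    AccessPolicy(2, services=("ssh",), precedence=5, net="10.0.0.0/24", access_level="rw"),
    AccessPolicy(3, services=("ssh",), precedence=20, net="2001:db8::/32",
                 access_level="rwa", access_strict=True),
]
```

The deny entry for Telnet shows that a deny-mode match ends evaluation without looking at the user's level, while the two SSH entries contrast a non-strict floor with a strict exact-level check.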