Create an Access Policy

About this task

Create an access policy to control access to the switch. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SNMP, HTTP, and SSH.

You can allow network stations to access the switch or forbid network stations to access the switch. For each service, you can also specify the level of access, such as read-only or read-write-all.

HTTP and HTTPS support IPv4 and IPv6 addresses.

If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information.

Important

EDM does not provide SNMPv3 support for an access policy. If you modify an access policy with EDM, SNMPv3 is disabled.

Procedure

  1. In the navigation pane, expand Configuration > Security > Control Path.
  2. Select Access Policies.
  3. Select the Access Policies tab.
  4. Select Insert.
  5. In ID, type the policy ID.
  6. In Name, type the policy name.
  7. Select PolicyEnable.
  8. Select the Mode option to allow or deny a service.
  9. From the Service options, select a service.
  10. In Precedence, type a precedence number for the service (lower numbers mean higher precedence).
  11. Select the NetInetAddrType.
  12. In NetInetAddress, type an IP address.
  13. In NetInetAddrPrefixLen, type the prefix length.
  14. Select an AccessLevel for the service.
  15. Select AccessStrict, if required.
    Important

    If you select AccessStrict, you specify that a user must use an access level identical to the one you select.

  16. Select Insert.

Access Policies Field Descriptions

Use the data in the following table to use the Access Policies tab.

Name

Description

Id

Specifies the policy ID.

Name

Specifies the name of the policy.

PolicyEnable

Activates the access policy. The default is enabled.

Mode

Indicates whether a packet with a source IP address matching this entry is permitted to enter the device or is denied access. The default is allow.

If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information.

Service

Indicates the protocol to which this entry applies. The default is no service enabled.

Precedence

Indicates the precedence of the policy expressed in a range from 1–128. The lower the number, the higher the precedence. The default is 10.

NetInetAddrType

Indicates the source network Internet address type as one of the following.

  • any

  • IPv4

  • IPv6

IPv4 is expressed in the format a.b.c.d. Express IPv6 in the format x:x:x:x:x:x:x:x.

NetInetAddress

Indicates the source network Inet address (prefix/network). If the address type is IPv4, you must enter an IPv4 address and its mask length. If the type is IPv6, you must enter an IPv6 address. You do not need to provide this information if you select the NetInetAddrType of any.

NetInetAddrPrefixLen

Indicates the source network Inet address prefix-length/mask. If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length. You do not need to provide this information if you select the NetInetAddrType of any.

TrustedHostInetAddress

Indicates the trusted address of a host performing a login to the device. You do not need to provide this information if you select the NetInetAddrType of any.

If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length.

Note:

Exception: rlogin and rsh are only supported on VSP 8600 Series.

Important:

You cannot use wildcard entries in TrustedHostInetAddress.

AccessLevel

Specifies the access level of the trusted host as one of the following:

  • readOnly

  • readWrite

  • readWriteAll

The default is readOnly.

Usage

Counts the number of times this access policy applies.

AccessStrict

Activates or disables strict access criteria for remote users.

If selected, a user must use an access level identical to the one you selected in the dialog box to use this service.

  • selected (true): The system accepts only the currently configured access level.

  • cleared (false): The system accepts access up to the configured level.

Note:

If you configure Mode to allow, the system checks AccessStrict information. If you configure Mode to deny, the system does not check AccessStrict information.

Important:

If you do not select true or false, user access is governed by criteria specified in the policy table. For example, a user with an rw access level specified for a policy ID in the policy table is granted rw access, and ro is denied access.

The default is false (cleared).
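The evaluation rules described on this page (Mode, Service, Precedence, NetInetAddress prefix matching, AccessLevel and AccessStrict) modelled as an added Python example; this is not the switch's own code. It assumes that policies are consulted in precedence order, that the first matching policy decides, and that a login with no matching policy is refused; the policy set and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Ordering used for the non-strict "up to the configured level" rule.
LEVELS = {"readOnly": 1, "readWrite": 2, "readWriteAll": 3}


@dataclass
class AccessPolicy:
    policy_id: int
    mode: str                  # "allow" or "deny"
    services: Set[str]         # e.g. {"ssh", "telnet"}
    precedence: int            # 1-128; lower number is consulted first
    network: Optional[str]     # "10.1.0.0/16"; None models NetInetAddrType any
    access_level: str = "readOnly"
    access_strict: bool = False
    enabled: bool = True       # PolicyEnable


def matches(policy: AccessPolicy, service: str, source_ip: str) -> bool:
    """A policy applies when it is enabled, covers the service and the source prefix."""
    if not policy.enabled or service not in policy.services:
        return False
    if policy.network is None:
        return True
    # ipaddress returns False for a version mismatch (IPv6 host vs IPv4 prefix).
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(policy.network)


def evaluate(policies, service: str, source_ip: str, requested_level: str) -> Tuple[str, Optional[int]]:
    """Return (decision, policy_id) for a login attempt.
    Mode deny: deny as soon as mode and service match, AccessLevel/AccessStrict ignored.
    Mode allow: strict requires an identical level; otherwise any level up to the configured one."""
    for p in sorted(policies, key=lambda pol: pol.precedence):
        if not matches(p, service, source_ip):
            continue
        if p.mode == "deny":
            return ("deny", p.policy_id)
        if p.access_strict:
            ok = requested_level == p.access_level
        else:
            ok = LEVELS[requested_level] <= LEVELS[p.access_level]
        return ("allow" if ok else "deny", p.policy_id)
    return ("deny", None)  # assumption: no matching policy means no access


def sample_policies():
    """Constructed sample: block Telnet everywhere, SSH readWrite from an IPv4 prefix,
    SSH readWriteAll (strict) from an IPv6 prefix."""
    return [
        AccessPolicy(1, "deny", {"telnet"}, 5, None),
        AccessPolicy(2, "allow", {"ssh"}, 10, "10.1.0.0/16", "readWrite", False),
        AccessPolicy(3, "allow", {"ssh"}, 20, "2001:db8::/32", "readWriteAll", True),
    ]
```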