Create an Access Policy

About this task

Create an access policy to control access to the switch. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SNMP, HTTP, SSH, and rlogin.

Note

Rlogin is only supported on VSP 8600 Series.

You can allow network stations to access the switch or forbid network stations to access the switch. For each service, you can also specify the level of access, such as read-only or read-write-all.

HTTP and HTTPS support IPv4 and IPv6 addresses.

If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information.

Important

EDM does not provide SNMPv3 support for an access policy. If you modify an access policy with EDM, SNMPV3 is disabled.

Procedure

In the navigation pane, expand Configuration > Security > Control Path.
Select Access Policies.
Select the Access Policies tab.
Select Insert.
In ID, type the policy ID.
In Name, type the policy name.
Select PolicyEnable.
Select the Mode option to allow or deny a service.
From the Service options, select a service.
In Precedence, type a precedence number for the service (lower numbers mean higher precedence).
Select the NetInetAddrType.
In NetInetAddress, type an IP address.
In NetInetAddrPrefixLen, type the prefix length.
In TrustedHostInet Address, type an IP address for the trusted host.
In TrustedHostUserName, type a user name for the trusted host.
Select an AccessLevel for the service.
Select AccessStrict, if required.

Important

If you select AccessStrict, you specify that a user must use an access level identical to the one you select.
Select Insert.

Access Policies Field Descriptions

Use the data in the following table to use the Access Policies tab.


Name	Description
Id	Specifies the policy ID.
Name	Specifies the name of the policy.
PolicyEnable	Activates the access policy. The default is enabled.
Mode	Indicates whether a packet with a source IP address matching this entry is permitted to enter the device or is denied access. The default is allow. If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information.
Service	Indicates the protocol to which this entry applies. The default is no service enabled.
Precedence	Indicates the precedence of the policy expressed in a range from 1–128. The lower the number, the higher the precedence. The default is 10.
NetInetAddrType	Indicates the source network Internet address type as one of the following. any IPv4 IPv6 IPv4 is expressed in the format a.b.c.d. Express IPv6 in the format x:x:x:x:x:x:x:x.
NetInetAddress	Indicates the source network Inet address (prefix/network). If the address type is IPv4, you must enter an IPv4 address and its mask length.You do not need to provide this information if you select the NetInetAddrType of any. If the type is IPv6, you must enter an IPv6 address. You do not need to provide this information if you select the NetInetAddrType of any.
NetInetAddrPrefixLen	Indicates the source network Inet address prefix-length/mask. If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length. You do not need to provide this information if you select the NetInetAddrType of any.
TrustedHostInetAddr Note: Exception: rlogin and rsh are only supported on VSP 8600 Series.	Indicates the trusted Inet address of a host performing a remote login to the device. You do not need to provide this information if you select the NetInetAddrType of any. TrustedHostInetAddr applies only to rlogin and rsh. Important: You cannot use wildcard entries in the TrustedHostInetAddr field. If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length.
TrustedHostUserName Note: Exception: rlogin and rsh are only supported on VSP 8600 Series.	Specifies the user name assigned to the trusted host. The trusted host name applies only to rlogin and rsh. Ensure that the trusted host user name is the same as your network logon user name; do not use the switch user name, for example, rwa. Important: You cannot use wildcard entries. The user must already be logged in with the user name to be assigned to the trusted host. For example, using "rlogin -l newusername xx.xx.xx.xx" does not work from a UNIX workstation.
AccessLevel	Specifies the access level of the trusted host as one of the following: readOnly readWrite readWriteAll The default is readOnly.
Usage	Counts the number of times this access policy applies.
AccessStrict	Activates or disables strict access criteria for remote users. If selected, a user must use an access level identical to the one you selected in the dialog box to use this service. selected: remote login users can use only the currently configured access level cleared: remote users can use all access levels Note: If Mode is configured as allow the system checks AccessStrict information. If Mode is configured as deny, the system does not check AccessStrict information. Important: If you do not select true or false, user access is governed by criteria specified in the policy table. For example, a user with an rw access level specified for a policy ID in the policy table is allowed rw access, and ro is denied access. The default is false (cleared).