Create an Access Policy

About this task

Create an access policy to control access to the switch. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SNMP, HTTP, SSH, and rlogin.

Note

Note

Rlogin is only supported on VSP 8600 Series.

You can allow network stations access the switch or forbid network stations to access the switch. For each service, you can also specify the level of access, such as read-only or read-write-all.

HTTP and HTTPS support IPv4 and IPv6 addresses.

Important

Important

EDM does not provide SNMPv3 support for an access policy. If you modify an access policy with EDM, SNMPV3 is disabled.

Procedure

  1. In the navigation pane, expand Configuration > Security > Control Path.
  2. Select Access Policies.
  3. Select the Access Policies tab.
  4. Select Insert.
  5. In ID, type the policy ID.
  6. In Name, type the policy name.
  7. Select PolicyEnable.
  8. Select the Mode option to allow or deny a service.

    If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information.

  9. From the Service options, select a service.
  10. In Precedence, type a precedence number for the service (lower numbers mean higher precedence).
  11. Select the NetInetAddrType.
  12. In NetInetAddress, type an IP address.
  13. In NetInetAddrPrefixLen, type the prefix length.
  14. In TrustedHostInet Address, type an IP address for the trusted host.
  15. In TrustedHostUserName, type a user name for the trusted host.
  16. Select an AccessLevel for the service.
  17. Select AccessStrict, if required.
    Important

    Important

    If you select AccessStrict, you specify that a user must use an access level identical to the one you select.

  18. Select Insert.

Access Policies Field Descriptions

Use the data in the following table to use the Access Policies tab.

Name

Description

Id

Specifies the policy ID.

Name

Specifies the name of the policy.

PolicyEnable

Activates the access policy. The default is enabled.

Mode

Indicates whether a packet with a source IP address matching this entry is permitted to enter the device or is denied access. The default is allow.

If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information.

Service

Indicates the protocol to which this entry applies. The default is no service enabled.

Precedence

Indicates the precedence of the policy expressed in a range from 1–128. The lower the number, the higher the precedence. The default is 10.

NetInetAddrType

Indicates the source network Internet address type as one of the following.

  • any

  • IPv4

  • IPv6

IPv4 is expressed in the format a.b.c.d. Express IPv6 in the format x:x:x:x:x:x:x:x.

NetInetAddress

Indicates the source network Inet address (prefix/network). If the address type is IPv4, you must enter an IPv4 address and its mask length.You do not need to provide this information if you select the NetInetAddrType of any. If the type is IPv6, you must enter an IPv6 address. You do not need to provide this information if you select the NetInetAddrType of any.

NetInetAddrPrefixLen

Indicates the source network Inet address prefix-length/mask. If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length. You do not need to provide this information if you select the NetInetAddrType of any.

TrustedHostInetAddr

Note:

Exception: rlogin and rsh are only supported on VSP 8600 Series.

Indicates the trusted Inet address of a host performing a remote login to the device. You do not need to provide this information if you select the NetInetAddrType of any. TrustedHostInetAddr applies only to rlogin and rsh.

Important:

You cannot use wildcard entries in the TrustedHostInetAddr field.

If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length.

TrustedHostUserName

Note:

Exception: rlogin and rsh are only supported on VSP 8600 Series.

Specifies the user name assigned to the trusted host. The trusted host name applies only to rlogin and rsh. Ensure that the trusted host user name is the same as your network logon user name; do not use the switch user name, for example, rwa.

Important:

You cannot use wildcard entries. The user must already be logged in with the user name to be assigned to the trusted host. For example, using "rlogin -l newusername xx.xx.xx.xx" does not work from a UNIX workstation.

AccessLevel

Specifies the access level of the trusted host as one of the following:

  • readOnly

  • readWrite

  • readWriteAll

The default is readOnly.

Usage

Counts the number of times this access policy applies.

AccessStrict

Activates or disables strict access criteria for remote users.

If selected, a user must use an access level identical to the one you selected in the dialog box to use this service.

  • selected: remote login users can use only the currently configured access level

  • cleared: remote users can use all access levels

Note:

If Mode is configured as allow the system checks AccessStrict information. If Mode is configured as deny, the system does not check AccessStrict information.

Important:

If you do not select true or false, user access is governed by criteria specified in the policy table. For example, a user with an rw access level specified for a policy ID in the policy table is allowed rw access, and ro is denied access.

The default is false (cleared).