Create an Access Policy
About this task
Create an access policy to control access to the switch. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SNMP, HTTP, SSH, and rlogin.
Note
Rlogin is only supported on VSP 8600 Series.
You can allow network stations access the switch or forbid network stations to access the switch. For each service, you can also specify the level of access, such as read-only or read-write-all.
HTTP and HTTPS support IPv4 and IPv6 addresses.
Important
EDM does not provide SNMPv3 support for an access policy. If you modify an access policy with EDM, SNMPV3 is disabled.
Procedure
Access Policies Field Descriptions
Use the data in the following table to use the Access Policies tab.
Name |
Description |
---|---|
Id |
Specifies the policy ID. |
Name |
Specifies the name of the policy. |
PolicyEnable |
Activates the access policy. The default is enabled. |
Mode |
Indicates whether a packet with a source IP address matching this entry is permitted to enter the device or is denied access. The default is allow. If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information. |
Service |
Indicates the protocol to which this entry applies. The default is no service enabled. |
Precedence |
Indicates the precedence of the policy expressed in a range from 1–128. The lower the number, the higher the precedence. The default is 10. |
NetInetAddrType |
Indicates the source network Internet address type as one of the following.
IPv4 is expressed in the format a.b.c.d. Express IPv6 in the format x:x:x:x:x:x:x:x. |
NetInetAddress |
Indicates the source network Inet address (prefix/network). If the address type is IPv4, you must enter an IPv4 address and its mask length.You do not need to provide this information if you select the NetInetAddrType of any. If the type is IPv6, you must enter an IPv6 address. You do not need to provide this information if you select the NetInetAddrType of any. |
NetInetAddrPrefixLen |
Indicates the source network Inet address prefix-length/mask. If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length. You do not need to provide this information if you select the NetInetAddrType of any. |
TrustedHostInetAddr Note:
Exception: rlogin and rsh are only supported on VSP 8600 Series. |
Indicates the trusted Inet address of a host performing a remote login to the device. You do not need to provide this information if you select the NetInetAddrType of any. TrustedHostInetAddr applies only to rlogin and rsh. Important:
You cannot use wildcard entries in the TrustedHostInetAddr field. If the type is IPv4, you must enter an IPv4 address and mask length. If the type is IPv6, you must enter an IPv6 address and prefix length. |
TrustedHostUserName Note:
Exception: rlogin and rsh are only supported on VSP 8600 Series. |
Specifies the user name assigned to the trusted host. The trusted host name applies only to rlogin and rsh. Ensure that the trusted host user name is the same as your network logon user name; do not use the switch user name, for example, rwa. Important:
You cannot use wildcard entries. The user must already be logged in with the user name to be assigned to the trusted host. For example, using "rlogin -l newusername xx.xx.xx.xx" does not work from a UNIX workstation. |
AccessLevel |
Specifies the access level of the trusted host as one of the following:
The default is readOnly. |
Usage |
Counts the number of times this access policy applies. |
AccessStrict |
Activates or disables strict access criteria for remote users. If selected, a user must use an access level identical to the one you selected in the dialog box to use this service.
Note:
If Mode is configured as allow the system checks AccessStrict information. If Mode is configured as deny, the system does not check AccessStrict information. Important:
If you do not select true or false, user access is governed by criteria specified in the policy table. For example, a user with an rw access level specified for a policy ID in the policy table is allowed rw access, and ro is denied access. The default is false (cleared). |