restrict-access

Restricts management access to a set of hosts or subnets

Restricting remote access to a controller or service platform ensures only trusted hosts can communicate with enabled management services. This limits management tasks to trusted hosts and provides protection from brute-force attacks by hosts attempting to break into the controller or service platform managed network.

Administrators can permit management connections to be established on any IP interface on the controller or service platform (including IP interfaces used to provide captive portal guest access). Administrators can restrict management access by limiting access to a specific host (IP address), subnet, or ACL on the controller or service platform.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

restrict-access [host|ip-access-list|subnet]
restrict-access host <IP> {log|subnet}
restrict-access host <IP> {log [all|denied-only]}
restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}
restrict-access ip-access-list <IP-ACCESS-LIST-NAME>
restrict-access subnet <IP/M> {host|log}
restrict-access subnet <IP/M> {log [all|denied-only]}
restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}

Parameters

restrict-access host <IP> {log [all|denied-only]}

host <IP>

Restricts management access to a specified host. Filters access requests based on the host's IP address.

  • <IP> – Specify the host's IPv4 address.

log [all|denied-only]

Optional. Configures a logging policy for access requests.

  • all – Logs all access requests, both denied and permitted

  • denied-only – Logs only denied access (when an access request is received from a host denied access, a record is logged)

restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}

host <IP>

Restricts management access to a specified host. Filters access requests based on the host's IP address.

  • <IP> – Specify the host's IPv4 address.

subnet <IP/M>

Optional. Restricts access to a specified subnet in addition to the host.

  • <IP/M> – Sets the subnet in the A.B.C.D/M format

log [all|denied-only]

Optional. Configures a logging policy for access requests. Sets the log type generated for access requests

  • all – Logs all access requests, both denied and permitted

  • denied-only – Logs only denied access (when an access request is received from a host denied access, a record is logged)

restrict-access ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list

Uses an IPv4 access list to filter access requests

IPv4 ACLs filter/mark packets based on the IPv4 address from which they arrive. IP and non-IP traffic on the same layer 2 interface can be filtered by applying an IPv4 ACL. Each IPv4 ACL contains a set of deny and/or permit rules. Each rule is specific to a source and destination IPv4 address and carries the precedence assigned to it. When network traffic matches the criteria specified in one of these rules, the action defined in that rule determines whether the traffic is allowed or denied.

<IP-ACCESS-LIST-NAME>

Specify the IPv4 ACL name.

restrict-access subnet <IP/M> {log [all|denied-only]}

subnet <IP/M>

Restricts management access to a specified subnet

  • <IP/M> – Specify the subnet in the A.B.C.D/M format

log [all|denied-only]

Optional. Configures a logging policy for access requests. Sets the log type generated for access requests

  • all – Logs all access requests, both denied and permitted

  • denied-only – Logs only denied access events (when an access request received from a host within the specified subnet is denied, a record is logged)

restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}

subnet <IP/M>

Restricts management access to a specified subnet

  • <IP/M> – Specify the subnet in the A.B.C.D/M format

host <IP>

Uses the host IP address as a second filter.

  • <IP> – Specify the host's IPv4 address.

log [all|denied-only]

Optional. Configures a logging policy for access requests. Sets the log type generated for access requests

  • all – Logs all access requests, both denied and permitted

  • denied-only – Logs only denied access events (when an access request received from a host within the specified subnet is denied, a record is logged)

Examples

rfs4000-6DB5D4(config-management-policy-test)#restrict-access host 172.16.10.4 log denied-only
rfs4000-6DB5D4(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 626b4033263d6d2ae4e79c48cdfcccb60fd4c77a8da9e365060597a6d6570ec2 rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.4 log denied-only
rfs4000-6DB5D4(config-management-policy-test)#
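The following is an added Python checker, not part of this reference or of the WiNG software, that reads the restrict-access line out of a management-policy block like the one shown above and evaluates candidate source addresses against it, reporting what the configured log policy (all or denied-only) would record. It assumes a host filter and a subnet filter combined on one line are alternatives (a match on either permits the request); the sample block, the ip-access-list handling and the log record text are constructed for the example.

```python
import ipaddress
import re

# Constructed management-policy block modelled on the 'show context' output
# above; it is not captured from a real device.
SAMPLE_CONTEXT = """\
management-policy test
 no http server
 https server
 no ssh
 restrict-access host 172.16.10.4 subnet 172.16.20.0/24 log denied-only
"""

def parse_restrict_access(context):
    """Return (allowed_networks, log_policy) from a management-policy block.
    An empty allowed_networks list means no restrict-access line is present,
    so management services answer requests from any source address."""
    allowed, log_policy = [], None
    for line in context.splitlines():
        m = re.match(r"\s*restrict-access\s+(.*)", line)
        if not m:
            continue
        tokens = m.group(1).split()
        if tokens and tokens[0] == "ip-access-list":
            raise ValueError("ACL-based restriction needs the named ACL's rules")
        i = 0
        while i + 1 < len(tokens):
            key, value = tokens[i], tokens[i + 1]
            if key == "host":
                allowed.append(ipaddress.ip_network(value + "/32"))
            elif key == "subnet":
                allowed.append(ipaddress.ip_network(value, strict=False))
            elif key == "log":
                log_policy = value
            i += 2
    return allowed, log_policy

def evaluate(source_ip, allowed, log_policy):
    """Decide whether a management request from source_ip is permitted and
    what the logging policy would record (None when nothing is logged).
    Assumption: a host filter and a subnet filter combined on one line are
    alternatives, so a match on either permits the request."""
    addr = ipaddress.ip_address(source_ip)
    permitted = not allowed or any(addr in net for net in allowed)
    record = None  # constructed record format, not the device's syslog text
    if log_policy == "all" or (log_policy == "denied-only" and not permitted):
        record = f"restrict-access {'permitted' if permitted else 'denied'} {source_ip}"
    return permitted, record
```

Run it over exported management-policy blocks to flag policies that have no restrict-access line at all, since those answer management requests from any address.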

Related Commands

no

Removes device access restrictions