restrict-access
Restricts management access to a set of hosts or subnets
Restricting remote access to a controller or service platform ensures only trusted hosts can communicate with enabled management services. This ensures only trusted hosts can perform management tasks and provide protection from brute force attacks from hosts attempting to break into the controller or service platform managed network.
Administrators can permit management connections to be established on any IP interface on the controller or service platform (including IP interfaces used to provide captive portal guest access). Administrators can restrict management access by limiting access to a specific host (IP address), subnet, or ACL on the controller or service platform.
Supported in the following platforms:
- Access Points — AP310i/e, AP410i/e, AP460i/e, AP560i/h,
AP510i/e, AP505i, AP7522, AP7532, AP7562, AP7612, AP7632, AP7662, AP8432, AP8533
- Service Platforms
— NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
restrict-access [host|ip-access-list|subnet]
restrict-access host <IP> {log|subnet}
restrict-access host <IP> {log [all|denied-only]}
restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}
restrict-access ip-access-list <IP-ACCESS-LIST-NAME>
restrict-access subnet <IP/M> {host|log}
restrict-access subnet <IP/M> {log [all|denied-only]}
restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}
Parameters
restrict-access host <IP> {log [all|denied-only]}
host <IP> |
Restricts management access to a specified host. Filters access requests
based on a host's IP address
- <IP> – Specify
the host's IPv4 address.
|
log [all|denied-only] |
Optional. Configures a logging policy for access requests.
- all – Logs all access
requests, both denied and permitted
- denied-only – Logs
only denied access (when an access request is received from a host
denied access, a record is logged)
|
restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}
host <IP> |
Restricts management access to a specified host. Filters access requests
based on a host's IP address
- <IP> – Specify
the host's IPv4 address.
|
subnet <IP/M> |
Optional. Restricts access on a specified subnet
- <IP/M> – Sets
the subnet in the A.B.C.D/M format
|
log [all|denied-only] |
Optional. Configures a logging policy for access requests. Sets the log
type generated for access requests
- all – Logs all access
requests, both denied and permitted
- denied-only – Logs
only denied access (when an access request is received from a host
denied access, a record is logged)
|
restrict-access ip-access-list <IP-ACCESS-LIST-NAME>
ip-access-list |
Uses an IPv4 access list to filter access requests IPv4 ACLs
filter/mark packets based on the IPv4 address from which they arrive. IP
and non-IP traffic, on the same layer 2 interface, can be filtered by
applying an IPv4 ACL. Each IPv4 ACL contains a set of deny and/or permit
rules. Each rule is specific to source and destination IPv4 addresses and
the unique rules and precedence definitions assigned. When the network
traffic matches the criteria specified in one of these rules, the action
defined in that rule is used to determine whether the traffic is allowed
or denied.
|
<IP-ACCESS-LIST- NAME> |
Specify the IPv4 ACL name. |
restrict-access subnet <IP/M> {<IP/M>|log [all|denied-only]}
subnet <IP/M> |
Restricts management access to a specified subnet
- <IP/M> – Specify
the subnet in the A.B.C.D/M format
|
log [all|denied-only] |
Optional. Configures a logging policy for access requests. Sets the log
type generated for access requests
- all – Logs all access
requests, both denied and permitted
- denied-only – Logs
only denied access events (when access request received from a host
within the specified subnet is denied)
|
restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}
subnet <IP/M> |
Restricts management access to a specified subnet
- <IP/M> – Specify
the subnet in the A.B.C.D/M format
|
host <IP> |
Uses the host IP address as a second filter
- <IP> – Specify
the host's IPv4 address.
|
log [all|denied-only] |
Optional. Configures a logging policy for access requests. Sets the log
type generated for access requests
- all – Logs all access
requests, both denied and permitted
- denied-only – Logs
only denied access events (when access request received from a host
within the specified subnet is denied)
|
Examples
nx9500-6C8809(config-management-policy-test)#restrict-access host 172.16.10.4 log denied-only
nx9500-6C8809(config-management-policy-test)#show context
management-policy test
no http server
https server
ftp username superuser password 1 626b4033263d6d2ae4e79c48cdfcccb60fd4c77a8da9e365060597a6d6570ec2 rootdir dir
no ssh
aaa-login radius external
aaa-login radius policy test
idle-session-timeout 0
restrict-access host 172.16.10.4 log denied-only
nx9500-6C8809(config-management-policy-test)#
Related Commands
no
|
Removes device access restrictions |