2. Management Access Control
• For security reasons, only a selected, predefined group of users
should be allowed to perform system management.
• Rules act as filters for determining device management
access based on:
– Type of management application
– Interface type and selection
– Source IP address and network mask
• Users can be denied or permitted management access.
• This way network managers can control who is allowed to
manage the networking devices.
5. Management Access Control List (MACL)
• Management Access Control Lists (MACL) contain rules
which determine device access via:
– Console (ASCII terminal)
– Telnet (CLI over Telnet)
– SSH (CLI over Secure Shell)
– EWS (http or https using SSL).
– SNMP
• MACL can limit access to users identified by:
– Ingress interface (Ethernet, port channel or VLAN)
– Source IP address
– Source IP subnet (using a mask)
6. MACL – User Control
• Management access can be set separately for each type of
management
(the set of users allowed Telnet access may differ from the set allowed EWS access, etc.)
• The max number of MACL rules is 256 (all criteria)
• A specific management access method may be completely disabled by
denying all user access to that Management type
• By default, all management access to the system is enabled over all
interfaces.
• A specific command exists to enable only Console management
• Management access via the system serial console is always enabled
8. CLI - Management Access Control List (MACL)
• Use the following Global Configuration Mode command to define
an access-list for a management access control list (MACL) and
enter the access-list context for configuration.
Use the “no” form of the command to remove an MACL:
management access-list name
no management access-list name
9. CLI – MACL rules (permit)
• Use the following MACL Configuration mode command(s) to define
an MACL rule – permitting a management service:
permit [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
permit ip-source ip-address [mask mask | prefix-length] [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
10. CLI – MACL rules (permit)
Notes:
1) If no service is defined in the rule – it applies to all services
2) If no interface is defined – rule applies to all interfaces
3) Use “permit” without any parameters to permit all access
4) Default rule (if no match is found) – is to deny access
11. CLI – MACL rules (deny)
• Use the following MACL Configuration mode command(s) to define an
MACL rule – denying a management service:
deny [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
deny ip-source ip-address [mask mask | prefix-length] [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
12. CLI – Management Access Class
• Use the following Global Configuration Mode command to
define which access-list is active for management
connections.
Use the “no” form of the command to disable the MACL:
management access-class {console-only | name}
no management access-class
Note:
Only one access-class can be defined on a device. Defining an
additional class replaces the first.
13. CLI Example – MACL
• Defining and applying an MACL (Secure):
– Denying telnet access from port 1/e10
– Denying http from vlan 2 and ip-source 10.1.1.1/32
– Permitting all other accesses
– Applying the MACL to the device
console(config)# management access-list Secure
console(config-macl)# deny ethernet 1/e10 service telnet
console(config-macl)# deny ip-source 10.1.1.1 mask /32 vlan 2 service http
console(config-macl)# permit
console(config-macl)# exit
console(config)# management access-class Secure
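To make the matching semantics of the notes on slide 10 and of this example concrete, here is a small model of MACL evaluation. It is an added example, not code from the slide deck or from the device vendor. It assumes rules are evaluated top to bottom with the first matching rule deciding (the deck does not state the ordering explicitly), that a source without a mask is a host match, and that "deny" with no parameters denies everything, which is how the console-only list is displayed on slide 15. The rule lines, service names and sample connections are constructed for the demonstration.

```python
"""Model of management ACL (MACL) rule evaluation (added example, not vendor code).

Assumptions (not stated by the slides): first matching rule wins; an ip-source
with no mask matches a single host; implicit deny when no rule matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                                      # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network] = None   # None = any source address
    interface: Optional[str] = None                  # e.g. "ethernet 1/e10"; None = any
    service: Optional[str] = None                    # e.g. "telnet"; None = all services

    def matches(self, src_ip: str, interface: str, service: str) -> bool:
        """A rule matches when every criterion it names is satisfied."""
        if self.source is not None and ipaddress.ip_address(src_ip) not in self.source:
            return False
        if self.interface is not None and self.interface != interface:
            return False
        if self.service is not None and self.service != service:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one permit/deny line in the slide-deck syntax into a Rule."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {line!r}")
    rule = Rule(action=action)
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "ip-source":
            addr = tokens[i + 1]
            prefix = "32"                       # bare address = host match (assumption)
            i += 2
            if i < len(tokens) and tokens[i] == "mask":   # "mask /32" or "mask 255.255.255.0"
                prefix = tokens[i + 1].lstrip("/")
                i += 2
            elif i < len(tokens) and tokens[i].startswith("/"):  # bare prefix-length
                prefix = tokens[i][1:]
                i += 1
            rule.source = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        elif tok in ("ethernet", "vlan", "port-channel"):
            rule.interface = f"{tok} {tokens[i + 1]}"
            i += 2
        elif tok == "service":
            rule.service = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unknown keyword {tok!r} in {line!r}")
    return rule


class MACL:
    """An ordered list of rules; first match decides, otherwise implicit deny."""

    def __init__(self, name: str, lines: list[str]):
        self.name = name
        self.rules = [parse_rule(line) for line in lines]

    def decide(self, src_ip: str, interface: str, service: str) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, interface, service):
                return rule.action
        return "deny"   # default rule from slide 10: no match means deny


# The "Secure" list from the CLI example above, as typed into the device.
SECURE = MACL("Secure", [
    "deny ethernet 1/e10 service telnet",
    "deny ip-source 10.1.1.1 mask /32 vlan 2 service http",
    "permit",
])
# Same rules with the bare "permit" moved first: the denies become unreachable.
MISORDERED = MACL("Misordered", ["permit"] + [
    "deny ethernet 1/e10 service telnet",
    "deny ip-source 10.1.1.1 mask /32 vlan 2 service http",
])
# The built-in console-only list as displayed on slide 15: deny everything.
CONSOLE_ONLY = MACL("console-only", ["deny"])


def demo() -> dict:
    """Evaluate constructed management connections against the three lists."""
    return {
        "secure_telnet_e10": SECURE.decide("192.0.2.5", "ethernet 1/e10", "telnet"),
        "secure_ssh_e10": SECURE.decide("192.0.2.5", "ethernet 1/e10", "ssh"),
        "secure_http_host_vlan2": SECURE.decide("10.1.1.1", "vlan 2", "http"),
        "secure_http_otherhost_vlan2": SECURE.decide("10.1.1.2", "vlan 2", "http"),
        "secure_http_host_vlan3": SECURE.decide("10.1.1.1", "vlan 3", "http"),
        "misordered_telnet_e10": MISORDERED.decide("192.0.2.5", "ethernet 1/e10", "telnet"),
        "console_only_ssh": CONSOLE_ONLY.decide("10.1.1.1", "vlan 2", "ssh"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The MISORDERED list shows why the example puts its deny rules before the catch-all permit: with first-match evaluation, a bare permit at the top makes every later deny dead. Note also that the vlan 2 deny only applies to the one host on that interface; the same host arriving via vlan 3 falls through to the permit.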
14. CLI - Show Management Access
• Use the following EXEC mode command to display
Management access lists:
show management access-list [name]
• Use the following EXEC Mode command to display
information about the active management access-class:
show management access-class
15. CLI Example - Show MACL
console # show management access-class
Management access-class is enabled, using access-list Secure
console # show management access-list
Secure
-----------
deny ethernet 1/e10 service telnet
deny ip-source 10.1.1.1 vlan 2 service http
permit
! (Note: all other access implicitly denied)
console-only
------------
deny
! (Note: all other access implicitly denied)