Configuration Guide  4. Management Access Lists 
Version 7.2  17  Security Setup 
4  Management Access Lists 
When an access list is created for management using the protocols SNMP, Telnet, SSH or 
CWMP, it is possible to use DNS names instead of IP or IPv6 addresses. The device resolves 
the name to an IP address and acts upon the ACL rules. If the DNS resolution fails within 
one second, the device denies this connection. 
4.1  Configuration Example 
This example shows how to use access lists to permit or deny DNS hostnames through a 
WAN interface. In the example, the Telnet connection configured in the access list has the 
hostname “telnet_mgmt” (Telnet management workstation). This host permits access to 
“mgmt_ws” (any management IP address of the device). 
configure data 
 access-list telnet_mgmt permit ip host mgmt_ws local log 
 access-list telnet_mgmt deny ip any any log 
 
Configure the ACL for the Telnet connection: 
configure system 
 cli-terminal 
 wan-telnet-allow on 
 set telnet-acl "telnet_mgmt" 
 activate 
 exit 
 
In the example below, the DNS name is resolved locally on the device by the following 
command: 
ip host mgmt_ws 10.1.1.44 3600 
 
In other environments, an external DNS server can be used. To configure an external DNS, 
use the following command: 
ip name-server <DNS Server IP address> 
 
To verify the ACL, run two Telnet commands, one from mgmt_ws and one from a different 
location. Then use the command show data access-lists. The counter should be 
incremented once for the mgmt_ws interface and once for the telnet_mgmt interface. 
# sh d access-lists 
Extended IP access list telnet_mgmt 
 telnet_mgmt  10 permit ip host mgmt_ws local log   (1 matches) 
 telnet_mgmt  20 deny ip any any log   (1 matches)
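
The verification step above can be scripted. The following Python is an added example, not part of the original guide or any vendor tooling: it parses two captures of the show data access-lists output, reports how far each rule's match counter moved, and checks that the list ends with the logged catch-all deny. The line format is assumed from the sample output above; the BEFORE capture and all function names are constructed for illustration.

```python
import re

# Rule line layout assumed from the guide's sample output:
#  <acl-name>  <seq> <permit|deny> <match text>   (<n> matches)
RULE_RE = re.compile(
    r"^\s*(?P<acl>\S+)\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<match>.*?)\s+\((?P<hits>\d+) match(?:es)?\)\s*$"
)

def parse_acl_output(text):
    """Return {acl_name: [rule dicts ordered by sequence number]}."""
    acls = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # prompt, "Extended IP access list" header or blank line
        rule = {"seq": int(m["seq"]), "action": m["action"],
                "match": m["match"], "hits": int(m["hits"])}
        acls.setdefault(m["acl"], []).append(rule)
    for rules in acls.values():
        rules.sort(key=lambda r: r["seq"])
    return acls

def hit_deltas(before, after, acl):
    """Per-rule counter increase between two captures of one ACL."""
    old = {r["seq"]: r["hits"] for r in parse_acl_output(before).get(acl, [])}
    return {r["seq"]: r["hits"] - old.get(r["seq"], 0)
            for r in parse_acl_output(after).get(acl, [])}

def ends_with_logged_deny(text, acl):
    """True if the last rule is the explicit 'deny ip any any log' catch-all."""
    rules = parse_acl_output(text).get(acl, [])
    return (bool(rules)
            and rules[-1]["action"] == "deny"
            and rules[-1]["match"].split() == ["ip", "any", "any", "log"])

# Constructed captures: BEFORE is hypothetical, AFTER mirrors the guide's output.
BEFORE = """Extended IP access list telnet_mgmt
 telnet_mgmt  10 permit ip host mgmt_ws local log   (0 matches)
 telnet_mgmt  20 deny ip any any log   (0 matches)
"""
AFTER = """Extended IP access list telnet_mgmt
 telnet_mgmt  10 permit ip host mgmt_ws local log   (1 matches)
 telnet_mgmt  20 deny ip any any log   (1 matches)
"""

if __name__ == "__main__":
    print(hit_deltas(BEFORE, AFTER, "telnet_mgmt"))
    print(ends_with_logged_deny(AFTER, "telnet_mgmt"))
```

A delta of 1 on sequence 10 and 1 on sequence 20 corresponds to the two test connections described above: one permitted from mgmt_ws and one denied from elsewhere.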