Dell Force10 MXL Blade - VTY MAC-SA Filter Support

Dell Force10 MXL Blade
690 pages
502 | Security
www.dell.com | support.dell.com
Figure 28-17. Example Access Class Configuration Using TACACS+ Without Prompt
FTOS(conf)#ip access-list standard deny10
FTOS(conf-ext-nacl)#permit 10.0.0.0/8
FTOS(conf-ext-nacl)#deny any
FTOS(conf)#
FTOS(conf)#aaa authentication login tacacsmethod tacacs+
FTOS(conf)#tacacs-server host 256.1.1.2 key FTOS
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(conf-line-vty)#login authentication tacacsmethod
FTOS(conf-line-vty)#
FTOS(conf-line-vty)#access-class deny10
FTOS(conf-line-vty)#end
(The same applies for RADIUS and line authentication.)

VTY MAC-SA Filter Support
FTOS supports MAC access lists, which permit or deny users based on their source MAC address. With this approach, you can implement a security policy based on the source MAC address.
To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs (Figure 28-18).
Figure 28-18 shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.

Figure 28-18. Example Access Class Configuration Using TACACS+ Without Prompt
FTOS(conf)#mac access-list standard sourcemac
FTOS(conf-std-mac)#permit 00:00:5e:00:01:01
FTOS(conf-std-mac)#deny any
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(conf-line-vty)#access-class sourcemac
FTOS(conf-line-vty)#end
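
As an added example (not from the Dell manual), this Python check reads a transcript of the commands shown above and reports VTY ranges that have no access-class, that reference an undefined ACL, or whose ACL does not end in deny any as both figures do. The sample session is constructed, and the function names and the rule that an ACL must end with an explicit deny any are assumptions of this example.

```python
import re

# Constructed sample: Figure 28-18's commands, with the VTY range split so 5-9 is unfiltered.
SAMPLE = """\
FTOS(conf)#mac access-list standard sourcemac
FTOS(conf-std-mac)#permit 00:00:5e:00:01:01
FTOS(conf-std-mac)#deny any
FTOS(conf)#line vty 0 4
FTOS(conf-line-vty)#access-class sourcemac
FTOS(conf-line-vty)#end
FTOS(conf)#line vty 5 9
FTOS(conf-line-vty)#end
"""

PROMPT = re.compile(r"^\S+?\([^)]*\)#\s*")   # e.g. "FTOS(conf-line-vty)#"
ACL = re.compile(r"^(ip|mac) access-list standard (\S+)$")
VTY = re.compile(r"^line vty (\d+) (\d+)$")

def parse(text):
    """Return ({acl: [rules]}, {(first, last): acl name or None})."""
    acls, vtys, ctx = {}, {}, None
    for raw in text.splitlines():
        cmd = PROMPT.sub("", raw.strip())
        if m := ACL.match(cmd):
            ctx = ("acl", m.group(2))
            acls[ctx[1]] = []
        elif m := VTY.match(cmd):
            ctx = ("vty", (int(m.group(1)), int(m.group(2))))
            vtys.setdefault(ctx[1], None)
        elif cmd == "end":
            ctx = None
        elif ctx and ctx[0] == "acl" and cmd.startswith(("permit ", "deny ")):
            acls[ctx[1]].append(cmd)
        elif ctx and ctx[0] == "vty" and cmd.startswith("access-class "):
            vtys[ctx[1]] = cmd.split()[1]
    return acls, vtys

def audit(text):
    """Flag VTY ranges with no filter, an undefined ACL, or no final 'deny any'."""
    acls, vtys = parse(text)
    findings = []
    for (first, last), name in sorted(vtys.items()):
        where = f"vty {first}-{last}"
        if name is None:
            findings.append(f"{where}: no access-class applied")
        elif name not in acls:
            findings.append(f"{where}: access-class {name} is not defined")
        elif acls[name][-1:] != ["deny any"]:
            findings.append(f"{where}: ACL {name} does not end with 'deny any'")
    return findings
```

Calling audit(SAMPLE) returns a single finding for vty 5-9; lines with or without the FTOS prompt prefix are accepted.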
