Service ACLs
Fixed Switch Configuration Guide 26-17
Restricting Management Access to the Console Port
You can restrict system management access to the switch's serial console port only. This is done
with the set system service-class console-only command. When console-only access is configured, all
TCP SYN packets (that is, all new inbound TCP connections) and all UDP packets are dropped, with the
exception of UDP packets sent to the DHCP server or DHCP client ports. Attempting to map a router
ACL to a host service will fail.
Configuring a Service Access Control List
Use the set system service-acl command to configure a service access control list. Each rule should
have a unique priority. New rules added without a priority are appended at the end of the service ACL.
Use the set system service-class command to select the active service ACL. The active service ACL
cannot be modified or removed; deactivate it first with clear system service-class.
A service ACL has an implicit deny all rule at the end. If you want to allow access by a network
server that is not covered by the specific services listed with the service parameter, such as a
network NTP/SNTP server, you can add a permit rule for the IP address of that server.
Procedure 26-5 lists the commands used to create a service ACL and apply it to the switch. Refer
to the CLI Reference for your platform for more information about these commands.
The following example adds two rules to allow remote management for all host services through
ports ge.1.1 and ge.1.2. A third rule permits traffic from the SNTP network server with IP address
10.10.22.2. Since no priority is specified, these rules are added in the order in which they are
entered. A fourth rule, added with priority 1, denies SSH access from source IPv4 address
192.168.10.10 and is therefore evaluated before the permit rules. The contents of the service ACL are
then displayed, and the ACL is activated on the switch.
C5(su)->set system service-acl my-sacl permit port ge.1.1
C5(su)->set system service-acl my-sacl permit port ge.1.2
C5(su)->set system service-acl my-sacl permit ip-source 10.10.22.2 port 123
C5(su)->set system service-acl my-sacl deny service ssh ip-source 192.168.10.10 priority 1
C5(su)->show system service-acl
my-sacl
Procedure 26-5 Configuring a Service ACL

Step 1. Create and add rules to a service access control list. Only a single list is allowed in the
system, with a maximum of 64 rules. Use the clear system service-acl command to remove a service ACL.
    Command: set system service-acl name {permit | deny}
             [ip-source ip-addr [wildcard bits] | ipv6-source ipv6-addr [wildcard /prefix-length]]
             [port port-string | vlan vlan-id] [service service] [priority priority-value]

Step 2. Activate a service ACL on the switch, or restrict management access to the console port.
    Command: set system service-class {name | console-only}

Step 3. De-activate a service ACL, or remove the restriction of management access to the console port.
    Command: clear system service-class

Step 4. Display the contents of the service ACL configured on the switch.
    Command: show system service-acl [name]

Step 5. Display the current system service ACL status.
    Command: show system service-class
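The following Python model is added here as an illustration; it is not code from the guide or from the switch software. It parses rules written in the set system service-acl syntax of Procedure 26-5 (IPv4 ip-source only), orders them by priority, evaluates packets with first match followed by the implicit deny, and models the console-only service class described at the start of this section. Assumptions made for the example: a lower priority value is evaluated first, wildcard bits are an inverted mask (1 bits are don't-care), the host-service-to-port mapping in SERVICE_BY_PORT, and the DHCP server/client UDP ports 67 and 68. The sample ACL and packets are constructed for the example.

```python
"""Model of service-ACL evaluation as the guide describes it (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Assumed mapping of host services to their ports. NTP/SNTP (UDP 123) is deliberately
# absent: the guide says it is not one of the services the service keyword covers.
SERVICE_BY_PORT = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 161: "snmp"}
DHCP_PORTS = {67, 68}        # UDP DHCP server / client ports exempt in console-only mode
KEYWORDS = {"ip-source", "port", "vlan", "service", "priority"}


@dataclass
class Packet:
    src: str                 # source IPv4 address
    proto: str               # "tcp" or "udp"
    dst_port: int
    port: str = ""           # ingress physical port, e.g. "ge.1.1"
    vlan: int = 0
    syn: bool = False        # TCP SYN flag (new connection)


@dataclass
class Rule:
    action: str
    priority: int
    src_net: Optional[ipaddress.IPv4Network] = None
    port: Optional[str] = None
    vlan: Optional[int] = None
    service: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every keyword present on the rule must match; absent keywords match anything."""
        if self.src_net and ipaddress.IPv4Address(pkt.src) not in self.src_net:
            return False
        if self.port and pkt.port != self.port:
            return False
        if self.vlan and pkt.vlan != self.vlan:
            return False
        if self.service and SERVICE_BY_PORT.get(pkt.dst_port) != self.service:
            return False
        return True


class ServiceAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []

    def add(self, line: str) -> Rule:
        """Parse one 'set system service-acl NAME {permit|deny} ...' line into the ACL."""
        tok = shlex.split(line)
        if tok[:3] != ["set", "system", "service-acl"] or tok[3] != self.name:
            raise ValueError(f"not a rule for ACL {self.name}: {line}")
        if tok[4] not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        rule = Rule(action=tok[4], priority=0)
        i = 5
        while i < len(tok):
            key, val = tok[i], tok[i + 1]
            i += 2
            if key == "ip-source":
                wild = "0.0.0.0"                       # no wildcard bits = exact host
                if i < len(tok) and tok[i] not in KEYWORDS:
                    wild, i = tok[i], i + 1
                # Assumed semantics: wildcard 1 bits are don't-care, so invert to a netmask.
                mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
                rule.src_net = ipaddress.IPv4Network(
                    (val, str(ipaddress.IPv4Address(mask))), strict=False)
            elif key == "port":
                rule.port = val
            elif key == "vlan":
                rule.vlan = int(val)
            elif key == "service":
                rule.service = val
            elif key == "priority":
                rule.priority = int(val)
            else:
                raise ValueError(f"unknown keyword {key}")
        if rule.priority == 0:                        # no priority given: append at the end
            rule.priority = max((r.priority for r in self.rules), default=0) + 1
        elif any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already in use")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)     # assumed: lower value evaluated first
        return rule

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule wins; a packet matching no rule hits the implicit deny."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


def console_only(pkt: Packet) -> str:
    """set system service-class console-only: drop TCP SYN and all UDP except DHCP."""
    if pkt.proto == "tcp" and pkt.syn:
        return "deny"
    if pkt.proto == "udp" and pkt.dst_port not in DHCP_PORTS:
        return "deny"
    return "permit"


def build_sample_acl() -> ServiceAcl:
    """Constructed sample: SSH/SNMP from 10.10.0.0/16, the SNTP server by address only,
    a deny added later with priority 1, and a final rule with no priority."""
    acl = ServiceAcl("mgmt")
    for line in [
        "set system service-acl mgmt permit ip-source 10.10.0.0 0.0.255.255 service ssh priority 10",
        "set system service-acl mgmt permit ip-source 10.10.0.0 0.0.255.255 service snmp priority 20",
        "set system service-acl mgmt permit ip-source 10.10.22.2 priority 30",
        "set system service-acl mgmt deny service ssh ip-source 10.10.5.5 priority 1",
        "set system service-acl mgmt permit port ge.1.1 service ssh",
    ]:
        acl.add(line)
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for r in acl.rules:
        print(r.priority, r.action, r.src_net, r.port, r.service)
    print("ssh from 10.10.5.5:", acl.evaluate(Packet("10.10.5.5", "tcp", 22, syn=True)))
    print("ntp from 10.10.22.3:", acl.evaluate(Packet("10.10.22.3", "udp", 123)))
```

The two cases worth noticing are the SNTP server and the implicit deny: UDP 123 from 10.10.22.2 is permitted only because of the address-only rule at priority 30, and the same traffic from any other host, or Telnet from an otherwise permitted management host, falls through every rule and is denied.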