Restrict telnet access to XOS switch

Is it possible to restrict telnet access to an XOS switch through the IP addresses of some VLANs?

For example, there are 4 VLANs created on the switch, but a user can telnet to the switch only with the IP address of one of the VLANs. Can it be done with an access policy, or does it have to be done through an ACL?


4 replies

Userlevel 6
Good morning, Elmer. Yes, you can restrict telnet to the switch. Full information is in the concepts guide that you can download from under Support > Enter Extreme Support Center > Documentation. You create a policy file but use the access-profile command to assign it. Look on page 52 of the 15.4 concepts guide and let us know if you have any questions. Thanks, P
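As an added illustration of the policy-file plus access-profile approach described in this reply (this is not the poster's own configuration and not text from the concepts guide): the policy below permits telnet and SSH only from the subnet of one VLAN and denies every other source. The subnet 10.10.10.0/24 and the policy name mgmt_access are assumed for the example; replace them with the management VLAN's real subnet. The `#` lines show the CLI steps as comments so the whole thing is one file.

```exos
# /config/mgmt_access.pol  (create or open it with:  edit policy mgmt_access)
# Entries are evaluated top to bottom; the first match wins.

# Allow management sessions only from the management VLAN's subnet (assumed 10.10.10.0/24).
entry allow_mgmt_vlan {
    if match all {
        source-address 10.10.10.0/24;
    } then {
        permit;
    }
}

# Explicit catch-all so the default for unlisted sources is unambiguous: deny.
entry deny_everything_else {
    if {
    } then {
        deny;
    }
}

# After saving the file, on the EXOS CLI:
#   check policy mgmt_access                 # syntax check before applying
#   configure telnet access-profile mgmt_access
#   configure ssh2 access-profile mgmt_access
#   save
# To remove the restriction later:
#   configure telnet access-profile none
#   configure ssh2 access-profile none
```

Two caveats for anyone copying this. First, as the thread goes on to say, an access profile matches only the source address of the session, so it does not by itself stop a user on the permitted subnet from connecting to the switch's IP on one of the other VLANs. Second, apply the same profile to SSH as well as telnet, otherwise the restriction is trivially bypassed by using the other protocol; and since telnet carries credentials in cleartext, the usual practice is to enable SSH and leave telnet disabled once the profile is in place.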

Thanks, Paul. I am sure that I can apply a policy to restrict access by source IP address. But what I want to confirm is how to restrict access not only for the source address but also for the destination address (only one VLAN IP address can be used for telnet or SSH; access to the other VLANs' IP addresses will be denied) in the policy file.


Userlevel 4
You cannot use the destination address in a match condition. Only source-address matching is supported.

Maybe you can create a different virtual router, assign the VLAN to the new router and enable the telnet session for that new virtual router.
Userlevel 6
Good Morning Elmer

As Sumit said, the access profile only works for the source address. You can restrict access using a different VR, but you then need an external firewall or router to go between the VRs.

The other idea would be to restrict using ACLs at the edge. ACLs restrict traffic through the switch; profiles restrict traffic to the switch. So you should be able to set up an ACL to restrict a destination subnet to a range of IPs (if you use a certain host range, as an example) by setting it up at the edge.

I will check with a customer of mine to see if this is what they did and will let you know
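An added example of the edge-ACL idea suggested above (this is not the poster's configuration and not something the thread confirms was deployed): an ACL policy applied ingress on the user-facing VLANs drops telnet and SSH whose destination is the switch's own IP on any VLAN other than the management VLAN. The addresses are assumed for the example: the switch owns 10.10.10.1 on the management VLAN and 10.20.20.1, 10.30.30.1 and 10.40.40.1 on the other three VLANs, and the VLAN names v20, v30 and v40 are likewise hypothetical.

```exos
# /config/block_mgmt_on_other_vlans.pol   (edit policy block_mgmt_on_other_vlans)
# Match only the switch's own interface addresses, not whole subnets, so that
# telnet/SSH to other hosts transiting the switch is left alone.
# Port range 22 - 23 covers SSH and telnet in one entry.

entry deny_mgmt_to_v20_ip {
    if {
        protocol tcp;
        destination-address 10.20.20.1/32;   # assumed switch IP on v20
        destination-port 22 - 23;
    } then {
        deny;
    }
}

entry deny_mgmt_to_v30_ip {
    if {
        protocol tcp;
        destination-address 10.30.30.1/32;   # assumed switch IP on v30
        destination-port 22 - 23;
    } then {
        deny;
    }
}

entry deny_mgmt_to_v40_ip {
    if {
        protocol tcp;
        destination-address 10.40.40.1/32;   # assumed switch IP on v40
        destination-port 22 - 23;
    } then {
        deny;
    }
}

# Everything else, including sessions to the management VLAN IP 10.10.10.1,
# is forwarded normally.
entry permit_rest {
    if {
    } then {
        permit;
    }
}

# On the EXOS CLI, apply it where user traffic enters the switch:
#   check policy block_mgmt_on_other_vlans
#   configure access-list block_mgmt_on_other_vlans vlan v20 ingress
#   configure access-list block_mgmt_on_other_vlans vlan v30 ingress
#   configure access-list block_mgmt_on_other_vlans vlan v40 ingress
#   save
```

Because this is a data-plane filter rather than a management-plane profile, it only protects the ingress points it is bound to: any VLAN or port left out of the `configure access-list ... ingress` step can still reach the other VLAN IPs. It is therefore a complement to, not a replacement for, a source-address access profile on telnet and SSH.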