It may be desirable to allow a specific IP subnet range to gain access to inband management.
Your options are to apply an ACL (if routing to the management IP), or to apply a Policy constraint (if either switching or routing to the management IP).
Given the security concerns, it is wise to disable the less secure inband management methods:
The default SNMPv1 should be swapped for the more secure SNMPv3 (5086).
This leaves only SSH to be addressed.
Applying an Advanced ACL
If the host IP is in a different subnet from that of the attacker, an Access Control List against SSH port 22 should do the trick, affecting all traffic routed through the DFE system. Note that use of Advanced ACLs requires purchase and installation of an Advanced Routing License key (5025).
Here is an example of such an ACL:

```
Matrix(rw)->router 1
Matrix(rw)->Router1(config)#access-list 101 deny udp any any eq 22
Matrix(rw)->Router1(config)#access-list 101 deny tcp any any eq 22
Matrix(rw)->Router1(config)#access-list 101 permit udp any any
Matrix(rw)->Router1(config)#access-list 101 permit tcp any any
Matrix(rw)->Router1(config)#interface vlan 1
Matrix(rw)->Router1(config-if(Vlan 1))#ip access-group 101 in
```
In the above example it is applied as an input ACL to VLAN 1. Applied to each of your interfaces except the one from which you want to manage, it should kill all SSH activity on those interfaces but leave everything else unaffected.
If the DFE is switching only, but the IP structure of the DFE-traversing traffic is simple enough and you have no 802.1Q trunks on the DFE, you can make all of the network ports part of one large IP subnet (from the DFE's perspective) and isolate the DFE host into its own /32 subnet. Then all DFE management traffic would be routed, and again an ACL would do what you want.
Another option is to use Policy.
Here is a Policy configuration that is assigned to any traffic, VLAN-tagged or not, which is addressed to any of the specified protected hosts or subnets (any number of '
The simplest method of implementation is to set up one policy which references all destination IP addresses or subnets on your network which should be protected against management-type intrusions, and references all source IP addresses or subnets which are allowed to manage them; and then apply that same policy to all DFEs within your network.
You may integrate lines 3-11 of this policy into NetSight Policy Manager (5461) and your existing policy structure, or more simply just append lines 1-11 onto each DFE configuration using the '
```
[Delete existing policy profile #1]
clear policy all-rules                                                 [Delete any existing policy rules]
set policy profile 1 name protect_host
set policy rule 1 ipsourcesocket <Source_IP_host_to_permit> mask 32 forward syslog enable
set policy rule 1 tcpdestportip 22 mask 16 drop                        [Deny SSH to unpermitted sources]
set policy rule 1 tcpdestportip 23 mask 16 drop                        [Deny Telnet to unpermitted sources]
set policy rule 1 tcpdestportip 80 mask 16 drop                        [Deny HTTP/WebView to unpermitted sources]
set policy rule 1 udpdestportip 161 mask 16 drop                       [Deny SNMP to unpermitted sources]
set policy rule 1 udpdestportip 162 mask 16 drop                       [Deny SNMP Traps to unpermitted sources]
set policy rule 1 tcpdestportip 443 mask 16 drop                       [Deny HTTPS/SSL to unpermitted sources]
set policy rule admin-profile ipdestsocket <Destination_IP_host_to_protect> mask 32 admin-pid 1
```
The Configuration Guide contains further background on the commands used here.
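As an added illustration (not from the original article), the following Python script generates lines 3-11 of the policy above for any number of permitted source hosts/subnets and protected destination hosts/subnets, and models the intended verdict for a sample flow so the rule set can be sanity-checked before it is pasted onto each DFE. It assumes that the mask value on ipsourcesocket/ipdestsocket rules is a prefix length (32 for a single host) and that a matching ipsourcesocket forward rule wins over the port drop rules, as the policy's comments intend; all addresses are constructed documentation-range samples.

```python
import ipaddress

# Management services the page's policy drops for non-permitted sources.
MGMT_PORTS = [("tcpdestportip", 22, "SSH"), ("tcpdestportip", 23, "Telnet"),
              ("tcpdestportip", 80, "HTTP/WebView"), ("udpdestportip", 161, "SNMP"),
              ("udpdestportip", 162, "SNMP Traps"), ("tcpdestportip", 443, "HTTPS/SSL")]


def _net(cidr):
    """Parse 'a.b.c.d' or 'a.b.c.d/n'; a bare address becomes a /32 host."""
    return ipaddress.ip_network(cidr, strict=False)


def build_protect_host_policy(permit_sources, protect_destinations, pid=1):
    """Return policy lines 3-11 (profile name, rules, admin-profile) for any
    number of permitted sources and protected destinations.  Assumption: the
    'mask' on ipsourcesocket/ipdestsocket is the prefix length (32 = one host);
    on the port rules it stays 16 (a full 16-bit port), as on the page."""
    lines = [f"set policy profile {pid} name protect_host"]
    for src in map(_net, permit_sources):
        lines.append(f"set policy rule {pid} ipsourcesocket {src.network_address} "
                     f"mask {src.prefixlen} forward syslog enable")
    for kind, port, _label in MGMT_PORTS:
        lines.append(f"set policy rule {pid} {kind} {port} mask 16 drop")
    for dst in map(_net, protect_destinations):
        lines.append(f"set policy rule admin-profile ipdestsocket {dst.network_address} "
                     f"mask {dst.prefixlen} admin-pid {pid}")
    return lines


def management_verdict(src_ip, dst_ip, proto, dport, permit_sources, protect_destinations):
    """Model the policy's intent for one flow: 'n/a' if the destination is not a
    protected host (the admin-profile never assigns the policy), 'forward' for a
    permitted source, 'drop' for a blocked management port, otherwise 'forward'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(dst in n for n in map(_net, protect_destinations)):
        return "n/a"
    if any(src in n for n in map(_net, permit_sources)):
        return "forward"
    kind = "tcpdestportip" if proto == "tcp" else "udpdestportip"
    if any(k == kind and p == dport for k, p, _label in MGMT_PORTS):
        return "drop"
    return "forward"


if __name__ == "__main__":
    # Constructed sample: one admin host and one admin subnet may manage a DFE
    # whose host address is 192.0.2.10 (RFC 5737 documentation addresses).
    for line in build_protect_host_policy(["10.1.1.5", "10.2.0.0/16"], ["192.0.2.10"]):
        print(line)
```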