An access profile acts as another layer of security for the switch. Access profiles can contain up to 128 rules to increase security. Each rule contains an action and criteria. If the access method does not match the management method, the user is blocked and cannot access the device. If the incoming packet matches the rule and the access method matches the management method, the action is performed. The objective of this document is to define profile rules on SFE/SGE Managed Switches.
• SFE/SGE Managed Switches
• v3.0.2.0
Step 1. Log in to the web configuration utility and choose Security Suite > Access Method > Profile Rules. The Profile Rules page opens:
Step 2. Choose the name of the access profile to which the rules are attached from the Access Profile Name drop-down list.
Step 1. Click the Add button. The Add Profile Rule window appears:
Step 2. In the Supported IP Format field, click the radio button of the desired IP version.
Note: If you choose IPv6 in Step 2, follow Step 3; otherwise, skip to Step 5.
Step 3. In the IPv6 Address Type field, click the radio button of the desired IPv6 address type.
• Link Local — To communicate on the same subnet.
• Global — To communicate globally.
Step 4. If you click Link Local, click the radio button of the desired Link Local Interface. For example, if you choose ISATAP, it indicates that the link local interface is an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel.
Step 5. Choose the name of the access profile to which the rules are attached from the Access Profile Name drop-down list.
Step 6. In the Rule Priority field, enter a rule priority number. It should be between 1 and 65535. Rules with a lower priority number are checked first. If a packet matches a rule, the desired action is performed.
Step 7. In the Management Method field, choose from the drop-down list the management method for which the rule should be defined.
• All — This will assign the rule to all the management methods.
• Telnet — Access will be either permitted or denied only to the users that meet the telnet access profile criteria.
• Secure telnet (SSH) — Access will be either permitted or denied only to the users that meet the SSH access profile criteria.
• HTTP — Access will be either permitted or denied only to the users that meet the HTTP access profile criteria.
• Secure HTTP (HTTPS) — Access will be either permitted or denied only to the users that meet the HTTPS access profile criteria.
• SNMP — Access will be either permitted or denied only to the users that meet the SNMP access profile criteria.
Step 8. In the Interface field, check the Interface check box and then click the radio button for the desired interface. The options are:
• Port — Choose Port if statistics for a single port are to be received.
• LAG — Choose a LAG that contains a group of ports.
• VLAN — Choose VLAN if the interface is a VLAN interface.
Step 9. The source IP address is the IP address of the computer or a website the administrator visits. In the Source IP Address field, check the Source IP Address check box and then enter the source IP address in the given field.
Step 10. In the Network Mask field, click the respective radio button and enter the subnet mask, which should be in the 0.0.0.0 format. Alternatively, in the Prefix Length field, click the respective radio button and enter the number of bits that comprise the source IP address prefix.
Step 11. In the Action field, choose the desired action from the drop-down list.
• Permit — If the user settings match the profile settings then the access to the switch is permitted.
• Deny — If the user settings match the profile settings then the access to the switch is denied.
Step 12. Click Apply to save the configuration.
Caution: This only saves your configuration to the running configuration file. This means any changes made will be lost if the device is rebooted. If you wish to save these changes even after a system reboot, you need to copy the running configuration file to the startup configuration file. See Copy Configuration File on SFE/SGE Series Managed Switches for more information on how to do this.
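To check a planned rule set before entering it in the Add Profile Rule window, the matching described in Steps 6 to 11 can be modelled offline. The following is an added example, not Cisco code: the Rule class, the validate and evaluate functions and the sample addresses are constructed for illustration, SSH and HTTPS are shorthand for the Secure telnet (SSH) and Secure HTTP (HTTPS) options, the Interface criterion is not modelled, and blocking a connection that matches no rule is an assumption based on the first paragraph.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Shorthand for the Management Method options listed in Step 7.
METHODS = {"All", "Telnet", "SSH", "HTTP", "HTTPS", "SNMP"}

@dataclass(frozen=True)
class Rule:
    priority: int                 # Rule Priority field, 1-65535
    method: str                   # Management Method field
    action: str                   # "Permit" or "Deny"
    source: Optional[str] = None  # "address/mask" or "address/prefix"; None = box unchecked

def validate(rules):
    """Check the limits the page states: 128 rules, priority 1-65535."""
    if len(rules) > 128:
        raise ValueError("an access profile holds at most 128 rules")
    for r in rules:
        if not 1 <= r.priority <= 65535:
            raise ValueError(f"priority {r.priority} is outside 1-65535")
        if r.method not in METHODS or r.action not in ("Permit", "Deny"):
            raise ValueError(f"unknown method or action in rule {r.priority}")
        if r.source is not None:
            ipaddress.ip_network(r.source, strict=False)  # raises on a bad mask

def evaluate(rules, method, src_ip):
    """Return (action, matching priority) for one management connection."""
    validate(rules)
    addr = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.priority):  # lowest number first
        if r.method not in ("All", method):
            continue
        if r.source is not None:
            net = ipaddress.ip_network(r.source, strict=False)
            if addr.version != net.version or addr not in net:
                continue
        return r.action, r.priority
    return "Deny", None  # assumption: no matching rule means blocked

# Constructed rule set (documentation address ranges), not from the page.
RULES = [
    Rule(10, "HTTPS", "Permit", "192.0.2.0/255.255.255.0"),
    Rule(5, "All", "Deny", "192.0.2.99/32"),
    Rule(20, "SSH", "Permit", "192.0.2.10/32"),
    Rule(30, "Telnet", "Deny"),
    Rule(40, "SNMP", "Permit", "2001:db8::/64"),
]
```

Running evaluate against the administrator's own workstation address and management method before clicking Apply shows whether the new rule order would lock that workstation out.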
Step 1. Click the Edit button. The Edit Profile Rule window appears:
Note: The Access Profile Name displays the profile name that is to be modified.
Step 2. In the Supported IP Format field, click the radio button of the desired IP version.
Note: If you choose IPv6 in Step 2, follow Step 3; otherwise, skip to Step 5.
Step 3. In the IPv6 Address Type field, click the radio button of the desired IPv6 address type.
• Link Local — To communicate on the same subnet.
• Global — To communicate globally.
Step 4. If you click Link Local, click the radio button of the desired Link Local Interface. For example, if you choose ISATAP, it indicates that the link local interface is an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel.
Step 5. In the Rule Priority field, enter a rule priority number. It should be between 1 and 65535. Rules with a lower priority number are checked first. If a packet matches a rule, the desired action is performed.
Step 6. In the Management Method field, choose from the drop-down list the management method for which the rule should be defined.
• All — This will assign the rule to all the management methods.
• Telnet — Access will be either permitted or denied only to the users that meet the telnet access profile criteria.
• Secure telnet (SSH) — Access will be either permitted or denied only to the users that meet the SSH access profile criteria.
• HTTP — Access will be either permitted or denied only to the users that meet the HTTP access profile criteria.
• Secure HTTP (HTTPS) — Access will be either permitted or denied only to the users that meet the HTTPS access profile criteria.
• SNMP — Access will be either permitted or denied only to the users that meet the SNMP access profile criteria.
Step 7. In the Interface field, check the Interface check box and then click the radio button for the desired interface. The options are:
• Port — Choose Port if statistics for a single port are to be received.
• LAG — Choose a LAG that contains a group of ports.
• VLAN — Choose VLAN if the interface is a VLAN interface.
Step 8. The source IP address is the IP address of the computer or a website the administrator visits. In the Source IP Address field, check the Source IP Address check box and then enter the source IP address in the given field.
Step 9. In the Network Mask field, click the respective radio button and enter the subnet mask, which should be in the 0.0.0.0 format. Alternatively, in the Prefix Length field, click the respective radio button and enter the number of bits that comprise the source IP address prefix.
Step 10. In the Action field, choose the desired action from the drop-down list.
• Permit — If the user settings match the profile settings then the access to the switch is permitted.
• Deny — If the user settings match the profile settings then the access to the switch is denied.
Step 11. Click Apply to save the configuration.
Caution: This only saves your configuration to the running configuration file. This means any changes made will be lost if the device is rebooted. If you wish to save these changes even after a system reboot, you need to copy the running configuration file to the startup configuration file. See Copy Configuration File on SFE/SGE Series Managed Switches for more information on how to do this.
Step 1. Check the check box under Access Profile Name that has the saved configuration to choose the Access Rule to be removed.
Step 2. Click Delete. The action is performed and the device is updated.
Caution: This only saves your configuration to the running configuration file. This means any changes made will be lost if the device is rebooted. If you wish to save these changes even after a system reboot, you need to copy the running configuration file to the startup configuration file. See Copy Configuration File on SFE/SGE Series Managed Switches for more information on how to do this.