Management ACL Commands

deny (Management)

To set the deny rules (ACEs) for the management ACL, use the deny Management Access-List Configuration mode command.

Syntax

[sequence sequence-number] deny interfaces interface-id service service

[sequence sequence-number] deny {ip ipv4-address/ipv4-mask | ipv6 ipv6-address/ipv6-prefix-length} [interfaces interface-id] service service

Parameters

sequence sequence-number—(Optional) Specifies the sequence number for the ACL statement. The acceptable range is from 1 to 65535. If not specified, the switch provides a number starting from 1 in ascending order.

interfaces interface-id—(Optional) Specifies an interface ID or a list of interface IDs. The interface can be one of these types: Ethernet port or port channel.

service service—Specifies the type of service. Possible values are all, Telnet, SSH, HTTP, HTTPS, and SNMP.

ip ipv4-address/ipv4-mask—Specifies the source IPv4 address and mask address.

ipv6 ipv6-address/ipv6-prefix-length—Specifies the source IPv6 address and source IPv6 address prefix length. The prefix length must be preceded by a forward slash (/). The parameter is optional.

Default Configuration

No rules are configured.

Command Mode

Management Access-List Configuration mode

User Guidelines

The rules with Ethernet and port channel parameters are valid only if an IP address is defined on the appropriate interface.

Example

switchxxxxxx(config)# management access-list mlist
switchxxxxxx(config-macl)# deny ip 192.168.1.111/0.0.255.255 interfaces gi11 service http
switchxxxxxx(config-macl)# exit

management access-class

To restrict the management connections by defining the active management ACLs, use the management access-class Global Configuration mode command.

To disable the management connection restrictions, use the no form of this command.

Syntax

management access-class {console-only | name}

no management access-class

Parameters

console-only—Specifies that the switch can be managed only from the console.

name—The ACL name to be used.

Default Configuration

The default is no management connection restrictions.

Command Mode

Global Configuration mode

Example

The following example defines an ACL called mlist as the active management ACL:

switchxxxxxx(config)# management access-list mlist
switchxxxxxx(config-macl)# permit ip 192.168.1.111/0.0.255.255 interfaces gi9 service all
switchxxxxxx(config-macl)# permit ip 192.168.1.111/0.0.255.255 interfaces gi11 service all
switchxxxxxx(config-macl)# exit
switchxxxxxx(config)# management access-class mlist
switchxxxxxx(config)#

management access-list

To configure a management access control list (ACL) and enter the Management Access-List Configuration command mode, use the management access-list Global Configuration mode command.

To delete a management ACL, use the no form of this command.

Syntax

management access-list name

no management access-list name

Parameters

name—The ACL name.

Default Configuration

N/A

Command Mode

Global Configuration mode

User Guidelines

Use this command to configure a management ACL. This command enters the Management Access-List Configuration command mode, where the denied or permitted access conditions are defined with the deny and permit commands.

If no match criteria are defined, the default action is deny.

When reentering the ACL context, the new rules are entered at the end of the access list.

Use the management access-class command to select the active management ACLs. The active management ACLs cannot be updated or removed.

For IPv6 management traffic that is tunneled in IPv4 packets, the management ACL is applied first on the external IPv4 header (rules with the service field are ignored), and then again on the inner IPv6 header.
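The matching rules that these guidelines and the deny/permit syntax describe (first matching ACE in sequence order wins, implicit deny when nothing matches, automatic numbering from 1, and the console-only access class) as an added Python model; it is not switch code and not from this guide. It parses ACEs written in the page's own command syntax and hands the address/mask part to Python's ipaddress module, which accepts a prefix length, a netmask, or a wildcard mask such as 0.0.255.255; interface ranges like fa1-24 are not expanded, and the console-only behaviour is assumed to block all remote management, as the page states.

```python
import ipaddress
from collections import namedtuple

# One ACE: sequence number, permit/deny, service, source network (None = any), interface set (empty = any)
Ace = namedtuple("Ace", "sequence action service source interfaces")

def parse_ace(line, next_seq):
    """Parse an ACE in the page's syntax, e.g. 'deny ip 192.168.1.111/0.0.255.255
    interfaces gi11 service http'. Interface ranges such as fa1-24 are not expanded."""
    tok = line.split()
    seq = next_seq
    if tok[0] == "sequence":                      # explicit sequence number given
        seq, tok = int(tok[1]), tok[2:]
    action, tok = tok[0], tok[1:]
    source, ifaces, service = None, frozenset(), "all"
    while tok:
        key, val, tok = tok[0], tok[1], tok[2:]
        if key in ("ip", "ipv6"):
            # ipaddress accepts a prefix length, a netmask or a wildcard (host) mask after
            # the slash, so 192.168.1.111/0.0.255.255 becomes the network 192.168.0.0/16.
            source = ipaddress.ip_network(val, strict=False)
        elif key == "interfaces":
            ifaces = frozenset(val.split(","))
        elif key == "service":
            service = val.lower()
    return Ace(seq, action, service, source, ifaces)

def build_acl(lines):
    """Number unnumbered ACEs from 1 upward, as the page says the switch does."""
    acl = []
    for line in lines:
        acl.append(parse_ace(line, max((a.sequence for a in acl), default=0) + 1))
    return acl

def evaluate(acl, src, iface, service):
    """First matching ACE in sequence order wins; no match means implicit deny."""
    ip = ipaddress.ip_address(src)
    for ace in sorted(acl, key=lambda a: a.sequence):
        if ((ace.service == "all" or ace.service == service.lower())
                and (not ace.interfaces or iface in ace.interfaces)
                and (ace.source is None or ip in ace.source)):  # False across IP versions
            return ace.action
    return "deny"  # "! (Note: all other access implicitly denied)"

def management_allowed(active, acls, src, iface, service):
    """active is None (no restrictions), 'console-only', or the name of an ACL in acls."""
    if active in (None, "console-only"):
        return active is None        # no restrictions, or console-only: no remote access at all
    return evaluate(acls[active], src, iface, service) == "permit"
```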

Example

Example 1—The following example creates a management ACL called mlist, configures gi9 and gi11 as the management interfaces, and adds the new ACL to the active ACL:

switchxxxxxx(config)# management access-list mlist
switchxxxxxx(config-macl)# permit ip 192.168.1.111/0.0.255.255 interfaces gi9 service all
switchxxxxxx(config-macl)# permit ip 192.168.1.111/0.0.255.255 interfaces gi11 service all
switchxxxxxx(config-macl)# exit
switchxxxxxx(config)#

Example 2—The following example creates a management ACL called mlist, configures all interfaces to be management interfaces except gi9 and gi11, and adds the new ACL to the active ACL:

switchxxxxxx(config)# management access-list mlist
switchxxxxxx(config-macl)# deny ip 192.168.1.111/0.0.255.255 interfaces gi9 service all
switchxxxxxx(config-macl)# deny ip 192.168.1.111/0.0.255.255 interfaces gi11 service all
switchxxxxxx(config-macl)# exit
switchxxxxxx(config)#

no sequence (Management)

To remove a permit or deny condition (ACE) from a specific management ACL, use the no sequence Management Access-List Configuration mode command.

Syntax

no sequence sequence-number

Parameters

sequence-number—The sequence number of the ACE to remove. The acceptable range is from 1 to 65535.

Command Mode

Management Access-List Configuration mode

Example

switchxxxxxx# show management access-list
2 management  access-lists are created
console-only
------------
  sequence 1 deny interfaces fa1-24,gi1-2,po1-8 service all
  ! (Note: all other access implicitly denied)
mgmtacl1
--------
  sequence 1 permit interfaces fa1 service telnet
  ! (Note: all other access implicitly denied)
switchxxxxxx# config
switchxxxxxx(config)# management access-list mgmtacl1
switchxxxxxx(config-macl)# no sequence 1

permit (Management)

To set the permit rules (ACEs) for the management ACL, use the permit Management Access-List Configuration mode command.

Syntax

[sequence sequence-number] permit interfaces interface-id service service

[sequence sequence-number] permit {ip ipv4-address/ipv4-mask | ipv6 ipv6-address/ipv6-prefix-length} [interfaces interface-id] service service

Parameters

sequence sequence-number—(Optional) Specifies the sequence number for the ACL statement. The acceptable range is from 1 to 65535. If not specified, the switch provides a number starting from 1 in ascending order.

interfaces interface-id—(Optional) Specifies an interface ID or a list of interface IDs. The interface can be one of these types: Ethernet port or port channel.

service service—Specifies the type of service. Possible values are all, Telnet, SSH, HTTP, HTTPS, or SNMP.

ip ipv4-address/ipv4-mask—Specifies the source IPv4 address and mask address.

ipv6 ipv6-address/ipv6-prefix-length—Specifies the source IPv6 address and source IPv6 address prefix length. The prefix length must be preceded by a forward slash (/). The parameter is optional.

Default Configuration

No rules are configured.

Command Mode

Management Access-List Configuration mode

User Guidelines

The rules with Ethernet, VLAN, and port channel parameters are valid only if an IP address is defined on the appropriate interface.

Example

switchxxxxxx(config)# management access-list mlist
switchxxxxxx(config-macl)# permit ip 192.168.1.111/0.0.255.255 interfaces gi11 service http
switchxxxxxx(config-macl)# exit

show management access-class

To show information about the active management ACL, use the show management access-class Privileged EXEC mode command.

Syntax

show management access-class

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show management access-class
Management access-class is enabled, using access list mlist

show management access-list

To show information for all management ACLs or for a specific management ACL, use the show management access-list Privileged EXEC mode command.

Syntax

show management access-list [name]

Parameters

name—(Optional) The name of a management ACL to be displayed.

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

The following example displays information for all management ACLs:

switchxxxxxx# show management access-list
2 management  access-lists are created
console-only
------------
  sequence 1 deny interfaces fa1-24,gi1-2,po1-8 service all
  ! (Note: all other access implicitly denied)
mlist
-----
  sequence 1 permit interfaces fa11 service all
  ! (Note: all other access implicitly denied)