Table Of Contents
Configuring the IP Permit List
Understanding How the IP Permit List Works
IP Permit List Default Configuration
Configuring the IP Permit List
Adding IP Addresses to the IP Permit List
Enabling the IP Permit List
Disabling the IP Permit List
Clearing an IP Permit List Entry
Configuring the IP Permit List
This chapter describes how to configure the IP permit list on the Catalyst enterprise LAN switches.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference—Catalyst 4000 Family, Catalyst 2948G, and Catalyst 2980G Switches.
This chapter consists of these major sections:
•Understanding How the IP Permit List Works
•IP Permit List Default Configuration
•Configuring the IP Permit List
Understanding How the IP Permit List Works
IP permit prevents inbound Telnet and SNMP access to the switch from unauthorized source IP addresses. All other TCP/IP services (such as IP traceroute and IP ping) continue to work normally when you enable the IP permit list. Outbound Telnet, Trivial File Transfer Protocol (TFTP), and other IP-based services are unaffected by the IP permit list.
Telnet attempts from unauthorized source IP addresses are denied a connection. SNMP requests from unauthorized IP addresses receive no response; the request times out. If you want to log unauthorized access attempts to the console or a syslog server, you must change the logging severity level for IP, as described in the "Enabling the IP Permit List" section. If you want to generate SNMP traps when unauthorized access attempts are made, you must enable IP permit list (ippermit) SNMP traps, as described in the "Enabling the IP Permit List" section. Multiple access attempts from the same unauthorized host only trigger notifications every ten minutes.
You can configure up to 100 entries in the permit list. Each entry consists of an IP address and subnet mask pair in dotted decimal format and information on whether the IP address is part of the SNMP permit list, Telnet permit list, or both lists. The bits set to one in the mask are checked for a match with the source IP address of incoming packets, while the bits set to zero are not checked. This process allows wildcard addresses to be specified.
If you do not specify the mask for an IP permit list entry, or if you enter a host name instead of an IP address, the mask has an implicit value of all bits set to one (255.255.255.255 or 0xffffffff), which matches only the IP address of that host.
If you do not specify SNMP or Telnet for the type of permit list for the IP address, the IP address is added to both the SNMP and Telnet permit lists.
You can specify the same IP address in more than one entry in the permit list if the masks are different. The mask is applied to the address before it is stored in NVRAM, so that entries that have the same effect (but different addresses) are not stored. When you add such an address to the IP permit list, the system displays the address after the mask is applied.
IP Permit List Default Configuration
Table 18-1 shows the default IP permit list configuration.
Table 18-1 IP Permit List Default Configuration
Feature
|
Default Value
|
IP permit list enable state
|
Disabled
|
Permit list entries
|
None configured
|
IP syslog message severity level
|
2
|
SNMP IP permit trap (ippermit)
|
Disabled
|
Configuring the IP Permit List
These sections describe how to configure IP permit list:
•Adding IP Addresses to the IP Permit List
•Enabling the IP Permit List
•Disabling the IP Permit List
•Clearing an IP Permit List Entry
Adding IP Addresses to the IP Permit List
You can add an IP address to the SNMP permit list, the Telnet permit list, or both lists.
To add IP addresses to an IP permit list, perform this task in privileged mode:
|
Task
|
Command
|
Step 1
|
Specify the IP addresses to add to the IP permit list.
|
set ip permit ip_address [mask] [all | snmp | telnet | ssh]
|
Step 2
|
Verify the IP permit list configuration.
|
show ip permit
|
Note You can use the set security acl command to more efficiently set permit lists.
This example shows how to add IP addresses to IP permit list and verify the configuration:
Console> (enable) set ip permit 172.16.0.0 255.255.0.0 telnet
172.16.0.0 with mask 255.255.0.0 added to Telnet permit list.
Console> (enable) set ip permit 172.20.52.32 255.255.0.0 snmp
172.20.52.32 with mask 255.255.0.0 added to Snmp permit list.
Console> (enable) set ip permit 172.20.52.3 all
172.20.52.3 added to IP permit list.
Console> (enable) set ip permit 172.20.52.31 255.255.255.224 ssh
172.20.52.31 with mask 255.255.255.224 added to Ssh permit list.
Console> (enable) show ip permit
Telnet permit list disabled.
Ssh permit list disabled.
Snmp permit list disabled.
Permit List Mask Access-Type
---------------- ---------------- -------------
172.16.0.0 255.255.0.0 telnet
172.20.0.0 255.255.0.0 snmp
172.20.52.0 255.255.255.224 ssh
172.20.52.3 telnet ssh snm
Denied IP Address Last Accessed Time Type Telnet Count SNMP Count
----------------- ------------------ ------ ------------ ----------
172.100.101.104 01/20/97,07:45:20 SNMP 14 1430
172.187.206.222 01/21/97,14:23:05 Telnet 7 236
Enabling the IP Permit List
You can enable either the SNMP permit list, the Telnet permit list, or both lists. If you do not specify a permit list, both the SNMP and Telnet permit lists are enabled.
Caution Before enabling the IP permit list, make sure that you add the IP address of your workstation or network management system to the permit list, especially when configuring through SNMP. Failure to do so could result in your connection being dropped by the switch you are configuring. We recommend that you disable IP permit list before clearing IP permit entries or host addresses.
To enable IP permit list on the switch, perform this task in privileged mode:
|
Task
|
Command
|
Step 1
|
Enable the IP permit list.
|
set ip permit enable [ssh | snmp | telnet]
|
Step 2
|
If desired, enable the IP permit trap to generate traps for unauthorized access attempts.
|
set snmp trap enable ippermit
|
Step 3
|
If desired, configure the logging level to see syslog messages for unauthorized access attempts.
|
set logging level ip 4 default
|
Step 4
|
Verify the IP permit list configuration.
|
show ip permit show snmp
|
This example shows how to enable the IP permit list and verify the configuration:
Console> (enable) set ip permit enable
Telnet, Snmp and Ssh permit list enabled
Console> (enable) set snmp trap enable ippermit
SNMP IP Permit traps enabled.
Console> (enable) set logging level ip 4 default
System logging facility <ip> set to severity 4(warnings)
Console> (enable) show ip permit
Telnet permit list enabled.
Snmp permit list enabled.
Permit List Mask Access-Type
---------------- ---------------- -------------
172.16.0.0 255.255.0.0 telnet
172.20.0.0 255.255.0.0 snmp
172.20.52.0 255.255.255.224 ssh
172.20.52.3 telnet ssh snmp
Denied IP Address Last Accessed Time Type
----------------- ------------------ ------
Denied IP Address Last Accessed Time Type Telnet Count SNMP Count
----------------- ------------------ ------ ------------ ----------
172.100.101.104 01/20/97,07:45:20 SNMP 14 1430
172.187.206.222 01/21/97,14:23:05 Telnet 7 236
Console> (enable) show snmp
Extended RMON Netflow: Disabled
Community-Access Community-String
---------------- --------------------
Trap-Rec-Address Trap-Rec-Community
---------------------------------------- --------------------
Disabling the IP Permit List
To disable the IP permit list on the switch, perform this task in privileged mode:
|
Task
|
Command
|
Step 1
|
Disable the IP permit list on the switch.
|
set ip permit disable [ssh | snmp | telnet]
|
Step 2
|
Verify the IP permit list configuration.
|
show ip permit
|
This example shows how to disable the IP permit list:
Console> (enable) set ip permit disable
Clearing an IP Permit List Entry
You can clear an IP address from the SNMP permit list, SSH permit list, the Telnet permit list, or all lists. If you do not specify which permit list to clear the IP address from, the IP address is deleted from both permit lists.
Caution Disable the IP permit list before clearing IP permit entries or host addresses. This action prevents your connection from being dropped by the switch you are configuring in case you clear your current IP address.
To clear an IP permit list entry, perform this task in privileged mode:
|
Task
|
Command
|
Step 1
|
Disable the IP permit list.
|
set ip permit disable [ssh | snmp | telnet]
|
Step 2
|
Specify the IP address to remove from the IP permit list.
|
clear ip permit {ip_address [mask] | all} [ssh | snmp | telnet]
|
Step 3
|
Verify the IP permit list configuration.
|
show ip permit
|
This example shows how to clear an IP permit list entry:
Console> (enable) set ip permit disable
Console> (enable) clear ip permit 172.100.101.102
172.100.101.102 cleared from IP permit list.
Console> (enable) clear ip permit 172.160.161.0 255.255.192.0 snmp
172.160.128.0 with mask 255.255.192.0 cleared from snmp permit list.
Console> (enable) clear ip permit 172.100.101.102 telnet
172.100.101.102 cleared from telnet permit list.
Console> (enable) clear ip permit all