Profile Rules

Access profiles can contain up to 255 rules to determine who is permitted to manage and access the device, and the access methods that may be used.

Each rule in an access profile contains an action and criteria (one or more parameters) to match. Each rule has a priority; rules with the lowest priority are checked first. If the incoming packet matches a rule, the action associated with the rule is performed. If no matching rule is found within the active access profile, the packet is dropped.

For example, you can limit access to the device from all IP addresses except IP addresses that are allocated to the IT management center. In this way, the device can still be managed and has gained another layer of security.

To add profile rules to an access profile, complete the following steps:

Procedure

Step 1

Click Security > Mgmt Access Method > Profile Rules.

Step 2

Select the Filter field, and an access profile. Click Go.

The selected access profile appears in the Profile Rule Table.

Step 3

Click Add to add a rule.

Step 4

Enter the parameters.

  • Access Profile Name—Select an access profile.

  • Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, as packets are matched on a first-fit basis.

  • Management Method—Select the management method for which the rule is defined. The options are:

    • All—Assigns all management methods to the rule

    • Telnet—Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access.

    • Secure Telnet (SSH)—Users requesting access to the device that meets the Telnet access profile criteria, are permitted or denied access.

    • HTTP—Assigns HTTP access to the rule Users requesting access to the device that meets the HTTP access profile criteria, are permitted or denied.

    • Secure HTTP (HTTPS)—Users requesting access to the device that meets the HTTPS access profile criteria, are permitted or denied.

    • SNMP—Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied.

  • Action—Select one of the following options.

    • Permit—Allow device access to users coming from the interface and IP source defined in this rule.

    • Deny—Deny device access to users coming from the interface and IP source defined in this rule.

  • Applies to Interface—Select the interface attached to the rule. The options are:

    • All—Applies to all ports, VLANs, and LAGs

    • User Defined—Applies only to the port, VLAN, or LAG selected.

  • Interface—Enter the interface number if the User Defined option is selected for the field above.

  • Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:

    • All—Applies to all types of IP addresses

    • User Defined—Applies to only those types of IP addresses defined in the fields.

  • IP Version—Select the supported IP version of the source address: IPv6 or IPv4.

  • IP Address—Enter the source IP address.

  • Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Network Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix Length—Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.

Step 5

Click Apply, and the rule is added to the access profile.