deny (Management)
To set permit rules (ACEs) for the management access list (ACL), use the deny Management Access-list Configuration mode command.
Syntax
deny [interface-id] [service service]
deny ip-source {ipv4-address | ipv6-address/ipv6-prefix-length} [mask {mask |
prefix-length}] [interface-id] [service service]
Parameters
- interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port, Port-channel or VLAN
- service service—(Optional) Specifies the service type. Possible values are: Telnet, SSH, HTTP, HTTPS and SNMP.
- ipv4-address—Specifies the source IPv4 address.
- ipv6-address/ipv6-prefix-length—Specifies the source IPv6 address and source IPv6 address prefix length. The prefix length must be preceded by a forward slash (/). The parameter is optional.
- mask mask—Specifies the source IPv4 address network mask. The parameter is relevant only to IPv4 addresses.
- mask prefix-length—Specifies the number of bits that comprise the source IPv4 address prefix. The prefix length must be preceded by a forward slash
(/). The parameter is relevant only to IPv4 addresses. (Range: 0–32)
Default Configuration
No rules are configured.
Command Mode
Management Access-list Configuration mode
User Guidelines
Rules with ethernet, VLAN, and port-channel parameters are valid only if an IP address is defined on the appropriate interface.
Example
The following example denies all ports in the ACL called mlist.
switchxxxxxx(config)# management access-list mlist switchxxxxxx(config-macl)# deny |
permit (Management)
To set permit rules (ACEs) for the management access list (ACL), use the permit Management Access-list Configuration mode command.
Syntax
permit [interface-id] [service service]
permit ip-source {ipv4-address | ipv6-address/ipv6-prefix-length} [mask {mask |
prefix-length}] [interface-id] [service service]
Parameters
- interface-id —(Optional) Specify an interface ID. The interface ID can be one of the following types: Ethernet port, Port-channel or VLAN
- service service — (Optional) Specifies the service type. Possible values are: Telnet, SSH, HTTP, HTTPS and SNMP.
- ipv4-address — Specifies the source IPv4 address.
- ipv6-address/ipv6-prefix-length — Specifies the source IPv6 address and source IPv6 address prefix length. The prefix length must be preceded by a forward slash (/). The parameter is optional.
- mask mask — Specifies the source IPv4 address network mask. This parameter is relevant only to IPv4 addresses.
- mask prefix-length — Specifies the number of bits that comprise the source IPv4 address prefix. The prefix length must be preceded by a forward slash
(/). This parameter is relevant only to IPv4 addresses. (Range: 0–32)
Default Configuration
No rules are configured.
Command Mode
Management Access-list Configuration mode
User Guidelines
Rules with Ethernet, VLAN, and port-channel parameters are valid only if an IP address is defined on the appropriate interface.
Example
The following example permits all ports in the ACL called mlist
switchxxxxxx(config)# management access-list mlist switchxxxxxx(config-macl)# permit |
management access-list
To configure a management access list (ACL) and enter the Management
Access-list Configuration mode, use the management access-list Global Configuration mode command. To delete an ACL, use the no form of this command.
Syntax management access-list name no management access-list name
Parameters
name—Specifies the ACL name. (Length: 1–32 characters)
Default Configuration
N/A
Command Mode
Global Configuration mode
User Guidelines
Use this command to configure a management access list. This command enters the Management Access-list Configuration mode, where the denied or permitted access conditions are defined with the deny and permit commands.
If no match criteria are defined, the default value is deny.
When re-entering the access-list context, the new rules are entered at the end of the access list.
Use the management access-class command to select the active access list.
The active management list cannot be updated or removed.
For IPv6 management traffic that is tunneled in IPv4 packets, the management ACL is applied first on the external IPv4 header (rules with the service field are ignored), and then again on the inner IPv6 header.
Examples
Example 1 – The following example creates a management access list called mlist, configures management te1/0/1 and te1/0/9, and makes the new access list the active list.
switchxxxxxx(config)# management access-list mlist switchxxxxxx(config-macl)# permit te1/0/1 switchxxxxxx(config-macl)# permit te1/0/9 switchxxxxxx(config-macl)# exit switchxxxxxx(config)# |
Example 2 – The following example creates a management access list called ‘mlist’, configures all interfaces to be management interfaces except te1/0/1 and te1/0/9, and makes the new access list the active list.
switchxxxxxx(config)# management access-list mlist switchxxxxxx(config-macl)# deny te1/0/1 switchxxxxxx(config-macl)# deny te1/0/9 switchxxxxxx(config-macl)# permit switchxxxxxx(config-macl)# exit switchxxxxxx(config)# |
management access-class
To restrict management connections by defining the active management access list (ACL), use the management access-class Global Configuration mode command. To disable management connection restrictions, use the no form of this command.
Syntax
management access-class {console-only | name} no management access-class
Parameters
- console-only—Specifies that the device can be managed only from the console.
- name—Specifies the ACL name to be used. (Length: 1–32 characters)
Default Configuration
The default configuration is no management connection restrictions.
Command Mode
Global Configuration mode
Example
The following example defines an access list called mlist as the active management access list.
switchxxxxxx(config)# management access- class mlist |
show management access-list
To display management access lists (ACLs), use the show management access-list Privileged EXEC mode command.
Syntax show management access-list [name]
Parameters
name—(Optional) Specifies the name of a management access list to be displayed. (Length: 1–32 characters)
Default Configuration
All management ACLs are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the mlist management ACL.
switchxxxxxx# show management access-list mlist m1 -deny service telnet permit te1/0/1 service telnet ! (Note: all other access implicitly denied) console(config-macl)# |
show management access-class
To display information about the active management access list (ACLs), use the show management access-class Privileged EXEC mode command.
Syntax show management access-class
Parameters
This command has no arguments or keywords.
Command Mode
Privileged EXEC mode
Example
The following example displays the active management ACL information.
switchxxxxxx# show management access-class Management access-class is enabled, using access list mlist |
Leave A Comment?