
Restrict access to the Cisco switch based on the IP address

For added security, I wanted to limit access to my Cisco SG300-10 switch to a single IP address on my local subnet. After initially setting up my new switch a few weeks earlier, I was not happy to know that anyone connected to my LAN or WLAN could access the login page simply by knowing the IP address of the device.

In the end I sifted through the 500-page manual to understand how to block every IP address except the ones I wanted to allow for management access. After a lot of testing and several posts on the Cisco forums, I figured it out! In this article, I will outline the steps to configure access profiles and profile rules on the Cisco switch.

Note: the method I am about to describe also lets you limit access to any of the management services enabled on your switch. For example, you can restrict SSH, HTTP, HTTPS, Telnet or all of these services by source IP address.

Create profile and rules for management access

To get started, open the web interface of your switch, expand Security, then expand Mgmt Access Method. Click Access Profiles.

The first thing we need to do is create a new access profile. By default, you should only see the Console Only profile. You will also notice at the top that None is selected next to Active Access Profile. Once we have created our profile and its rules, we will have to select the profile name here to activate it.

Now click the Add button. This brings up a dialog where you can name your new profile and also add the first rule for it.

In that dialog, give your new profile a name. All the other fields describe the first rule that will be added to the new profile. For Rule Priority, you must choose a value between 1 and 65535. Cisco evaluates the rule with the lowest priority number first; if it does not match, the rule with the next lowest number is tried, and so on.

In my example, I chose a priority of 1 because I want this rule to be evaluated first. This rule will be the one that permits the IP address I want to give access to the switch. Under Management Method, you can choose a specific service or choose All, which applies the rule to every management service. In my case, I chose All because I have only SSH and HTTPS enabled and I manage both services from the same computer.

Note that if you want to protect only SSH and HTTPS, you will need to create two separate rules. The Action can be Deny or Permit. For my example, I chose Permit, since this rule is for the allowed IP address. After that, you can apply the rule to a specific interface on the device, or leave it set to All so that it applies to every port.

Under Applies to Source IP Address, choose User Defined and then choose Version 4, unless you are working in an IPv6 environment, in which case you would choose Version 6. Now type the IP address that will be allowed access, and a netmask whose set bits cover every part of the address you want the switch to examine.

For example, since my IP address is 192.168.1.233 and the entire address has to be examined, I need a netmask of 255.255.255.255. If I wanted the rule to apply to everyone on the whole subnet, I would use a mask of 255.255.255.0, which would mean anyone with a 192.168.1.x address is permitted. That is not what I want, of course, but I hope it explains how the netmask is used. Note that this netmask is not the subnet mask of your network: it simply tells the switch which bits of the source address to compare when applying the rule (1 bits are compared, 0 bits are ignored).

Click Apply and you should now have a new access profile and rule. Click Profile Rules in the left-hand menu and you should see the new rule listed there.

Now we need to add our second rule. To do this, click the Add button below the Profile Rules table.

The second rule is really simple. First, make sure the access profile name is the one we just created. Give the rule a priority of 2 and choose Deny for the action. Make sure everything else is set to All. This means that all IP addresses are blocked. However, since our first rule is processed first, the permitted IP address gets through: once a rule has matched, the remaining rules are ignored. An address that does not match the first rule falls through to this second rule, where it matches and is blocked. Beautiful!

Finally, we need to activate the new access profile. To do this, go back to Access Profiles and select the new profile from the drop-down list at the top (next to Active Access Profile). Make sure to click Apply, and you should be set.

Remember that the configuration is currently held only in the running configuration. Make sure you go to Administration > File Management > Copy/Save Configuration to copy the running configuration to the startup configuration, otherwise the profile is lost on the next reboot.

If you want to allow more than one IP address to access the switch, simply create another rule like the first one, but give it a higher priority number. You will also need to change the priority number of the Deny rule so that it is higher than that of every Permit rule; otherwise the Deny rule is evaluated before the new Permit rule and the additional address is blocked. If you run into problems or can't get it to work, feel free to post in the comments and I will try to help. Enjoy!
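The following is an added example, not code from the original article or from Cisco: a small Python model of how the profile rules described above are evaluated, so you can sanity-check a rule set (priority order, netmask bits, and the "Deny rule numbered below a Permit rule" mistake from the last paragraph) before activating it on the switch. It models only what the article states: rules are tried in ascending order of their priority number, the first match decides, and the netmask marks which bits of the source address are compared. The rule names, the profile constants, the `check_profile` warnings and the `None` result for "no rule matched" are my own assumptions for the model, not documented switch behaviour.

```python
"""Model of Cisco SG300 management-access profile rule evaluation.

Added example, not the article's or Cisco's code. Assumptions (mine):
rules are sorted by ascending priority number, the first matching rule
decides, the netmask selects the bits of the source address that are
compared, and an address matching no rule yields None (the model does
not guess what the switch does in that case).
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    priority: int           # 1..65535; the lowest number is evaluated first
    action: str             # "permit" or "deny"
    source: Optional[str]   # None stands for "All" in the GUI
    mask: Optional[str]     # 1 bits are compared, 0 bits are ignored

    def matches(self, ip: str) -> bool:
        if self.source is None:          # source "All" matches every address
            return True
        ip_bits = int(ipaddress.IPv4Address(ip))
        src_bits = int(ipaddress.IPv4Address(self.source))
        mask_bits = int(ipaddress.IPv4Address(self.mask))
        return (ip_bits & mask_bits) == (src_bits & mask_bits)


def evaluate(rules: List[Rule], ip: str) -> Optional[str]:
    """Return the action of the first matching rule, or None if nothing matched."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ip):
            return rule.action
    return None


def check_profile(rules: List[Rule]) -> List[str]:
    """Checks worth running before a profile is activated (my own checks)."""
    problems = []
    seen = set()
    for r in rules:
        if not 1 <= r.priority <= 65535:
            problems.append(f"priority {r.priority} out of range 1..65535")
        if r.action not in ("permit", "deny"):
            problems.append(f"unknown action {r.action!r}")
        if r.priority in seen:
            problems.append(f"duplicate priority {r.priority}")
        seen.add(r.priority)
    deny_all = [r for r in rules if r.action == "deny" and r.source is None]
    permits = [r for r in rules if r.action == "permit"]
    if not deny_all:
        problems.append("no catch-all deny rule: unmatched hosts are not blocked")
    for d in deny_all:
        for p in permits:
            if p.priority > d.priority:   # deny is evaluated first: permit is dead
                problems.append(f"permit for {p.source} (priority {p.priority}) "
                                f"is shadowed by deny-all at priority {d.priority}")
    return problems


# The two rules from the article (constructed to match its example values).
ARTICLE_PROFILE = [
    Rule(1, "permit", "192.168.1.233", "255.255.255.255"),
    Rule(2, "deny", None, None),
]

# A second admin host added at priority 3 without moving the deny rule:
# the mistake the article's last paragraph warns about.
MISORDERED_PROFILE = ARTICLE_PROFILE + [
    Rule(3, "permit", "192.168.1.10", "255.255.255.255"),
]

# The fix: the deny-all rule gets a higher number than every permit rule.
CORRECTED_PROFILE = [
    Rule(1, "permit", "192.168.1.233", "255.255.255.255"),
    Rule(3, "permit", "192.168.1.10", "255.255.255.255"),
    Rule(100, "deny", None, None),
]

# Whole-subnet variant from the article: 255.255.255.0 ignores the last octet.
SUBNET_PROFILE = [
    Rule(1, "permit", "192.168.1.233", "255.255.255.0"),
    Rule(2, "deny", None, None),
]

if __name__ == "__main__":
    profiles = [("article", ARTICLE_PROFILE), ("misordered", MISORDERED_PROFILE),
                ("corrected", CORRECTED_PROFILE), ("subnet", SUBNET_PROFILE)]
    for name, profile in profiles:
        for host in ("192.168.1.233", "192.168.1.10", "192.168.2.10"):
            print(f"{name:10s} {host:15s} -> {evaluate(profile, host)}")
        for problem in check_profile(profile):
            print(f"{name:10s} WARNING: {problem}")
```

Running the script shows the misordered profile still denying 192.168.1.10 even though a Permit rule exists for it, and `check_profile` flags that rule as shadowed; the corrected profile permits both admin hosts and denies everything else.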