AT-8000S Security Management (original title: "At8000 s gerenciamento de seguranca")
Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
270
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Management Security and Access Control AT-8000S
  • 2. Management Access Control
    – For security reasons, only a selected, predefined group of users should be allowed to perform system management.
    – Rules act as filters that determine device management access based on:
      – Type of management application
      – Interface type and selection
      – Source IP address and network mask
    – Users can be denied or permitted management access.
    – This way network managers can control who is allowed to manage the networking devices.
  • 3. Management Security (diagram: EWS and Telnet management paths, labelled "Secure management port", "Secure management VLAN" and "Secure management IP address")
  • 4. Management Access Control System Spec AT-8000S
  • 5. Management Access Control List (MACL)
    – Management Access Control Lists (MACL) contain rules which determine device access via:
      – Console (ASCII terminal)
      – Telnet (CLI over Telnet)
      – SSH (CLI over Secure Shell)
      – EWS (HTTP, or HTTPS using SSL)
      – SNMP
    – A MACL can limit access to users identified by:
      – Ingress interface (Ethernet port, port channel or VLAN)
      – Source IP address
      – Source IP subnet (address plus mask)
  • 6. MACL – User Control
    – Management access can be set separately for each type of management (the set of users allowed Telnet may differ from the set allowed EWS, and so on).
    – The maximum number of MACL rules is 256 (across all criteria).
    – A specific management access method can be completely disabled by denying all user access to that management type.
    – By default, all management access to the system is enabled over all interfaces.
    – A specific command exists to enable console management only.
    – Management access via the system serial console is always enabled.
  • 7. MACL CLI Configuration AT-8000S
  • 8. CLI – Management Access Control List (MACL)
    – Use the following Global Configuration mode command to define an access list for a management access control list (MACL) and enter the access-list context for configuration. Use the "no" form of the command to remove a MACL:
      management access-list name
      no management access-list name
  • 9. CLI – MACL rules (permit)
    – Use the following MACL Configuration mode commands to define a MACL rule permitting a management service:
      permit [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
      permit ip-source ip-address [mask mask | prefix-length] [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
  • 10. CLI – MACL rules (permit) Notes:
    1) If no service is defined in the rule, it applies to all services.
    2) If no interface is defined, the rule applies to all interfaces.
    3) Use "permit" without any parameters to permit all access.
    4) The default rule (if no match is found) is to deny access.
  • 11. CLI – MACL rules (deny)
    – Use the following MACL Configuration mode commands to define a MACL rule denying a management service:
      deny [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
      deny ip-source ip-address [mask mask | prefix-length] [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
  • 12. CLI – Management Access Class
    – Use the following Global Configuration mode command to define which access list is activated for management connections. Use the "no" form of the command to disable the MACL:
      management access-class {console-only | name}
      no management access-class
    – Note: only one access class can be active on a device. Defining an additional class replaces the first.
  • 13. CLI Example – MACL
    – Defining and applying a MACL named "Secure" that:
      – denies Telnet access from port 1/e10
      – denies HTTP from VLAN 2 and ip-source 10.1.1.1/32
      – permits all other access
      – is then applied to the device
      console(config)# management access-list Secure
      console(config-macl)# deny ethernet 1/e10 service telnet
      console(config-macl)# deny ip-source 10.1.1.1 mask /32 vlan 2 service http
      console(config-macl)# permit
      console(config-macl)# exit
      console(config)# management access-class Secure
  • 14. CLI – Show Management Access
    – Use the following EXEC mode command to display management access lists:
      show management access-list [name]
    – Use the following EXEC mode command to display information about the active management access class:
      show management access-class
  • 15. CLI Example – Show MACL
      console# show management access-class
      Management access-class is enabled, using access-list Secure
      console# show management access-list
      Secure
      -----------
      deny ethernet 1/e10 service telnet
      deny ip-source 10.1.1.1 vlan 2 service http
      permit
      ! (Note: all other access implicitly denied)

      console-only
      ------------
      deny
      ! (Note: all other access implicitly denied)
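The rule semantics spread over slides 5 through 15 (interface, ip-source and service qualifiers, wildcard rules, implicit deny, console always allowed) are easier to reason about when written as a small evaluator. The block below is an added example written for this page, not Allied Telesis code and not something the AT-8000S runs; it parses rules in the slides' own CLI syntax, evaluates a management session against them, and adds the check a practitioner wants before typing "management access-class": would the session you are configuring from still be permitted? It assumes rules are matched in order with first match winning (the slide-13 example only behaves as described under that assumption), treats "mask /n" and a dotted "mask" as equivalent, and the session values and the "SSH_ONLY" list are constructed for the example.

```python
"""
Added example (not Allied Telesis code): an evaluator for AT-8000S-style
management access control lists (MACLs).  Modelled semantics, taken from the
slides: a rule matches on an optional ingress interface, an optional ip-source
with mask or prefix-length, and an optional service; no service means all
services; no interface means all interfaces; 'permit' alone permits everything;
no matching rule means deny; the serial console is never filtered.
Assumption of this example: rules are evaluated in order, first match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    interface: Optional[str] = None               # "ethernet 1/e10", "vlan 2", "port-channel 1"
    source: Optional[ipaddress.IPv4Network] = None  # ip-source plus mask/prefix-length
    service: Optional[str] = None                 # None = any service


@dataclass(frozen=True)
class Session:
    interface: str      # ingress interface of the management connection
    source_ip: str
    service: str        # "telnet", "ssh", "http", "https", "snmp" or "console"


def parse_rule(line: str) -> Rule:
    """Parse one MACL line, e.g. 'deny ip-source 10.1.1.1 mask /32 vlan 2 service http'."""
    tok = line.split()
    if not tok or tok[0] not in ("permit", "deny"):
        raise ValueError(f"not a MACL rule: {line!r}")
    action, interface, source, service = tok[0], None, None, None
    i = 1
    while i < len(tok):
        if tok[i] == "ip-source":
            addr, i = tok[i + 1], i + 2
            mask = "32"                            # bare ip-source = single host
            if i < len(tok) and tok[i] == "mask":  # 'mask /24' or 'mask 255.255.255.0'
                mask, i = tok[i + 1].lstrip("/"), i + 2
            source = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        elif tok[i] in ("ethernet", "vlan", "port-channel"):
            interface, i = f"{tok[i]} {tok[i + 1]}", i + 2
        elif tok[i] == "service":
            service, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unknown token {tok[i]!r} in {line!r}")
    return Rule(action, interface, source, service)


def rule_matches(rule: Rule, s: Session) -> bool:
    """A qualifier that is absent from the rule matches anything."""
    if rule.interface is not None and rule.interface != s.interface:
        return False
    if rule.source is not None and ipaddress.IPv4Address(s.source_ip) not in rule.source:
        return False
    if rule.service is not None and rule.service != s.service:
        return False
    return True


def evaluate(rules: List[Rule], s: Session) -> str:
    """Return 'permit' or 'deny' for a management session (first match wins)."""
    if s.service == "console":                     # serial console is always enabled
        return "permit"
    for r in rules:
        if rule_matches(r, s):
            return r.action
    return "deny"                                  # implicit deny when nothing matches


def would_lock_out(rules: List[Rule], admin: Session) -> bool:
    """Check before 'management access-class': would the admin's own session be cut off?"""
    return evaluate(rules, admin) == "deny"


# The 'Secure' list from the slides, parsed from the same CLI lines.
SECURE = [parse_rule(line) for line in (
    "deny ethernet 1/e10 service telnet",
    "deny ip-source 10.1.1.1 mask /32 vlan 2 service http",
    "permit",
)]

# A tighter list (constructed for this example): SSH only, from one management subnet.
SSH_ONLY = [parse_rule("permit ip-source 10.0.0.0 mask /24 service ssh")]

if __name__ == "__main__":
    for s in (Session("ethernet 1/e10", "10.1.1.5", "telnet"),
              Session("vlan 2", "10.1.1.1", "http"),
              Session("vlan 2", "10.1.1.1", "https"),
              Session("vlan 1", "10.0.0.7", "ssh")):
        print(f"Secure:   {s} -> {evaluate(SECURE, s)}")
        print(f"SSH_ONLY: {s} -> {evaluate(SSH_ONLY, s)}")
    print("lock-out risk for admin on 192.168.1.10:",
          would_lock_out(SSH_ONLY, Session("vlan 1", "192.168.1.10", "ssh")))
```

The evaluator makes two consequences of the slides visible: the "Secure" list still permits HTTPS and Telnet from 10.1.1.1 on VLAN 2, because its deny rules are scoped to one service and one port, while the SSH-only list silently denies everything else (SNMP included) through the implicit default rule, so an SNMP poller or an admin outside 10.0.0.0/24 is cut off the moment the access class is applied.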
  • 16. Thank You!!!
