Management ACLs filter the packets used to manage the switch.
First, create a dedicated access list with the management keyword:
console(config)# management access-list AdminList
You can restrict access by source VLAN, IP address, or subnet, for specific services.
The list of services is restricted to:
– Telnet
– SSH
– HTTP(S)
– TFTP
– SNMP
– SNTP
– any (the word "any" includes all of them.)
You can also specify a priority to order the entries.
For example, you can do this:
console(config-macl)# permit ip-source 192.168.99.1 service snmp
console(config-macl)# permit ip-source 192.168.100.10 service snmp
console(config-macl)# permit ip-source 192.168.99.1 service ssh
console(config-macl)# permit ip-source 192.168.100.10 service ssh
console(config-macl)# deny vlan 666 service any
console(config-macl)# deny ip-source 192.168.10.0 mask /24 service ssh
console(config-macl)# deny ip-source 192.168.200.0 mask /24 vlan 200 service snmp
Then bind the list to the switch with the management access-class command:
console(config)#management access-class AdminList
Keep in mind:
If one of these services is not running, there is no need to add it to the management access list.
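The following is an added example, not the switch vendor's code or the original post's: a small offline evaluator that parses entries in the syntax shown above and reports whether a given source address, VLAN and service would be permitted, plus a check for entries that can never match because an earlier entry already covers them. It assumes (labelled as such) that entries are evaluated in priority order, here taken to be the order typed, that the first matching entry decides, and that a bound list denies anything it does not explicitly permit. The entry list is the post's own, embedded as constructed sample input.

```python
"""Offline evaluator for a switch management access-list (added example, not
the vendor's code). Assumptions, labelled: entries are checked in priority
order (here: the order typed), the first matching entry decides, and traffic
matching no entry is denied once the list is bound with management access-class."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICES = {"telnet", "ssh", "http", "https", "tftp", "snmp", "sntp"}

# Constructed sample: the entries from the post, one per line, in priority order.
SAMPLE_ENTRIES = [
    "permit ip-source 192.168.99.1 service snmp",
    "permit ip-source 192.168.100.10 service snmp",
    "permit ip-source 192.168.99.1 service ssh",
    "permit ip-source 192.168.100.10 service ssh",
    "deny vlan 666 service any",
    "deny ip-source 192.168.10.0 mask /24 service ssh",
    "deny ip-source 192.168.200.0 mask /24 vlan 200 service snmp",
]


@dataclass
class Entry:
    action: str                                # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network]    # None = any source address
    vlan: Optional[int]                        # None = any VLAN
    service: str                               # a SERVICES member or "any"


def parse_entry(line: str) -> Entry:
    """Parse '<permit|deny> [ip-source A [mask /N|M]] [vlan V] [service S]'."""
    tok = line.split()
    if not tok or tok[0] not in ("permit", "deny"):
        raise ValueError(f"entry must start with permit/deny: {line!r}")
    source, vlan, service = None, None, "any"
    i = 1
    while i < len(tok):
        key = tok[i]
        if key == "ip-source":
            addr, i = tok[i + 1], i + 2
            prefix = 32                        # bare address = single host
            if i < len(tok) and tok[i] == "mask":
                mask, i = tok[i + 1], i + 2
                # accept '/24' as well as a dotted mask such as 255.255.255.0
                prefix = (int(mask[1:]) if mask.startswith("/")
                          else ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen)
            source = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
        elif key == "vlan":
            vlan, i = int(tok[i + 1]), i + 2
        elif key == "service":
            service, i = tok[i + 1].lower(), i + 2
            if service != "any" and service not in SERVICES:
                raise ValueError(f"unknown service {service!r} in {line!r}")
        else:
            raise ValueError(f"unexpected token {key!r} in {line!r}")
    return Entry(tok[0], source, vlan, service)


def matches(e: Entry, ip: ipaddress.IPv4Address, vlan: int, service: str) -> bool:
    return ((e.source is None or ip in e.source)
            and (e.vlan is None or e.vlan == vlan)
            and (e.service == "any" or e.service == service))


def evaluate(entries, src_ip: str, vlan: int, service: str) -> str:
    """Return 'permit' or 'deny' for a management packet (first match wins)."""
    ip = ipaddress.IPv4Address(src_ip)
    for e in entries:
        if matches(e, ip, vlan, service.lower()):
            return e.action
    return "deny"        # assumed implicit deny at the end of a bound list


def covers(a: Entry, b: Entry) -> bool:
    """True when every packet matching b also matches a (a is at least as broad)."""
    return ((a.source is None or (b.source is not None and b.source.subnet_of(a.source)))
            and (a.vlan is None or a.vlan == b.vlan)
            and (a.service == "any" or a.service == b.service))


def find_shadowed(entries):
    """Indices of entries that can never match because an earlier entry covers them."""
    return [j for j, later in enumerate(entries)
            if any(covers(earlier, later) for earlier in entries[:j])]


if __name__ == "__main__":
    entries = [parse_entry(line) for line in SAMPLE_ENTRIES]
    for probe in [("192.168.99.1", 10, "snmp"), ("192.168.99.1", 10, "telnet"),
                  ("192.168.10.5", 10, "ssh"), ("192.168.200.7", 200, "snmp"),
                  ("192.168.100.10", 666, "ssh")]:
        print(probe, "->", evaluate(entries, *probe))
    print("shadowed entries:", find_shadowed(entries))
```

Running the sample shows why entry order matters: under first-match evaluation, SSH from 192.168.100.10 is permitted even when the packet arrives on VLAN 666, because the host-specific permit sits above the deny for that VLAN. If the intent is to block VLAN 666 outright, the deny needs a higher priority than the permits. find_shadowed catches the opposite mistake, an entry placed below a broader one that already decides every packet it could match.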