Features of authorized IP managers
As with the configuration of IPv4 management stations, the authorized IP managers for IPv6 feature allow you to specify the IPv6-based stations that can access the switch.
- You can configure up to 100 authorized IPv4 and IPv6 manager entries on a switch, where each entry applies to either a single management station or a group of stations. Each authorized manager entry consists of an IPv4 or IPv6 address and a mask that determines the individual management stations that are allowed access.
Using the
ip authorized-managers
, you can configure authorized IPv4 manager addresses command. For more information, see "Using Authorized IP Managers" in the Access Security Guide.Using the
ipv6 authorized-managers
, you can configure authorized IPv6 manager addresses command.
- You can block all IPv4-based or all IPv6-based management stations from accessing the switch by entering the following commands:
To block access to all IPv4 manager addresses while allowing access to IPv6 manager addresses, enter the
ip authorized-managers 0.0.0.0
command.To block access to all IPv6 manager addresses while allowing access to IPv4 manager addresses, enter the
ipv6 authorized-managers ::
command. (The double colon represents an IPv6 address that consists of all zeros: 0:0:0:0:0:0:0:0.)
- You configure each authorized manager address with manager- or operator-level privilege to access the switch.
Manager privilege allows full access to all console interface screens for viewing, configuring, and all other operations available in these interfaces.
Operator privilege allows read-only access from the console interfaces.
When you configure station access to the switch using the authorized IP managers feature, the settings take precedence over the access configured with local passwords, TACACS+ servers, RADIUS-assigned settings, port-based (802.1X) authentication, and port security settings.
As a result, the IPv6 address of a networked management device must be configured with the authorized IP managers feature before the switch can authenticate the device using the configured settings from other access security features. If the authorized IP managers feature disallows access to the device, access is denied. Therefore, with authorized IP managers configured, logging in with the correct passwords is not sufficient to access a switch through the network unless the station requesting access is also authorized in the switch's authorized IP managers configuration.