Overview
Overview
The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means:
Telnet and other terminal emulation applications
The WebAgent
SSH
SNMP versions 1, 2 and 3 (with a correct community name)
TFTP
When configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, and RADIUS. This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features. If the Authorized IP Managers feature disallows access to the device, then access is denied. Thus, with authorized IP managers configured, having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch Authorized IP Managers configuration.
Use Authorized IP Managers along with other access security features to provide a more comprehensive security fabric than if you use only one or two security options.
NOTE: When no Authorized IP Manager rules are configured, the access method feature is disabled and access is not denied. | |
For each authorized manager address, you can configure either of these access levels:
Manager
Enables full access to all screens for viewing, configuration, and all other operations available.
Operator
Allows read-only access. (This is the same access that is allowed by the switch operator-level password feature.)
Configure up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations
CAUTION: Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port. Also, if an unauthorized station "spoofs" an authorized IP address, it can gain management access to the switch even though a duplicate IP address condition exists. For these reasons, you should enhance your network's security by keeping physical access to the switch restricted to authorized personnel, using the user name/password and other security features available in the switch, and preventing unauthorized access to data on your management stations. | |
About using authorized IP Managers
The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means:
Telnet and other terminal emulation applications
The WebAgent –
SSH
SNMP versions 1, 2 and 3(with a correct community name)
TFTP
Also, when configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, and RADIUS. This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features. If the Authorized IP Managers feature disallows access to the device, then access is denied. Thus, with authorized IP managers configured, having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch’s Authorized IP Managers configuration.
You can use Authorized IP Managers along with other access security features to provide a more comprehensive security fabric than if you use only one or two security options.
NOTE: When no Authorized IP manager rules are configured, the access method feature is disabled, that is, access is not denied. | |
Options
You can configure:
Up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations
Manager or Operator access privileges
CAUTION: Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port. Also, if an unauthorized station “spoofs” an authorized IP address, it can gain management access to the switch even though a duplicate IP address condition exists. For these reasons, you should enhance your network’s security by keeping physical access to the switch restricted to authorized personnel, using the user name/password and other security features available in the switch, and preventing unauthorized access to data on your management stations. | |
Access Levels
For each authorized manager address, you can configure either of these access levels:
Manager: Enables full access to all screens for viewing, configuration, and all other operations available.
Operator: Allows read-only access. (This is the same access that is allowed by the switch’s operator-level password feature.)
Defining authorized management stations
Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to
255.255.255.255
. This is the easiest way to use the Authorized Managers feature. For more on this topic, see Building IP Masks: Configuring one station per Authorized Manager IP entry.Authorizing Multiple Stations: The table entry uses the IP Mask to authorize access to the switch from a defined group of stations. This is useful if you want to easily authorize several stations to have access to the switch without having to type in an entry for every station. All stations in the group defined by the one Authorized Manager IP table entry and its associated IP mask will have the same access level—Manager or Operator. For more on this topic, see Building IP Masks: Configuring multiple stations per Authorized Manager IP entry.
To configure the switch for authorized manager
access, enter the appropriate Authorized Manager IP value,
specify an IP Mask, and select either Manager
or Operator
for
the Access Level. The IP Mask determines how
the Authorized Manager IP value is used to allow or deny access to
the switch by a management station.
NOTE: If the management VLAN is configured, access can only be on that VLAN. | |
Overview of IP mask operation
The default IP Mask is 255.255.255.255 and allows
switch access only to a station having an IP address that is identical
to the Authorized Manager IP parameter value. ("255" in
an octet of the mask means that only the exact value in the corresponding
octet of the Authorized Manager IP parameter is allowed in the IP
address of an authorized management station.) However, you can alter
the mask and the Authorized Manager IP parameter to specify ranges
of authorized IP addresses. For example, a mask of 255.255.255.0
and
any value for the Authorized Manager IP parameter allows a range of
0 through 255 in the 4th octet of the authorized IP address, which
enables a block of up to 254 IP addresses for IP management access
(excluding 0 for the network and 255 for broadcasts). A mask of 255.255.255.252
uses
the 4th octet of a given Authorized Manager IP address to authorize
four IP addresses for management station access. The details on how
to use IP masks are provided under Building IP Masks: Configuring one station per Authorized Manager
IP entry.
NOTE: The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner. | |
Operating notes
Network Security Precautions | Enhance your network's security by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and preventing unauthorized access to data on your management stations. |
Modem and Direct Console Access | Configuring authorized IP managers does not protect against access to the switch through a modem or direct Console (RS-232) port connection. |
Duplicate IP Addresses | If the IP address configured in an authorized management station is also configured (or "spoofed") in another station, the other station can gain management access to the switch even though a duplicate IP address condition exists. |
Web Proxy Servers | If you use the WebAgent to access the switch from an authorized IP manager station, it is recommended that you avoid the use of a web proxy server in the path between the station and the switch. This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list. This reduces security by opening switch access to anyone who uses the web proxy server. The following two options outline how to eliminate a web proxy server from the path between a station and the switch:
|