Overview

Overview

The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means:

  • Telnet and other terminal emulation applications

  • The WebAgent

  • SSH

  • SNMP versions 1, 2 and 3 (with a correct community name)

  • TFTP

When configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, and RADIUS. This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features. If the Authorized IP Managers feature disallows access to the device, then access is denied. Thus, with authorized IP managers configured, having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch Authorized IP Managers configuration.

Use Authorized IP Managers along with other access security features to provide a more comprehensive security fabric than if you use only one or two security options.


[NOTE: ]

NOTE: When no Authorized IP Manager rules are configured, the access method feature is disabled and access is not denied.


For each authorized manager address, you can configure either of these access levels:

  • Manager

    Enables full access to all screens for viewing, configuration, and all other operations available.

  • Operator

    Allows read-only access. (This is the same access that is allowed by the switch operator-level password feature.)

Configure up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations


[CAUTION: ]

CAUTION: Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port. Also, if an unauthorized station "spoofs" an authorized IP address, it can gain management access to the switch even though a duplicate IP address condition exists. For these reasons, you should enhance your network's security by keeping physical access to the switch restricted to authorized personnel, using the user name/password and other security features available in the switch, and preventing unauthorized access to data on your management stations.


About using authorized IP Managers

The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means:

  • Telnet and other terminal emulation applications

  • The WebAgent –

  • SSH

  • SNMP versions 1, 2 and 3(with a correct community name)

  • TFTP

Also, when configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, and RADIUS. This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features. If the Authorized IP Managers feature disallows access to the device, then access is denied. Thus, with authorized IP managers configured, having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch’s Authorized IP Managers configuration.

You can use Authorized IP Managers along with other access security features to provide a more comprehensive security fabric than if you use only one or two security options.


[NOTE: ]

NOTE: When no Authorized IP manager rules are configured, the access method feature is disabled, that is, access is not denied.


Options

You can configure:

  • Up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations

  • Manager or Operator access privileges


[CAUTION: ]

CAUTION: Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port. Also, if an unauthorized station “spoofs” an authorized IP address, it can gain management access to the switch even though a duplicate IP address condition exists. For these reasons, you should enhance your network’s security by keeping physical access to the switch restricted to authorized personnel, using the user name/password and other security features available in the switch, and preventing unauthorized access to data on your management stations.


Access Levels

For each authorized manager address, you can configure either of these access levels:

  • Manager: Enables full access to all screens for viewing, configuration, and all other operations available.

  • Operator: Allows read-only access. (This is the same access that is allowed by the switch’s operator-level password feature.)

Defining authorized management stations

  • Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature. For more on this topic, see Building IP Masks: Configuring one station per Authorized Manager IP entry.

  • Authorizing Multiple Stations: The table entry uses the IP Mask to authorize access to the switch from a defined group of stations. This is useful if you want to easily authorize several stations to have access to the switch without having to type in an entry for every station. All stations in the group defined by the one Authorized Manager IP table entry and its associated IP mask will have the same access level—Manager or Operator. For more on this topic, see Building IP Masks: Configuring multiple stations per Authorized Manager IP entry.

To configure the switch for authorized manager access, enter the appropriate Authorized Manager IP value, specify an IP Mask, and select either Manager or Operator for the Access Level. The IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the switch by a management station.


[NOTE: ]

NOTE: If the management VLAN is configured, access can only be on that VLAN.


Overview of IP mask operation

The default IP Mask is 255.255.255.255 and allows switch access only to a station having an IP address that is identical to the Authorized Manager IP parameter value. ("255" in an octet of the mask means that only the exact value in the corresponding octet of the Authorized Manager IP parameter is allowed in the IP address of an authorized management station.) However, you can alter the mask and the Authorized Manager IP parameter to specify ranges of authorized IP addresses. For example, a mask of 255.255.255.0 and any value for the Authorized Manager IP parameter allows a range of 0 through 255 in the 4th octet of the authorized IP address, which enables a block of up to 254 IP addresses for IP management access (excluding 0 for the network and 255 for broadcasts). A mask of 255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under Building IP Masks: Configuring one station per Authorized Manager IP entry.


[NOTE: ]

NOTE: The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner.


Operating notes

Network Security Precautions

Enhance your network's security by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and preventing unauthorized access to data on your management stations.

Modem and Direct Console Access

Configuring authorized IP managers does not protect against access to the switch through a modem or direct Console (RS-232) port connection.

Duplicate IP Addresses

If the IP address configured in an authorized management station is also configured (or "spoofed") in another station, the other station can gain management access to the switch even though a duplicate IP address condition exists.

Web Proxy Servers

If you use the WebAgent to access the switch from an authorized IP manager station, it is recommended that you avoid the use of a web proxy server in the path between the station and the switch. This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list. This reduces security by opening switch access to anyone who uses the web proxy server. The following two options outline how to eliminate a web proxy server from the path between a station and the switch:

  • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interface you are using on the authorized station.

  • If you don’t need proxy server access at all on the authorized station, then just disable the proxy server feature in the station’s web browser interface.