Management ACL Commands 1413
68
Management ACL Commands
In order to ensure the security of the switch management features, the
administrator may elect to configure a management access control list. The
Management Access Control and Administration List (ACAL) component is
used to ensure that only known and trusted devices are allowed to remotely
manage the switch via TCP/IP. Management ACLs are only configurable on
IP (in-band) interfaces, not on the service port.
When a Management ACAL is e nabled, incoming TCP packet s initiating a
connection (TCP SYN) and all UDP packets will be filtered based on their
source IP address and destination port. Additionally, other attributes such as
incoming port (or port-channel) and VLAN ID can be used to determine if
the traffic should be allowed to the management interface. When the
component is disabled, incoming TCP/UDP packets are not filtered and are
processed normally.
There is also an option to restrict all the above packets from the network
interface. This is done by specifying “console only” in the MACAL
component. If this is enabled, the syste ms management interface is only
accessible via the serial port. All TCP SYN packets and UDP packets are
dropped except UDP packets sent to the DHCP Server or DHCP Client
ports.
Commands in this Chapter
This chapter explains the following commands:
deny (management) permit (management)
management access-class show management access-class
management access-list show management access-list
2CSPC4.XCT-SWUM2XX1.book Page 1413 Monday, October 3, 2011 11:05 AM