Restrict Access to Cisco Switch Based on IP Address
For added security, I wanted to restrict access to my Cisco SG300-10 switch to only one IP address in my local subnet. After initially configuring my new switch a few weeks back, I wasn’t happy knowing that anyone connected to my LAN or WLAN could get to the login page by just knowing the IP address for the device.
I ended up sifting through the 500-page manual to figure out how to go about blocking all IP addresses except the ones that I wanted for management access. After a lot of testing and several posts to the Cisco forums, I figured it out! In this article, I’ll walk you through the steps to configure access profiles and profile rules for your Cisco switch.
Note: The following method I am going to describe also allows you to restrict access to any number of enabled services on your switch. For example, you can restrict access to SSH, HTTP, HTTPS, Telnet, or all of these services by IP address.
Create Management Access Profile & Rules
To get started, log into the web interface for your switch and expand Security and then expand Mgmt Access Method. Go ahead and click on Access Profiles.
The first thing we need to do is create a new access profile. By default, you should only see the Console Only profile. Also, you’ll notice at the top that None is selected next to Active Access Profile. Once we have created our profile and rules, we’ll have to select the name of the profile here in order to activate it.
Now click on the Add button and this should bring up a dialog box where you’ll be able to name your new profile and also add the first rule for the new profile.
At the top, give your new profile a name. All the other fields relate to the first rule that will be added to the new profile. For Rule Priority, you have to choose a value between 1 and 65535. The way Cisco works is that the rule with the lowest priority number is applied first. If it doesn’t match, then the rule with the next-lowest priority number is applied.
In my example, I chose a priority of 1 because I want this rule to be processed first. This rule will be the one that allows the IP address that I want to give access to the switch. Under Management Method, you can either choose a specific service or choose all, which will restrict everything. In my case, I chose all because I only have SSH and HTTPS enabled anyway and I manage both services from one computer.
Note that if you want to secure only SSH and HTTPS, then you’ll need to create two separate rules. The Action can only be Deny or Permit. For my example, I chose Permit since this will be for the allowed IP. Next, you can apply the rule to a specific interface on the device or you can just leave it at All so that it applies to all ports.
Under Applies to Source IP Address, we have to choose User Defined here and then choose Version 4, unless you are working in an IPv6 environment in which case you would choose Version 6. Now type in the IP address that will be allowed access and type in a network mask that matches all the relevant bits to be looked at.
For example, since my IP address is 192.168.1.233, the whole IP address needs to be examined and hence I need a network mask of 255.255.255.255. If I wanted the rule to apply to everyone on the entire subnet, then I would use a mask of 255.255.255.0. That would mean anyone with a 192.168.1.x address would be permitted. That’s not what I want to do, obviously, but hopefully that explains how to use the network mask. Note that the network mask is not the subnet mask for your network. The network mask simply says which bits Cisco should look at when applying the rule.
Click Apply and you should now have a new access profile and rule! Click on Profile Rules in the left-hand menu and you should see the new rule listed at the top.
Now we need to add our second rule. To do this, click on the Add button shown under the Profile Rule Table.
The second rule is really simple. Firstly, make sure that the Access Profile Name is the same one we just created. Now, we just give the rule a priority of 2 and choose Deny for the Action. Make sure everything else is set to All. This means that all IP addresses will be blocked. However, since our first rule will be processed first, that IP address will be permitted. Once a rule is matched, the other rules are ignored. If an IP address doesn’t match the first rule, it’ll come to this second rule, where it will match and be blocked. Nice!
Finally, we have to activate the new access profile. To do that, go back to Access Profiles and select the new profile from the drop down list at the top (next to Active Access Profile). Make sure to click Apply and you should be good to go.
Remember that the configuration is currently only saved in the running config. Make sure you go to Administration – File Management – Copy/Save Configuration to copy the running config to the startup config.
If you want to allow more than one IP address access to the switch, just create another rule like the first one, but give it a higher priority number. You’ll also have to make sure that you change the priority of the Deny rule so that it has a higher priority number than all of the Permit rules. If you run into any problems or can’t get this to work, feel free to post in the comments and I’ll try to help. Enjoy!
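The whole procedure above (priority order, the Permit rule with its network mask, the catch-all Deny, and the extra Permit rules for additional addresses) can be dry-run before touching the switch. The following is an added example written for this article, not Cisco software or anything from the SG300 manual: it simulates the first-match evaluation the article describes and flags Permit rules that the Deny rule would shadow. The port name `gi1`, the second management address 192.168.1.10 and the `NoMatch` result are assumptions made for the example; the article does not say what the switch does when no rule matches, which is exactly why the author always ends the profile with a Deny-all rule.

```python
"""Simulate a Cisco SG300 management access profile: rules are checked from the
lowest priority number upward and the first matching rule decides.
Illustrative code only; it is not the switch's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL = "All"


@dataclass(frozen=True)
class Rule:
    """One line of the Profile Rule Table, using the article's field names."""
    priority: int                   # 1..65535; the lowest number is checked first
    action: str                     # "Permit" or "Deny"
    method: str = ALL               # Management Method: "All", "SSH", "HTTPS", ...
    interface: str = ALL            # "All" or a port name (assumed form, e.g. "gi1")
    source: Optional[str] = None    # None = Applies to Source IP Address: All
    mask: Optional[str] = None      # network mask: a 1 bit means "compare this bit"

    def __post_init__(self):
        if not 1 <= self.priority <= 65535:
            raise ValueError("Rule Priority must be between 1 and 65535")
        if self.action not in ("Permit", "Deny"):
            raise ValueError("Action can only be Permit or Deny")
        if (self.source is None) != (self.mask is None):
            raise ValueError("source and mask must be given together")


def ip_matches(addr: str, rule: Rule) -> bool:
    """True if addr agrees with rule.source on every bit set in rule.mask.
    255.255.255.255 compares the whole address; 255.255.255.0 compares only the
    first three octets, so anyone in 192.168.1.x matches."""
    if rule.source is None:
        return True
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(rule.source))
    m = int(ipaddress.IPv4Address(rule.mask))
    return (a & m) == (s & m)


def evaluate(rules: List[Rule], src_ip: str, method: str, interface: str = "gi1") -> str:
    """Return the Action of the first rule (by priority number) whose Management
    Method, interface and source address all match. "NoMatch" is returned when no
    rule applies; the switch's behaviour in that case is not covered by the article."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.method != ALL and rule.method != method:
            continue
        if rule.interface != ALL and rule.interface != interface:
            continue
        if not ip_matches(src_ip, rule):
            continue
        return rule.action
    return "NoMatch"


def shadowed_permits(rules: List[Rule]) -> List[Rule]:
    """Permit rules that can never match because a Deny rule covering all sources,
    methods and interfaces has a lower (earlier) priority number. This is the
    mistake to avoid when adding a second management address."""
    catch_all = [r for r in rules if r.action == "Deny" and r.source is None
                 and r.method == ALL and r.interface == ALL]
    if not catch_all:
        return []
    first_deny = min(r.priority for r in catch_all)
    return [r for r in rules if r.action == "Permit" and r.priority > first_deny]


# The profile built in the article: one management station, everything else denied.
ARTICLE_PROFILE = [
    Rule(priority=1, action="Permit", source="192.168.1.233", mask="255.255.255.255"),
    Rule(priority=2, action="Deny"),
]

# A second station added correctly: the Deny rule is renumbered above every Permit.
# 192.168.1.10 is a constructed address for the example.
TWO_STATIONS_OK = [
    Rule(priority=1, action="Permit", source="192.168.1.233", mask="255.255.255.255"),
    Rule(priority=2, action="Permit", source="192.168.1.10", mask="255.255.255.255"),
    Rule(priority=3, action="Deny"),
]

# The same addition with the Deny rule left at 2: the new Permit is never reached.
TWO_STATIONS_BROKEN = [
    Rule(priority=1, action="Permit", source="192.168.1.233", mask="255.255.255.255"),
    Rule(priority=2, action="Deny"),
    Rule(priority=3, action="Permit", source="192.168.1.10", mask="255.255.255.255"),
]

if __name__ == "__main__":
    for ip in ("192.168.1.233", "192.168.1.10", "192.168.1.50"):
        print(ip, evaluate(ARTICLE_PROFILE, ip, "HTTPS"),
              evaluate(TWO_STATIONS_OK, ip, "SSH"),
              evaluate(TWO_STATIONS_BROKEN, ip, "SSH"))
    print("shadowed:", shadowed_permits(TWO_STATIONS_BROKEN))
```

Running the script shows 192.168.1.233 permitted and 192.168.1.50 denied under all three profiles, while 192.168.1.10 is permitted only by the correctly renumbered profile; `shadowed_permits` names the rule that the misplaced Deny hides. The mask logic also reproduces the article's subnet case: a Permit rule for 192.168.1.0 with mask 255.255.255.0 matches any 192.168.1.x source.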