Advantages of the Restricted Management Access feature on Instant 4.0
--------------------------------------------------------------------------------------------------
- Ability to restrict management access (SSH, Telnet and Web UI) to selected source subnets or hosts.
- When configured, management access is only allowed from configured subnets/hosts and denied from all other subnets/hosts.
- When no subnet/host is configured, access is allowed from all IPs/subnets – same as existing behavior.
- Does not affect management access from directly connected clients (wired or wireless clients on master IAP).
How the feature works:-
-------------------------------
The feature works by blocking management access to all AP-owned IPs using the uplink ACL (ACL 106).
On the master AP, ports 22, 23 and 4343 are denied to the following AP-owned IPs from all source subnets except the ones explicitly allowed:
- Physical interface IP
- Virtual Controller IP
- Magic VLAN gateway IP
- L3/NAT mode gateway IP
- VPN Tunnel IP
On slave APs, ports 22, 23 and 4343 are denied only to the slave AP's physical IP.
WEBUI configuration:-
CLI configuration:-
-----------------------
Configuration CLI --> restricted-mgmt-access <subnet> <mask> (use mask 255.255.255.255 for a single host)
Show CLI --> "show summary" includes a "Restricted Management Access Subnets" table listing the configured subnets
6c:f3:7f:c3:67:4a (config) # restricted-mgmt-access 10.0.0.0 255.0.0.0
6c:f3:7f:c3:67:4a (config) # end
6c:f3:7f:c3:67:4a# commit apply
committing configuration...
configuration committed.
6c:f3:7f:c3:67:4a#
6c:f3:7f:c3:67:4a# show summary | begin "Restricted Management Access"
Restricted Management Access Subnets
------------------------------------
Subnet IP Address Subnet Mask
----------------- -----------
10.0.0.0 255.0.0.0
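The enforcement described under "How the feature works", and the "show summary" table above, as a runnable Python model. This is an added example written for this article; it is not Aruba code and not the IAP's real ACL engine. The AP-owned addresses, the second (host, /32) subnet row, and the sample packets are constructed, and mgmt_access_decision is a simplified model of what ACL 106 does to one packet as the text describes it.

```python
"""Model of Instant 4.0 restricted-mgmt-access enforcement (added example, not Aruba code)."""
import ipaddress
from dataclasses import dataclass

# Management ports the uplink ACL (ACL 106) covers: SSH, Telnet, Web UI.
MGMT_PORTS = {22, 23, 4343}

# Constructed AP-owned addresses for a master IAP, one per category the article lists.
MASTER_OWNED_IPS = {
    "192.168.1.10",   # physical interface IP
    "192.168.1.11",   # Virtual Controller IP
    "172.31.98.1",    # magic VLAN gateway IP
    "10.254.254.1",   # L3/NAT mode gateway IP
    "10.200.0.5",     # VPN tunnel IP
}
# A slave only protects its own physical IP (constructed value).
SLAVE_OWNED_IPS = {"192.168.1.20"}

# Constructed tail of 'show summary' in the same layout the article shows; the
# 255.255.255.255 row demonstrates a single-host entry.
SHOW_SUMMARY_TAIL = """\
Restricted Management Access Subnets
------------------------------------
Subnet IP Address Subnet Mask
----------------- -----------
10.0.0.0 255.0.0.0
192.168.100.25 255.255.255.255
"""


def parse_show_summary(text: str) -> list:
    """Return the configured subnets from the 'Restricted Management Access Subnets'
    table as ipaddress networks; an empty list means the feature is effectively off."""
    nets = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Restricted Management Access Subnets"):
            in_table = True
            continue
        if not in_table:
            continue
        if not line:
            break                      # blank line ends the table
        parts = line.split()
        if len(parts) != 2 or not parts[0][0].isdigit():
            continue                   # header and underline rows
        # ipaddress accepts dotted masks: 255.0.0.0 -> /8, 255.255.255.255 -> /32
        nets.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False))
    return nets


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    via_uplink: bool   # False for wired/wireless clients attached directly to the IAP


def mgmt_access_decision(pkt: Packet, allowed_nets: list, owned_ips: set) -> str:
    """Simplified model of ACL 106 for one packet: returns 'permit' or 'deny'."""
    if not pkt.via_uplink:
        return "permit"        # the uplink ACL is not in the path of directly connected clients
    if pkt.dst not in owned_ips or pkt.dport not in MGMT_PORTS:
        return "permit"        # not management traffic to an AP-owned address
    if not allowed_nets:
        return "permit"        # nothing configured: existing open behaviour
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in allowed_nets):
        return "permit"
    return "deny"


def demo() -> dict:
    """Evaluate constructed packets against the subnets parsed from the show output."""
    allowed = parse_show_summary(SHOW_SUMMARY_TAIL)
    cases = {
        "allowed_subnet_ssh_to_vc":   (Packet("10.5.6.7", "192.168.1.11", 22, True), MASTER_OWNED_IPS),
        "allowed_host_webui_to_vc":   (Packet("192.168.100.25", "192.168.1.11", 4343, True), MASTER_OWNED_IPS),
        "other_subnet_webui_to_vc":   (Packet("192.168.50.9", "192.168.1.11", 4343, True), MASTER_OWNED_IPS),
        "other_subnet_to_magic_gw":   (Packet("192.168.50.9", "172.31.98.1", 23, True), MASTER_OWNED_IPS),
        "other_subnet_non_mgmt_port": (Packet("192.168.50.9", "192.168.1.11", 443, True), MASTER_OWNED_IPS),
        "local_client_ssh_to_vc":     (Packet("192.168.1.50", "192.168.1.11", 22, False), MASTER_OWNED_IPS),
        "other_subnet_ssh_to_slave":  (Packet("192.168.50.9", "192.168.1.20", 22, True), SLAVE_OWNED_IPS),
    }
    return {name: mgmt_access_decision(pkt, allowed, owned) for name, (pkt, owned) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Two points worth checking against your own deployment follow from the model: the ACL only matches traffic arriving over the uplink, so a client on the IAP's own SSID or wired port is never filtered by it, and the decision keys on the source address alone, so a broad entry such as 10.0.0.0 255.0.0.0 admits every host in that range. Prefer host entries (mask 255.255.255.255) for jump hosts or a management VLAN rather than a whole site range.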
ACL hits for example
-----------------------------
Debug packet dump to troubleshoot
-------------------------------------------------