
Protecting MGMT access using "ip authorized-managers"

I have a 2930M switch running WC.16.05.0004 code and I want to limit HTTPS and SNMP access to a certain subnet (172.20.18.0/24) while allowing SSH access from all subnets. Is this the correct way of doing it?

ip authorized-managers 172.20.18.0 255.255.255.0 access manager
ip authorized-managers 0.0.0.0 0.0.0.0 access manager access-method ssh

 

Any idea how the lines of "ip authorized-managers" are processed? Is it in sequence and once the user hits one line, the other lines are not processed?

Or is the whole list processed and the user gets the highest (or lowest) privilege for his IP address?

Accepted Solutions

Re: Protecting MGMT access using "ip authorized-managers"

Greetings!

 

Unlike an ACL, the 'ip authorized-managers' command applies the highest level of access allowed for the management station IP address you're connecting from (as you described in your second example). 

 

So, for the two commands you listed, any management station can access the switch via SSH and be granted up to Manager-level access (depending on the account used for authentication), while a management station on the 172.18.20.0/24 subnet would be able to access all authentication methods with up to Manager-level permissions.



Matt Fern
Senior Technical Marketing Engineer, Aruba Switching

Aruba, a Hewlett Packard Enterprise company

8000 FOOTHILLS BLVD  |  ROSEVILLE, CA 95747
T: 916.540.1759  |  E: mfern@hpe.com   |   Matt @ Twitter
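
Added example, not part of the original posts and not Aruba code: a small Python model of the evaluation described in the answer (the highest matching level wins) beside an ACL-style first-match evaluation, run over the two lines from the question and a constructed overlapping pair. It assumes that an entry without access-method covers every method, that HTTPS falls under the web method, and that a source matching no entry is refused.

```python
import ipaddress

LEVELS = {"operator": 1, "manager": 2}  # manager outranks operator

def parse_entry(line):
    """Parse 'ip authorized-managers <ip> <mask> access <level> [access-method <m>]'."""
    tok = line.split()
    if tok[:2] != ["ip", "authorized-managers"]:
        raise ValueError(f"not an authorized-managers line: {line!r}")
    net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
    level = tok[tok.index("access") + 1]
    # Assumption: no access-method keyword means the entry applies to all methods.
    method = tok[tok.index("access-method") + 1] if "access-method" in tok else "all"
    return net, level, method

def matching_levels(config, src_ip, method):
    """Levels of every entry that covers this source address and method, in config order."""
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for line in config.strip().splitlines():
        net, level, entry_method = parse_entry(line)
        if ip in net and entry_method in ("all", method):
            hits.append(level)
    return hits

def effective_access(config, src_ip, method):
    """Semantics described in the answer: highest level among all matching entries."""
    hits = matching_levels(config, src_ip, method)
    return max(hits, key=LEVELS.get) if hits else None  # None = refused (assumption)

def first_match_access(config, src_ip, method):
    """ACL-style evaluation, shown only for contrast with the behaviour above."""
    hits = matching_levels(config, src_ip, method)
    return hits[0] if hits else None

# The two lines from the question.
ASKER_CONFIG = """
ip authorized-managers 172.20.18.0 255.255.255.0 access manager
ip authorized-managers 0.0.0.0 0.0.0.0 access manager access-method ssh
"""
# Constructed sample: a broad operator entry followed by a narrower manager entry.
OVERLAP_CONFIG = """
ip authorized-managers 10.0.0.0 255.0.0.0 access operator
ip authorized-managers 10.1.1.0 255.255.255.0 access manager
"""

if __name__ == "__main__":
    for ip in ("172.20.18.10", "10.9.9.9"):  # constructed source addresses
        for method in ("ssh", "web", "snmp"):
            print(ip, method, effective_access(ASKER_CONFIG, ip, method))
    print(first_match_access(OVERLAP_CONFIG, "10.1.1.5", "ssh"),
          effective_access(OVERLAP_CONFIG, "10.1.1.5", "ssh"))
```

Running a proposed list through a model like this before applying it shows which sources end up with Manager-level reach on each method, which is the thing to check when entries overlap.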
