15
OL-11615-01
IP Permit Lists
The IP permit list is an available feature in Catalyst OS and supported on Catalyst 6500 and 4500 Series
switches. An IP permit list is an access-list that prevents inbound Telnet, SNMP, and SSH access to the
switch from unauthorized source IP addresses. All other TCP/IP services (such as IP traceroute and IP
ping) continue to work normally when you enable the IP permit list. Outbound Telnet, Trivial File
Transfer Protocol (TFTP), and other IP-based services are unaffected by the IP permit list. IP permit lists
can be replaced with IOS ACLs or VACLs.
To configure IP permit lists, perform the following steps:
Step 1 Define the IP permit list using the set ip permit command:
Console> (enable) # set ip permit ip_address [mask] [all | snmp | telnet | ssh]
Step 2 Activate the IP permit list using the set ip permit enable command:
Console> (enable) # set ip permit enable [telnet | snmp | ssh]
In this example, SNMP access is granted only to host 172.16.52.32, and SSH connections are allowed only
from the 172.16.52.0/24 network; the final set ip permit enable with no keyword activates the list for all three services:
Console> (enable) set ip permit 172.16.52.32 255.255.255.255 snmp
172.16.52.32 with mask 255.255.255.255 added to Snmp permit list.
Console> (enable) set ip permit 172.16.52.0 255.255.255.0 ssh
172.16.52.0 with mask 255.255.255.0 added to Ssh permit list.
Console> (enable) set ip permit enable
IP permit list enabled.
For more information on how to configure IP permit lists on Catalyst 6500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/confg_gd/ip_perm.htm
For more information on how to configure IP permit lists on Catalyst 4500, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_3/configur/ip_perm.htm
Access-Class
Access-class is an available feature in Cisco IOS software that is supported on Catalyst 6500 and 4500
Series switches. Similar to IP permit lists, access-class prevents Telnet and SSH access to the switch
from unauthorized IP addresses. With this feature, a standard or extended IP ACL is configured with a
list of addresses to be permitted or blocked, then the access-class maps the ACL to one or more VTYs.
To configure an access-class, perform the following steps:
Step 1 Create the standard or extended IP ACL defining the IP addresses or subnets to be blocked or permitted
using the access-list command.
Step 2 Access the VTYs to which you want to control access. Using the access-class line command, associate
the previously configured IP ACL:
Switch(config)# line vty <0-15> [<0-15>]
Switch(config-line)# access-class access-list-number in
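The two steps above carried through as a complete configuration, added here as an example and not taken from the guide; the ACL number 10, the management network 172.16.52.0/24, and the admin host 10.1.1.5 are placeholder values chosen for illustration.

```cisco
! Added example, not from the original guide. Placeholder values: ACL 10,
! management subnet 172.16.52.0/24, admin host 10.1.1.5.
!
! Step 1: standard ACL listing the only sources allowed to open a VTY session.
! Standard ACLs use wildcard masks (0.0.0.255 = /24), not subnet masks.
Switch(config)# access-list 10 remark Sources permitted to reach the VTY lines
Switch(config)# access-list 10 permit 172.16.52.0 0.0.0.255
Switch(config)# access-list 10 permit host 10.1.1.5
! Everything else is already dropped by the implicit deny; an explicit
! deny with log records refused connection attempts for review.
Switch(config)# access-list 10 deny any log
!
! Step 2: bind the ACL inbound on every VTY line so no line is left unfiltered.
Switch(config)# line vty 0 15
Switch(config-line)# access-class 10 in
Switch(config-line)# end
!
! Check: hit counts on the permit and deny entries confirm the filter is applied.
Switch# show ip access-lists 10
```

Because a standard ACL matches only on source address, the same list applies to both Telnet and SSH sessions on those VTYs, which is the behaviour the access-class feature is meant to provide.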