Access Security Guide K/KA/KB.15.15

NOTE: When no Authorized IP manager rules are configured, the access method feature is
disabled, that is, access is not denied.
Options
You can configure:
• Up to 100 authorized manager addresses, where each address applies to either a single
  management station or a group of stations
• Manager or Operator access privileges
CAUTION: Configuring Authorized IP Managers does not protect access to the switch through
a modem or direct connection to the Console (RS-232) port. Also, if an unauthorized station spoofs
an authorized IP address, it can gain management access to the switch even though a duplicate
IP address condition exists. For these reasons, you should enhance your network’s security by
keeping physical access to the switch restricted to authorized personnel, using the
username/password and other security features available in the switch, and preventing unauthorized
access to data on your management stations.
Access Levels
For each authorized manager address, you can configure either of these access levels:
• Manager: Enables full access to all screens for viewing, configuration, and all other operations
  available.
• Operator: Allows read-only access. (This is the same access that is allowed by the switch’s
  operator-level password feature.)
Defining authorized management stations
• Authorizing Single Stations: The table entry authorizes a single management station to have
  IP access to the switch. To use this method, just enter the IP address of an authorized
  management station in the Authorized Manager IP column, and leave the IP Mask set to
  255.255.255.255. This is the easiest way to use the Authorized Managers feature. For
  more on this topic, see “Building IP Masks: Configuring one station per Authorized Manager
  IP entry” (page 417).
• Authorizing Multiple Stations: The table entry uses the IP Mask to authorize access to the switch
  from a defined group of stations. This is useful if you want to easily authorize several stations
  to have access to the switch without having to type in an entry for every station. All stations
  in the group defined by the one Authorized Manager IP table entry and its associated IP mask
  will have the same access level—Manager or Operator. For more on this topic, see “Building
  IP Masks: Configuring multiple stations per Authorized Manager IP entry” (page 417).
To configure the switch for authorized manager access, enter the appropriate Authorized Manager
IP value, specify an IP Mask, and select either Manager or Operator for the Access Level. The
IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the
switch by a management station.
NOTE: If the management VLAN is configured, access can only be on that VLAN.
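The allow/deny decision described above, modeled as an added example (not code from this guide or from the switch software) that can be used to review a planned Authorized Managers table before applying it. It generalizes the rule "255 in an octet means exact match" to a bit-by-bit comparison, so masks such as 255.255.255.248 are handled too. The function names, the 'unrestricted' sentinel, the first-match rule for overlapping entries, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_ENTRIES = 100  # the guide allows up to 100 authorized manager addresses

def _u32(dotted):
    """Dotted-quad string -> 32-bit integer (ValueError if malformed)."""
    return int(ipaddress.IPv4Address(dotted))

def entry_matches(station, auth_ip, mask="255.255.255.255"):
    """True if station equals auth_ip in every bit the mask sets to 1."""
    m = _u32(mask)
    return (_u32(station) & m) == (_u32(auth_ip) & m)

def stations_covered(mask):
    """Source addresses one entry authorizes: 2 ** (zero bits in the mask)."""
    return 1 << (32 - bin(_u32(mask)).count("1"))

def check_access(station, table):
    """Access level for station, or None if the table denies it.

    Empty table: the feature is disabled and denies nothing, reported here as
    the hypothetical sentinel 'unrestricted'. Assumption: first match decides.
    """
    if len(table) > MAX_ENTRIES:
        raise ValueError("more than 100 authorized manager entries")
    if not table:
        return "unrestricted"
    for auth_ip, mask, level in table:
        if entry_matches(station, auth_ip, mask):
            return level
    return None

def audit(table, limit=16):
    """Entries whose mask authorizes more than `limit` addresses."""
    return [(ip, mask, stations_covered(mask))
            for ip, mask, _ in table if stations_covered(mask) > limit]

# Constructed sample table: (Authorized Manager IP, IP Mask, Access Level)
SAMPLE_TABLE = [
    ("10.28.227.101", "255.255.255.255", "manager"),
    ("10.28.228.0", "255.255.255.0", "operator"),
]

if __name__ == "__main__":
    for src in ("10.28.227.101", "10.28.227.102", "10.28.228.77"):
        print(src, "->", check_access(src, SAMPLE_TABLE))
    print("broad entries:", audit(SAMPLE_TABLE))
```

Because the decision rests only on the source address, the CAUTION above about spoofed authorized addresses applies to every entry in the table.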
Overview of IP mask operation
The default IP Mask is 255.255.255.255 and allows switch access only to a station having an IP
address that is identical to the Authorized Manager IP parameter value. ("255" in an octet of the
mask means that only the exact value in the corresponding octet of the Authorized Manager IP
parameter is allowed in the IP address of an authorized management station.) However, you can
alter the mask and the Authorized Manager IP parameter to specify ranges of authorized IP