Nabadgelyada dheeraadka ah, waxaan rabay in aan xaddido gelitaanka Cisco SG300-10 ee u beddelashada hal ciwaanka IP-ga oo keliya ee ku jira shabakad-hoosaadka maxalliga ah. Ka dib markii aan markii hore habeeyey beddelkayga cusub^{(initially configuring my new switch)} dhawr toddobaad oo soo laabtay, kuma faraxsanayn in aan ogaado in qof kasta oo ku xidhan LAN ama WLAN uu heli karo bogga gelitaanka isagoo kaliya ogaanaya ciwaanka IP-ga ee qalabka.

Waxaan ku dhammeeyey shaandheynta buug-gacmeedka 500-bog ah si aan u ogaado sida loo maro xannibaadda dhammaan ciwaannada IP-ga marka laga reebo kuwa aan rabo gelitaanka maamulka. Imtixaan badan ka dib iyo dhowr qoraal oo ku saabsan forumyada Sisiko^(Cisco) , waxaan ogaaday! Maqaalkan, waxaan kugu dhex mari doonaa tillaabooyinka lagu habeeyo gelitaanka profiles iyo xeerarka profiles ee beddelkaaga Cisco .

Fiiro gaar ah: Habkan soo socda ee aan ku tilmaami doono wuxuu kaloo kuu ogolaanayaa inaad xaddiddo gelitaanka tiro kasta oo adeegyo karti leh oo ku socda beddelkaaga. Tusaale ahaan, waxaad xaddidi kartaa gelitaanka SSH, HTTP, HTTPS, Telnet, ama dhammaan adeegyadan adigoo isticmaalaya cinwaanka IP-ga. ^{(Note: The following method I am going to describe also allows you to restrict access to any number of enabled services on your switch. For example, you can restrict access to SSH, HTTP, HTTPS, Telnet, or all of these services by IP address. )}

Abuur Macluumaadka Helitaanka Maamulka^{(Create Management Access Profile)} & Xeerarka^(Rules)

Si aad u bilawdo, gal interneedka shabakada beddelkaaga oo balaadhi Amniga^(Security) oo balaadhi Habka Helitaanka Mgmt^{(Mgmt Access Method)} . Horey u soco oo guji Helitaanka Profiles^{(Access Profiles)} .

Waxa ugu horreeya ee aan u baahanahay inaan sameyno waa abuurista profile gelitaanka cusub. Sida caadiga ah, waa inaad kaliya aragtaa astaanta Console Keliya . ^{(Console Only)}Sidoo kale, waxaad ogaan doontaa xagga sare in midna^(None) aan la dooranin ee ku xiga Profile Helitaanka Firfircoon^{( Active Access Profile)} . Marka aan samayno profile-kayaga iyo xeerarkeena, waa in aan dooranaa magaca profile-ka halkan si aan u dhaqaajino.

Hadda dhagsii badhanka ku dar^(Add) oo kani waa inuu keenaa sanduuqa wada-hadalka halkaas oo aad awood u yeelan doonto inaad magacowdo profile-kaaga cusub oo aad sidoo kale ku dartid xeerka ugu horreeya profile cusub.

Xagga sare, waxaad siisaa profile-kaaga cusub magac. Dhammaan qaybaha kale waxay la xiriiraan qaanuunka ugu horreeya ee lagu dari doono astaanta cusub. Mudnaanta Sharciga^{( Rule Priority)} , waa inaad doorataa qiimaha u dhexeeya 1 iyo 65535. Habka Cisco u shaqeeyo waa in marka hore la dabaqo qaanuunka leh mudnaanta ugu yar. Haddii aysan ku habboonayn, markaa sharciga xiga ee leh mudnaanta ugu hooseeya ayaa la dabaqayaa.

Tusaalahayga, waxaan doortay mudnaanta 1 sababtoo ah waxaan rabaa in xeerkan marka hore laga shaqeeyo. Xeerkani wuxuu noqon doonaa kan u oggolaanaya ciwaanka IP-ga ee aan rabo in aan siiyo furaha furaha. Sida hoos timaada Habka Maareynta^{(Management Method)} , waxaad dooran kartaa adeeg gaar ah ama waxaad dooran kartaa dhammaan, taas oo xaddidi doonta wax walba. Xaaladeyda, waxaan doortay dhammaan sababtoo ah waxaan haystaa kaliya SSH iyo HTTPS si kastaba ha ahaatee waxaan ka maamulaa labada adeegba hal kombuyuutar.

Ogsoonow in haddii aad rabto inaad sugto kaliya SSH iyo HTTPS , markaa waxaad u baahan doontaa inaad abuurto laba xeer oo kala duwan. Ficilku wuxuu noqon karaa diidmo^(Action) ama oggolaansho ^(Deny). ^(Permit)Tusaale ahaan, waxaan doortay Ogolaansho^(Permit) maadaama tani ay noqon doonto IP-ga la oggol yahay. Marka xigta^(Next) , waxaad ku dabaqi kartaa qaanuunka interface interface gaar ah oo ku saabsan qalabka ama waxaad ka tagi kartaa Dhammaan^(All) si ay u khuseyso dhammaan dekedaha.

Hoosta Codsiyada Ciwaanka IP-ga^{(Applies to Source IP Address)} , waa in aan dooranaa Isticmaalaha lagu qeexay^{( User Defined)} halkan ka dibna dooro nooca 4^{(Version 4)} , haddii aadan ka shaqeynin deegaanka IPv6 oo aad dooranayso nooca 6^{(Version 6)} . Hadda ku qor cinwaanka IP-ga ee loo oggolaan doono gelitaanka oo ku qor maaskaro shabakadeed oo u dhigma dhammaan qaybaha khuseeya si loo eego.

Tusaale ahaan, maadaama ciwaanka IP-gaygu yahay 192.168.1.233, ciwaanka IP-ga oo dhan wuxuu u baahan yahay in la baadho, markaa waxaan u baahanahay maaskaro shabakadeed 255.255.255.255. Haddii aan rabo in sharciga lagu dabaqo qof kasta oo ku jira subnet-ka oo dhan, markaa waxaan isticmaali lahaa maaskaro 255.255.255.0. Taasi waxay la macno tahay qof kasta oo leh ciwaanka 192.168.1.x waa la ogolaan doonaa. Taasi ma aha waxa aan rabo in aan sameeyo, si cad, laakiin waxaan rajeynayaa in taasi ay sharxayso sida loo isticmaalo maaskaro shabakadeed. Ogsoonow in maaskarada shabakadu aysan ahayn maaskaro-hoosaadka shabakadaada. Maaskarada shabakadu waxay si fudud u sheegtaa qaniinyada Cisco ay tahay inay eegto marka la dabaqayo qaanuunka.

Guji Codso^(Apply) oo waa inaad hadda haysataa muuqaal cusub oo gelitaan iyo sharci! Guji ^(Click)Xeerarka Profile^{( Profile Rules)} ee liiska gacanta bidix oo waa inaad aragto qaanuunka cusub ee ku taxan xagga sare.

Hadda waxaan u baahanahay inaan ku darno xeerkeena labaad. Si tan loo sameeyo, dhagsii badhanka ku dar^(Add) ee ka muuqda shaxda Xeerka Profile^{(Profile Rule Table)} .

Xeerka labaad runtii waa mid fudud. Marka hore, iska hubi in Magaca Helitaanka Profile^{(Access Profile Name)} uu yahay isla midka aan hadda abuurnay. Hadda, waxaan kaliya siineynaa sharciga mudnaanta 2 oo aan dooranay diidmada ^(Deny)Ficilka^(Action) . Hubi in wax kasta oo kale loo dejiyay Dhammaan^(All) . Tani waxay ka dhigan tahay in dhammaan ciwaannada IP-ga la xannibi doono. Si kastaba ha ahaatee, maadaama sharcigayaga ugu horreeya la hirgelin doono marka hore, cinwaanka IP-ga waa la oggolaan doonaa. Marka xeer la is waafajiyo, xeerarka kale waa la iska indhatiraa. Haddii ciwaanka IP-gu aanu ku habboonayn qaanuunka koowaad, waxa uu iman doonaa xeerkan labaad, halkaas oo uu ku habboonaan doono oo la xannibi doono. Fiican!

Ugu dambayntii, waa inaan dhaqaajinnaa astaanta gelitaanka cusub. Si taas loo sameeyo, ku laabo Access Profiles oo dooro astaanta cusub ee liiska hoos u dhaca ee xagga sare (oo ku xiga Profile Helitaanka Firfircoon^{(Active Access Profile)} ). Hubi inaad gujiso Codso^(Apply) oo waa inaad fiicnaataa inaad tagto.

Xasuusnoow^(Remember) in habayntu hadda ku kaydsan tahay habaynta ordaya. Hubi inaad aado Maamulka^{(Administration)} - Maareynta Faylka^{( File Management)} - Copy/Save Configuration si aad u nuqul ka sameyso qaabeynta socodsiinta qaabeynta bilowga.

Haddii aad rabto in aad u ogolaato in ka badan hal ciwaan IP ah in la galo furaha, kaliya samee xeer kale sida kii hore, laakiin sii mudnaan sare. Waa inaad sidoo kale hubisaa inaad beddeshay mudnaanta xeerka diidmada^(Deny) si uu u yeesho mudnaan sare marka loo eego dhammaan xeerarka oggolaanshaha^(Permit) . Haddii aad la kulanto wax dhibaato ah ama aadan heli karin tan in ay shaqeyso, xor u noqo inaad ku dhejiso faallooyinka waxaana isku dayi doonaa inaan ku caawiyo. Ku raaxayso!

Restrict Access to Cisco Switch Based on IP Address

For addеd security, I wanted to restrict аccess to my Cisco SG300-10 switсh to only one IP address in my local ѕubnet. After initially configuring my new switch a few weeks backs, I wasn’t happy knowing that anyone connected to my LAN or WLAN could get to the login page by just knowing the IP address for the device.

I ended up sifting through the 500-page manual to figure out how to go about blocking all IP addresses except the ones that I wanted for management access. After a lot of testing and several posts to the Cisco forums, I figured it out! In this article, I’ll walk you through the steps to configure access profiles and profiles rules for your Cisco switch.

Note: The following method I am going to describe also allows you to restrict access to any number of enabled services on your switch. For example, you can restrict access to SSH, HTTP, HTTPS, Telnet, or all of these services by IP address.

Create Management Access Profile & Rules

To get started, log into the web interface for your switch and expand Security and then expand Mgmt Access Method. Go ahead and click on Access Profiles.

The first thing we need to do is create a new access profile. By default, you should only see the Console Only profile. Also, you’ll notice at the top that None is selected next to Active Access Profile. Once we have created our profile and rules, we’ll have to select the name of the profile here in order to activate it.

Now click on the Add button and this should bring up a dialog box where you’ll be able to name your new profile and also add the first rule for the new profile.

At the top, give your new profile a name. All the other fields relate to the first rule that will be added to the new profile. For Rule Priority, you have to choose a value between 1 and 65535. The way Cisco works is that the rule with the lowest priority is applied first. If it doesn’t match, then the next rule with the lowest priority is applied.

In my example, I chose a priority of 1 because I want this rule to be processed first. This rule will be the one that allows the IP address that I want to give access to the switch. Under Management Method, you can either choose a specific service or choose all, which will restrict everything. In my case, I chose all because I only have SSH and HTTPS enabled anyway and I manage both services from one computer.

Note that if you want to secure only SSH and HTTPS, then you’ll need to create two separate rules. The Action can only be Deny or Permit. For my example, I chose Permit since this will be for the allowed IP. Next, you can apply the rule to a specific interface on the device or you can just leave it at All so that it applies to all ports.

Under Applies to Source IP Address, we have to choose User Defined here and then choose Version 4, unless you are working in an IPv6 environment in which case you would choose Version 6. Now type in the IP address that will be allowed access and type in a network mask that matches all the relevant bits to be looked at.

For example, since my IP address is 192.168.1.233, the whole IP address needs to be examined and hence I need a network mask of 255.255.255.255. If I wanted the rule to apply to everyone on the entire subnet, then I would use a mask of 255.255.255.0. That would mean anyone with a 192.168.1.x address would be permitted. That’s not what I want to do, obviously, but hopefully that explains how to use the network mask. Note that the network mask is not the subnet mask for your network. The network mask simply says which bits Cisco should look at when applying the rule.

Click Apply and you should now have a new access profile and rule! Click on Profile Rules in the left-hand menu and you should see the new rule listed at the top.

Now we need to add our second rule. To do this, click on the Add button shown under the Profile Rule Table.

The second rule is really simple. Firstly, make sure that the Access Profile Name is the same one we just created. Now, we just give the rule a priority of 2 and choose Deny for the Action. Make sure everything else is set to All. This means that all IP addresses will be blocked. However, since our first rule will be processed first, that IP address will be permitted. Once a rule is matched, the other rules are ignored. If an IP address doesn’t match the first rule, it’ll come to this second rule, where it will match and be blocked. Nice!

Finally, we have to activate the new access profile. To do that, go back to Access Profiles and select the new profile from the drop down list at the top (next to Active Access Profile). Make sure to click Apply and you should be good to go.

Remember that the configuration is currently only saved in the running config. Make sure you go to Administration – File Management – Copy/Save Configuration to copy the running config to the startup config.

If you want to allow more than one IP address access to the switch, just create another rule like the first one, but give it a higher priority. You’ll also have to make sure that you change the priority for the Deny rule so that it has a higher priority than all of the Permit rules. If you run into any problems or can’t get this to work, feel free to post in the comments and I’ll try to help. Enjoy!

Phoenix Schultz

About the author

Waxaan ahay injineer maqal ah oo xirfad leh oo leh khibrad 10 sano ka badan. Waxaan ka shaqeynayay warshadaha muusikada dhowrkii sano ee la soo dhaafay, waxaanan ku yeeshay sumcad xooggan gudaha goobtaas. Waxaan sidoo kale ahay koontada isticmaale ee khibrad sare leh iyo hawlwadeenka badbaadada qoyska. Mas'uuliyadahayga waxaa ka mid ah maaraynta xisaabaadka isticmaalaha, bixinta taageerada macaamiisha, iyo bixinta talooyinka badbaadada qoyska shaqaalaha.

Xakameyn gelitaanka Sisiko beddelka iyadoo ku saleysan cinwaanka IP-ga

Abuur Macluumaadka Helitaanka Maamulka^{(Create Management Access Profile)} & Xeerarka^(Rules)

Restrict Access to Cisco Switch Based on IP Address

Create Management Access Profile & Rules

Phoenix Schultz

About the author

Related posts

Sida loo Helo Ciwaanka IP-ga ee Daabacahaaga WiFi ee Windows iyo Mac

Sida loo sahlo gelitaanka SSH ee Cisco SG300 Switches

Sida loo dejiyo Ciwaanka IP Static gudaha Windows 11/10

Sida loo Helo Ciwaanka IP-ga ee Router-kayga?

Sida loogu meeleeyo Ciwaanka IP Static Windows 11/10 PC

Sida Loo Qaado Screenshots on Nintendo Switch

Demi Koontaroolada Koontada Isticmaalaha (UAC) ee Codsi Gaar ah

Ku rakibida GIMP Plugins: Habka-Hagaha

HDG Wuxu Sharaxay: Waa maxay Ciwaanka IP-ga & Runtii Ma Iga Baafin Karaa Albaabkayga?

Sida loo galo iMessage on Windows 10/11

Samee Jidka Gaaban ee Kiiboodhka si aad si badbaado leh u gasho Ka saar Wadahadalka Hardware

Sida loo galo Qaybaha Linux ee Windows

5 App-ka Qarsoon ee Ciwaanka IP ugu Fiican ee Android 2022

HDG wuxuu sharxayaa: Waa maxay Ciwaanka IP-ga ee gaarka ah & Miyaan helaa mid?

Dib-u-eegis Buugaag - Hagaha sida-Geek-ga loo barto ee Windows 8

Sida loo dejiyo ciwaanka gurigaaga khariidadaha Google

Sida loo galo oo loo beddelo Settings WiFi Router kaaga

Router vs Switch vs Hub vs Modem vs Access Point vs Gateway

Sida loo beddelo ciwaanka IP-gaaga Windows 10 (& sababta aad u rabto)

Sida loo Helo Ciwaanka IP-ga Dadweynaha

Xakameyn gelitaanka Sisiko beddelka iyadoo ku saleysan cinwaanka IP-ga

Abuur Macluumaadka Helitaanka Maamulka(Create Management Access Profile) & Xeerarka(Rules)

Restrict Access to Cisco Switch Based on IP Address

Create Management Access Profile & Rules

Phoenix Schultz

About the author

Related posts

Sida loo Helo Ciwaanka IP-ga ee Daabacahaaga WiFi ee Windows iyo Mac

Sida loo sahlo gelitaanka SSH ee Cisco SG300 Switches

Sida loo dejiyo Ciwaanka IP Static gudaha Windows 11/10

Sida loo Helo Ciwaanka IP-ga ee Router-kayga?

Sida loogu meeleeyo Ciwaanka IP Static Windows 11/10 PC

Sida Loo Qaado Screenshots on Nintendo Switch

Demi Koontaroolada Koontada Isticmaalaha (UAC) ee Codsi Gaar ah

Ku rakibida GIMP Plugins: Habka-Hagaha

HDG Wuxu Sharaxay: Waa maxay Ciwaanka IP-ga & Runtii Ma Iga Baafin Karaa Albaabkayga?

Sida loo galo iMessage on Windows 10/11

Samee Jidka Gaaban ee Kiiboodhka si aad si badbaado leh u gasho Ka saar Wadahadalka Hardware

Sida loo galo Qaybaha Linux ee Windows

5 App-ka Qarsoon ee Ciwaanka IP ugu Fiican ee Android 2022

HDG wuxuu sharxayaa: Waa maxay Ciwaanka IP-ga ee gaarka ah & Miyaan helaa mid?

Dib-u-eegis Buugaag - Hagaha sida-Geek-ga loo barto ee Windows 8

Sida loo dejiyo ciwaanka gurigaaga khariidadaha Google

Sida loo galo oo loo beddelo Settings WiFi Router kaaga

Router vs Switch vs Hub vs Modem vs Access Point vs Gateway

Sida loo beddelo ciwaanka IP-gaaga Windows 10 (& sababta aad u rabto)

Sida loo Helo Ciwaanka IP-ga Dadweynaha

Abuur Macluumaadka Helitaanka Maamulka^{(Create Management Access Profile)} & Xeerarka^(Rules)