Configuration Examples for IP-ACL

To define an IP-ACL that restricts management access using Device Manager, follow these steps:

  1. Choose Security > IP ACL.

     You see the IP-ACL dialog box.

  2. Click Create to create an IP-ACL.

     You see the Create IP ACL Profiles dialog box.

  3. Enter RestrictMgmt as the profile name and click Create.

     This creates an empty IP-ACL named RestrictMgmt.

  4. Select RestrictMgmt and click Rules.

     You see an empty list of IP filters associated with this IP-ACL.

  5. Click Create to create the first IP filter.

     You see the Create IP Filter dialog box.

  6. Create an IP filter to allow management communications from a trusted subnet:
    a. Choose the permit Action and select 0 IP from the Protocol drop-down menu.
    b. Set the source IP address to 10.67.16.0 and the wildcard mask to 0.0.0.255.

       Note: The wildcard mask denotes a subset of the IP address you want to match against. This allows a range of addresses to match against this filter.

    c. Check the any check box for the destination address.
    d. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.

    Repeat Step a through Step d to create an IP filter that allows communications for all addresses in the 10.67.16.0/24 subnet.

  7. Create an IP filter to allow ICMP ping commands:
    a. Choose the permit Action and select 1-ICMP from the Protocol drop-down menu.
    b. Check the any check box for the source address.
    c. Check the any check box for the destination address.
    d. Select 8 echo from the ICMPType drop-down menu.
    e. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.

    Repeat Step a through Step e to create an IP filter that allows ICMP ping.

  8. Create a final IP Filter to block all other traffic:
    a. Choose the deny Action and select 0 IP from the Protocol drop-down menu.
    b. Check the any check box for the source address.
    c. Check the any check box for the destination address.
    d. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.
    e. Click Close to close the Create IP Filter dialog box.

    Repeat Step a through Step d to create an IP filter that blocks all other traffic.

  9. Apply the RestrictMgmt IP ACL to the mgmt0 interface:
    a. Click Security, select IP ACL, and then click the Interfaces tab in the IP ACL dialog box.
    b. Click Create.

       You see the Create IP-ACL Interfaces dialog box.

    c. Select mgmt0 from the Interfaces drop-down menu.
    d. Select the inbound Profile Director.
    e. Select RestrictMgmt from the ProfileName drop-down menu.
    f. Click Create to apply the RestrictMgmt IP-ACL to the mgmt0 interface.

    Repeat Step a through Step f to apply the new IP-ACL to the mgmt0 interface.
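To check what the finished RestrictMgmt IP-ACL admits on mgmt0, the following added example (not part of the original Cisco procedure) models its three filters in Python and evaluates constructed sample packets against them. It assumes first-match evaluation in the order the filters were created and an implicit deny when nothing matches; the function names and sample addresses are hypothetical, and destination matching is omitted because every filter uses any.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")  # the "any" check box: every bit ignored

# RestrictMgmt filters in creation order.
# Fields: action, protocol (None = "0 IP", any protocol), source, ICMP type.
RESTRICT_MGMT = [
    ("permit", None, ("10.67.16.0", "0.0.0.255"), None),  # trusted subnet
    ("permit", "icmp", ANY, 8),                           # ICMP echo request
    ("deny", None, ANY, None),                            # everything else
]

def evaluate(acl, src, proto, icmp_type=None):
    """Return (action, filter_number) for an inbound packet, first match wins."""
    for number, (action, rule_proto, (base, wc), rule_type) in enumerate(acl, 1):
        if rule_proto is not None and rule_proto != proto:
            continue
        if rule_type is not None and rule_type != icmp_type:
            continue
        if wildcard_match(src, base, wc):
            return action, number
    return "deny", None  # assumption: implicit deny at the end of the list

if __name__ == "__main__":
    # Constructed sample packets: (source, protocol, ICMP type)
    samples = [
        ("10.67.16.25", "tcp", None),   # management host in the trusted subnet
        ("10.67.17.25", "tcp", None),   # neighbouring subnet, third octet differs
        ("192.0.2.10", "icmp", 8),      # echo request from outside the subnet
        ("192.0.2.10", "icmp", 0),      # echo reply from outside the subnet
    ]
    for src, proto, icmp_type in samples:
        action, number = evaluate(RESTRICT_MGMT, src, proto, icmp_type)
        print(f"{src:<12} {proto:<5} type={icmp_type!s:<5} -> {action} (filter {number})")
```

The last sample shows a side effect worth knowing before applying the ACL: only ICMP type 8 is permitted inbound, so echo replies to pings sent from the switch to hosts outside 10.67.16.0/24 are dropped by the final deny filter.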



Copyright 2010-2013, Cisco Systems, Inc. All rights reserved.