Fibre Channel (SAN)

Occasional Contributor
Posts: 12
Registered: 06-21-2011

How to restrict management access to Brocade 8510-4?

I'm looking to restrict telnet, SSH, HTTP, HTTPS to our Brocade 8510-4. I'm also going to set up a Network Advisor server to manage the entire environment. How do I restrict access to just this server?

Thanks in advance.

Todd

Frequent Contributor
Posts: 118
Registered: 06-15-2009

Re: How to restrict management access to Brocade 8510-4?

Discussion moved to Fibre Channel (SAN) Forum

Valued Contributor
Posts: 931
Registered: 12-30-2009

Re: How to restrict management access to Brocade 8510-4?

You could set up an ACL with the ipfilter command.

Execute help ipfilter to find the man page on syntax, parameters etc.

Be aware you could lock yourself out of your switch (on the network level).

Also I would not set up a policy with just one allowed IP address (in this case your BNA).

Should that server be unavailable, you've locked yourself out until the server is back online.

Of course you can always regain control using your serial connection.

Occasional Contributor
Posts: 12
Registered: 06-21-2011

Re: How to restrict management access to Brocade 8510-4?

ipfilter --clone BlockedMGMT_v4 -from default_ipv4

Name: default_ipv4, Type: ipv4, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          permit
4     any        tcp       443         permit
5     any        udp       161         permit
6     any        udp       123         permit
7     any        tcp       600 - 1023  permit
8     any        udp       600 - 1023  permit

Name: default_ipv6, Type: ipv6, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          permit
4     any        tcp       443         permit
5     any        udp       161         permit
6     any        udp       123         permit
7     any        tcp       600 - 1023  permit
8     any        udp       600 - 1023  permit

Name: BlockedMGMT_v4, Type: ipv4, State: defined (modified)
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          permit
4     any        tcp       443         permit
5     any        udp       161         permit
6     any        udp       123         permit
7     any        tcp       600 - 1023  permit
8     any        udp       600 - 1023  permit

ipfilter --activate BlockedMGMT_v4
ipfilter --save BlockedMGMT_v4

prdsanswa01:FID128:admin> ipfilter --show

Name: default_ipv4, Type: ipv4, State: defined
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          permit
4     any        tcp       443         permit
5     any        udp       161         permit
6     any        udp       123         permit
7     any        tcp       600 - 1023  permit
8     any        udp       600 - 1023  permit

Name: default_ipv6, Type: ipv6, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          permit
4     any        tcp       443         permit
5     any        udp       161         permit
6     any        udp       123         permit
7     any        tcp       600 - 1023  permit
8     any        udp       600 - 1023  permit

Name: BlockedMGMT_v4, Type: ipv4, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          permit
4     any        tcp       443         permit
5     any        udp       161         permit
6     any        udp       123         permit
7     any        tcp       600 - 1023  permit
8     any        udp       600 - 1023  permit

ipfilter --addrule BlockedMGMT_v4 -rule 2 -sip any -dp 23 -proto tcp -act deny
ipfilter --save BlockedMGMT_v4
********Modified active policy must be activated before performing this operation************
ipfilter --activate BlockedMGMT_v4
ipfilter --show

Name: BlockedMGMT_v4, Type: ipv4, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          deny    <--- *** To turn off telnet this must be before the permit rule #3 for telnet ***
3     any        tcp       23          permit
4     any        tcp       80          permit
5     any        tcp       443         permit
6     any        udp       161         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
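One way to check a policy before running --activate, as an added example that is not code from the thread or from Brocade: this Python script parses the table format shown above and flags the two risks the replies describe (a deny placed after the permit it was meant to override, and a policy that leaves SSH reachable from only one host). It assumes first-match evaluation in rule order and an implicit deny for unmatched traffic; the policy dump, the 10.0.0.5 management host and the 198.51.100.7 outside address are constructed.

```python
"""Audit Brocade FOS 'ipfilter --show' output before '--activate'. Added example, not thread or
Brocade code. Assumed: rules checked in ascending number, first match wins, unmatched = deny."""
import ipaddress, re
# Constructed sample modelled on the thread, plus a hypothetical single-host SSH policy.
SAMPLE = """\
Name: BlockedMGMT_v4, Type: ipv4, State: active
Rule Source IP Protocol   Dest Port   Action
1     any                 tcp       22     permit
2     any                 tcp       23     deny
3     any                 tcp       23     permit
4     any                 tcp      600 - 1023     permit
Name: MGMT_ONLY_v4, Type: ipv4, State: defined
1     10.0.0.5/32         tcp       22     permit
2     any                 tcp       22     deny
"""
HDR = re.compile(r"^Name: ([^,]+), Type: (\S+), State: (.+)$")
RULE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)$")

def parse(text):  # policy name -> [(num, src, proto, port_lo, port_hi, action)]
    policies, cur = {}, None
    for line in text.splitlines():
        if h := HDR.match(line):
            cur = policies.setdefault(h.group(1), [])
        elif (m := RULE.match(line.strip())) and cur is not None:
            n, src, proto, lo, hi, act = m.groups()
            cur.append((int(n), src, proto, int(lo), int(hi or lo), act))
    return policies

def first_match(rules, addr, proto, port):
    """(rule number, action) the switch would apply to one packet; (None, 'deny') if no rule hits."""
    for n, src, pr, lo, hi, act in sorted(rules):
        if pr == proto and lo <= port <= hi and (src == "any" or
                ipaddress.ip_address(addr) in ipaddress.ip_network(src, strict=False)):
            return n, act
    return None, "deny"  # assumed implicit deny

def audit(rules, mgmt_server, outsider="198.51.100.7"):
    """Findings to review before activating: open telnet, dead rules, lockout risk."""
    out, rs = [], sorted(rules)
    if first_match(rules, outsider, "tcp", 23)[1] == "permit":
        out.append("telnet still permitted from arbitrary sources")
    if first_match(rules, mgmt_server, "tcp", 22)[1] != "permit":
        out.append(f"ssh from {mgmt_server} denied: lockout")
    for i, (n, src, pr, lo, hi, _) in enumerate(rs):
        if any(p == pr and plo <= lo <= hi <= phi and ps in ("any", src) for _, ps, p, plo, phi, _ in rs[:i]):
            out.append(f"rule {n} is shadowed by an earlier rule and never matches")
    ssh = {s for _, s, p, lo, hi, a in rules if p == "tcp" and lo <= 22 <= hi and a == "permit"}
    if len(ssh) == 1 and "any" not in ssh:
        out.append("ssh permitted from a single host only; the serial console is the fallback")
    return out
```

Run audit() on the output of parse() for each policy; an empty list means none of the three checks fired.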
