Extreme Switch Management Access Configuration

                        

This configuration guide is based on a brand new switch out of the box. To gain control of the switch quickly and securely, follow this guide.

Anything in [BRACKETED BOLD] will need to be replaced with your system details.

First of all, remove all ports from the default VLAN, create a management VLAN and use the tag command to assign a VLAN number to the new management VLAN. Configure the management VLAN with an IP address and subnet mask and then enable IP routing on the management VLAN.

configure vlan Default delete ports all
create vlan [MANAGEMENT VLAN NAME]
configure vlan [MANAGEMENT VLAN NAME] tag [802.1Q VLAN TAG]
configure vlan [MANAGEMENT VLAN NAME] ipaddress [MANAGEMENT IP]
enable ipforwarding vlan [MANAGEMENT VLAN NAME]

We now need to consider a safe method of remote access to the switch. These days clear-text protocols like Telnet are not an option. So what's the alternative? SSH is the way to go! Use the commands below to disable Telnet and the HTTP/HTTPS web interface, enable SSH and set an idle timeout.

disable telnet
disable web http
disable web https
configure ssh2 key
enable ssh2
enable ssh2 access-profile [MANAGEMENT ACL]
configure idletimeout [TIME IN MINUTES]
enable idletimeout

You should have noticed the “enable ssh2 access-profile [MANAGEMENT ACL]” command. This allows the administrator to define an access list, which can be written to restrict SSH access to the management subnet only. I’ll show you how this is done.

Extreme XOS has a built-in text editor called vi, which you may have come across whilst using Unix/Linux-based systems.

This allows you to create an access list using a sequence of if, then, permit and deny statements. This is how it's done!

 

vi MANAGE_ACL.pol

 

# Limits Management Access to Switch
# Last Updated – 23/3/11 by mblackwell

entry PERMIT_MANAGE {
if {
source-address [MANAGEMENT SUBNET];
} then {
permit;
}
}

entry DENY {
if {
} then {
deny;
}
}

:wq
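
As an added example (not part of the original guide and not Extreme's own tooling), the Python script below parses a policy in the layout shown above, reports which entry decides a given source address, and flags an unrestricted permit or a missing catch-all deny. It assumes entries are evaluated top to bottom with the first match deciding and handles IPv4 only; the subnet 10.10.10.0/24 and the function names are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample in the layout shown above; 10.10.10.0/24 is a placeholder subnet.
SAMPLE_POLICY = """
entry PERMIT_MANAGE {
if {
source-address 10.10.10.0/24;
} then {
permit;
}
}
entry DENY {
if {
} then {
deny;
}
}
"""

ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

def parse_policy(text):
    """Return [(entry name, source network or None, action)] in file order."""
    text = re.sub(r"#.*", "", text)  # drop comment lines
    entries = []
    for name, cond, action in ENTRY_RE.findall(text):
        m = re.search(r"source-address\s+([\d./]+)\s*;", cond)
        net = ipaddress.ip_network(m.group(1), strict=False) if m else None
        entries.append((name, net, action.strip().rstrip(";").strip()))
    return entries

def decide(entries, source_ip):
    """Assumed first-match semantics; an entry with an empty 'if' matches everything."""
    ip = ipaddress.ip_address(source_ip)
    for name, net, action in entries:
        if net is None or ip in net:
            return name, action
    return None, None  # nothing matched: outcome depends on the switch default

def lint(entries):
    """Flag the two mistakes that silently widen management access."""
    problems = []
    for name, net, action in entries:
        if action == "permit" and (net is None or net.prefixlen == 0):
            problems.append(f"{name}: permit is not restricted to a subnet")
    if not entries or entries[-1][1] is not None or entries[-1][2] != "deny":
        problems.append("last entry is not a catch-all deny")
    return problems
```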
