Management ACL Commands - Dell Networking 2024 Reference Manual

Management ACL Commands

Dell Networking N2000/N3000/N4000 Series Switches

To ensure the security of the switch management features, the administrator may elect to configure a management access control list. The Management Access Control and Administration List (ACAL) component is used to ensure that only known and trusted devices are allowed to remotely manage the switch via TCP/IP. Management ACLs are only configurable on IP (in-band) interfaces, not on the out-of-band interface or the serial port.

Management ACLs are applied after all hardware-based ACLs (ip access-list and ipv6 access-list) have been applied. This allows the administrator to configure hardware-based filtering criteria for the in-band management and then further refine those criteria with firmware-based filtering supplied by the management ACL capability.

When a Management ACAL is enabled, incoming TCP packets initiating a connection (TCP SYN) and all UDP packets will be filtered based on their source IP address and destination port. Additionally, other attributes such as incoming port (or port-channel) and VLAN ID can be used to determine if the traffic should be allowed to the management interface. When the component is disabled, incoming TCP/UDP packets are not filtered and are processed normally.

There is also an option to restrict all the above packets from the network interface. This is done by specifying "console only" in the MACAL component. If this is enabled, the systems management interface is only accessible via the serial port. All TCP SYN packets and UDP packets are dropped except UDP packets sent to the DHCP Server or DHCP Client ports.
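
The filtering behaviour described above, modelled in Python as an added example; it is not Dell firmware code or switch CLI syntax. First-match rule ordering, the drop for unmatched packets, and the sample policy and addresses are assumptions that this page does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DHCP_PORTS = {67, 68}  # UDP ports of the DHCP server and DHCP client

@dataclass
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str                    # source IP address
    dport: int                  # destination port
    syn: bool = False           # True for a TCP segment initiating a connection
    ingress: str = ""           # incoming port or port-channel (any label)
    vlan: Optional[int] = None

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any value
    ingress: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        in_net = ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
        return (in_net and self.dport in (None, p.dport)
                and self.ingress in (None, p.ingress)
                and self.vlan in (None, p.vlan))

def evaluate(p, rules, enabled=True, console_only=False) -> str:
    """Return "accept" or "drop" for a packet sent to the management interface."""
    if not enabled:
        return "accept"         # component disabled: no filtering
    if not (p.proto == "udp" or (p.proto == "tcp" and p.syn)):
        return "accept"         # only TCP SYN and UDP packets are filtered
    if console_only:            # serial-only management; DHCP is still allowed
        return "accept" if p.proto == "udp" and p.dport in DHCP_PORTS else "drop"
    for r in rules:             # assumption: first matching rule wins
        if r.matches(p):
            return "accept" if r.action == "permit" else "drop"
    return "drop"               # assumption: unmatched traffic is denied

# Constructed sample policy: SSH from one admin subnet on VLAN 10, SNMP from one host.
RULES = [
    Rule("deny", src_net="192.0.2.99/32"),
    Rule("permit", src_net="192.0.2.0/24", dport=22, vlan=10),
    Rule("permit", src_net="198.51.100.7/32", dport=161),
]
```

Running candidate rules through a model like this before applying them helps confirm that the intended management stations still match a permit entry, which matters because a mistake on the in-band interface leaves only the out-of-band interface or serial port for recovery.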

Commands in this Chapter

This chapter explains the following commands:
deny (management)
management access-class
permit (management)
show management access-class