HPE Storage Networking - Switches

SAN switch management port access restriction

jclee
Occasional Contributor

Hi

I have a question about the SAN switch management port.
The customer is using a Brocade 8Gb SAN Switch and wants to restrict logins on the management port for security.

For example:
==============

switch IP: 10.77.77.77   Customer PCs IP: 10.77.77.1 ~ 77.

The customer wants to allow only 3 IPs (10.77.77.1~3) to log in (ssh/telnet) to the management port.
Is it possible by setting any parameter on the switch side?

3 REPLIES
Marian_Bezeg
Occasional Visitor

Re: SAN switch management port access restriction

Hello,

It's possible via IP filters. Use the command below to display the current settings.

ipfilter --show

Example:

Name: default_ipv4, Type: ipv4, State: defined
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          permit
4     any        tcp       443         permit
5     any        udp       161         permit
6     any        udp       123         permit
7     any        tcp       600 - 1023  permit
8     any        udp       600 - 1023  permit

If you would like to change something there, you have to clone the current config, adjust the rules and activate the cloned one.

There is more info in the admin guide or directly on the switch via the command:

help ipfilter

Be sure that your serial connection is working, because if you block all IPs via ssh/telnet there will not be a lot of chances to connect to the switches, probably only via the web GUI.

Paul28
HPE Pro

Re: SAN switch management port access restriction

>> The following may help: ipFilter commands from the Brocade Fabric OS command reference

Step 1: Check current configuration: ipfilter --show
Step 2: Clone current configuration: ipfilter --clone policyname -from src_policyname
Step 3: Modify cloned configuration and save it: ipfilter --save [policyname]
Step 4: Activate new firewall configuration: ipfilter --activate policyname

DESCRIPTION:
Use this command to manage IP filter policies. The ipFilter command and command options are
noninteractive, except when prompting for a confirmation.
The IP filter policy sets up a packet filtering firewall to provide access control on the management IP
interface. The IPv4 and IPv6 policies are either in the defined configuration or in the active configuration.
Excluding the default policies, there can be a maximum of six policies in the defined configuration and
one policy per IPv4 and IPv6 type in the active configuration.
The active policy must be the default policy or one of the policies in the defined configuration. Only the
active policies are enforced. All of the ipFilter options except --show and --transabort create a
transaction owned by the management session initiating the commands.


I'm an HPE Employee
Marian_Bezeg
Occasional Visitor

Re: SAN switch management port access restriction

Hello,

With these steps he will not achieve restriction of a particular protocol; only a clone of the rule will be executed.

Modifying the current rules and creating new ones is a must.
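Putting together Marian_Bezeg's clone/adjust/activate advice and Paul28's four steps, here is a worked Fabric OS CLI session for the original question (ssh/telnet allowed only from 10.77.77.1, .2 and .3). This is an added example, not from any of the posts or from Brocade's documentation: the policy name mgmt_restrict_v4 is made up, and it assumes the FOS 7.x `ipfilter --addrule` / `--delrule` option names (-rule, -sip, -dp, -proto, -act) and that the remaining rules are renumbered contiguously after a delete (confirm each step with `ipfilter --show`). Rules are matched top-down, so the explicit deny rules must come after the per-host permits; the other default rules (80, 443, 161, 123, 600-1023) do not overlap ports 22/23 and are left alone.

```console
# Fabric OS CLI, constructed example (not from the thread).
# Work from the serial console or from one of the three permitted IPs.

# 0. Look at what is active today (expect default_ipv4 with rules 1-8 as shown above).
switch:admin> ipfilter --show

# 1. Only a cloned policy can be edited, so clone the default one.
switch:admin> ipfilter --clone mgmt_restrict_v4 -from default_ipv4

# 2. Remove the two "any" permits for ssh (22) and telnet (23).
#    Delete the higher-numbered rule first so renumbering cannot move the target.
switch:admin> ipfilter --delrule mgmt_restrict_v4 -rule 2
switch:admin> ipfilter --delrule mgmt_restrict_v4 -rule 1
switch:admin> ipfilter --show
#    Expect six rules left (80, 443, 161, 123, 600-1023 tcp/udp), numbered 1-6.

# 3. Permit ssh and telnet from the three management PCs only.
#    --addrule inserts at the given position and pushes later rules down.
#    If telnet is not needed, omit the port-23 permits so only ssh remains open.
switch:admin> ipfilter --addrule mgmt_restrict_v4 -rule 1 -sip 10.77.77.1 -dp 22 -proto tcp -act permit
switch:admin> ipfilter --addrule mgmt_restrict_v4 -rule 2 -sip 10.77.77.2 -dp 22 -proto tcp -act permit
switch:admin> ipfilter --addrule mgmt_restrict_v4 -rule 3 -sip 10.77.77.3 -dp 22 -proto tcp -act permit
switch:admin> ipfilter --addrule mgmt_restrict_v4 -rule 4 -sip 10.77.77.1 -dp 23 -proto tcp -act permit
switch:admin> ipfilter --addrule mgmt_restrict_v4 -rule 5 -sip 10.77.77.2 -dp 23 -proto tcp -act permit
switch:admin> ipfilter --addrule mgmt_restrict_v4 -rule 6 -sip 10.77.77.3 -dp 23 -proto tcp -act permit

# 4. Explicit deny for everyone else on 22/23, placed AFTER the permits.
switch:admin> ipfilter --addrule mgmt_restrict_v4 -rule 7 -sip any -dp 22 -proto tcp -act deny
switch:admin> ipfilter --addrule mgmt_restrict_v4 -rule 8 -sip any -dp 23 -proto tcp -act deny

# 5. Commit the transaction, then make the policy the active one.
switch:admin> ipfilter --save mgmt_restrict_v4
switch:admin> ipfilter --activate mgmt_restrict_v4
switch:admin> ipfilter --show
#    mgmt_restrict_v4 should now be listed as active for ipv4.
```

Before closing the session you activated from, open a second ssh session from one of the permitted PCs and confirm it works, and confirm a login attempt from a non-listed address is refused; if anything is wrong, `ipfilter --activate default_ipv4` from the serial console restores the original access. If the switch also has an IPv6 management address, the same treatment is needed on the default_ipv6 policy, since the IPv4 policy does not cover it.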