Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual
Chapter 17. Security
NETGEAR 8800 User Manual
Using ACLs to Control SSH2 Access
You can restrict SSH2 access by creating and implementing an ACL policy. You configure an
ACL policy to permit or deny a specific list of IP addresses and subnet masks for the SSH2
port.
The two methods to load ACL policies to the switch are:
• Use the `edit policy` command to launch a VI-like editor on the switch. You can create the policy directly on the switch.
• Use the `tftp` command to transfer a policy that you created using a text editor on another system to the switch.
For more information about creating and implementing ACLs and policies, see and .
Sample SSH2 Policies
The following are sample policies that you can apply to restrict SSH2 access.
In the following example named MyAccessProfile.pol, the switch permits connections from
the subnet 10.203.133.0/24 and denies connections from all other addresses:
MyAccessProfile.pol
```
Entry AllowTheseSubnets {
    if {
        source-address 10.203.133.0 /24;
    }
    then
    {
        permit;
    }
}
```
In the following example named MyAccessProfile.pol, the switch permits connections from
the subnets 10.203.133.0/24 or 10.203.135.0/24 and denies connections from all other
addresses:
MyAccessProfile.pol
```
Entry AllowTheseSubnets {
    if match any {
        source-address 10.203.133.0 /24;
        source-address 10.203.135.0 /24;
    }
    then
    {
        permit;
    }
}
```
In the following example named MyAccessProfile_2.pol, the switch does not permit
connections from the subnet 10.203.133.0/24 but accepts connections from all other
addresses:
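To check what a policy file will do before loading it onto the switch, the following added example (not from the manual or NETGEAR's software) parses the `Entry { if [match any] { source-address ...; } then { ...; } }` form shown above and evaluates candidate source addresses against it. The second policy string is constructed to mirror the prose description of MyAccessProfile_2; the `deny` keyword, the 0.0.0.0/0 catch-all entry, and the implicit deny when no entry matches are assumptions, not text copied from the manual.

```python
import ipaddress
import re

# Constructed from the manual's second sample: permit two subnets, nothing else.
ALLOW_POLICY = """
Entry AllowTheseSubnets {
    if match any {
        source-address 10.203.133.0 /24;
        source-address 10.203.135.0 /24;
    }
    then { permit; }
}
"""
# Constructed to mirror MyAccessProfile_2's described behaviour; `deny` and the catch-all are assumptions.
DENY_POLICY = """
Entry DenyThisSubnet {
    if { source-address 10.203.133.0 /24; }
    then { deny; }
}
Entry AcceptEveryoneElse {
    if { source-address 0.0.0.0 /0; }
    then { permit; }
}
"""
ENTRY_RE = re.compile(
    r"Entry\s+(?P<name>\S+)\s*\{\s*if(?:\s+match\s+(?P<mode>any))?\s*\{(?P<conds>[^}]*)\}"
    r"\s*then\s*\{(?P<action>[^}]*)\}\s*\}")
COND_RE = re.compile(r"source-address\s+(\S+)\s*/\s*(\d+)\s*;")

def parse_policy(text):
    """Return [(entry_name, mode, [networks], action)] in the order written."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        nets = [ipaddress.ip_network(f"{a}/{p}", strict=False)
                for a, p in COND_RE.findall(m["conds"])]
        action = m["action"].strip().rstrip(";").strip()
        if action not in ("permit", "deny") or not nets:
            raise ValueError(f"entry {m['name']}: unsupported condition or action")
        # Assumption: a plain `if {` requires every listed condition to match.
        entries.append((m["name"], m["mode"] or "all", nets, action))
    return entries

def evaluate(entries, source_ip):
    """First matching entry decides; no match falls through to deny (assumption)."""
    ip = ipaddress.ip_address(source_ip)
    for _name, mode, nets, action in entries:
        matched = (any if mode == "any" else all)(ip in net for net in nets)
        if matched:
            return action
    return "deny"
```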