IP binding

Hi all,

I would like to know about setting up management access to network infrastructure devices.

Using my home test network, I have my Cisco router and my switch on the same management subnet.

For convenience, I want to block management access from all but my Android phone (running ssh client) and laptop connected by WiFi access point plugged into the router and on a home appliance / wireless access vlan.

Should I do this by binding the router leased IP addresses for these devices to their MAC address so I know their IP won't change, and then add these IPs to a permit ACL?

I know this isn't going to be best practice, but is this the way to achieve what I would like, or is there a better way?

Also in general, when should you bind IP to MAC and when should you manually give a device a static IP?

Thanks.


4 Replies

Reza Sharifi
Hall of Fame

Hi,

If you want only a certain IP range to access the network devices, then you can simply allow that subnet.

In this example, your phone, laptop and Wifi are all in 192.168.1.0 subnet.

Create the access list

access-list 50 permit 192.168.1.0  0.0.0.255

then apply it to the vty line

line vty 0 4
 access-class 50 in

and test

HTH

Thanks for the reply, but that would only block access to the management of the router, and not the other devices in the management vlan.

You can apply the access list per host if you don't want to allow everything in that subnet. For example: the access list below allows access from hosts 192.168.1.15, 16, 17 and nothing else.

access-list 50 permit host 192.168.1.15
access-list 50 permit host 192.168.1.16
access-list 50 permit host 192.168.1.17

and so on.....

HTH
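To make the difference between the two ACLs in the replies above concrete (the subnet-wide permit in the first reply versus the per-host permits in the second) and to show the implicit deny that ends every IOS standard ACL, here is a small evaluator of standard ACL wildcard-mask matching. It is added example code for this page, not Cisco's or the poster's, and the candidate source addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the two standard ACLs quoted in the replies above
SUBNET_ACL = ["access-list 50 permit 192.168.1.0 0.0.0.255"]
HOST_ACL = [
    "access-list 50 permit host 192.168.1.15",
    "access-list 50 permit host 192.168.1.16",
    "access-list 50 permit host 192.168.1.17",
]

# Standard ACL syntax: "access-list N permit|deny host X | NET WILDCARD | any"
_LINE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|(\S+)\s+(\S+)|(any))\s*$"
)


def parse_acl(lines):
    """Parse standard IOS ACL lines into (action, network, wildcard) tuples.
    'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 with wildcard 255.255.255.255."""
    entries = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        _num, action, host, net, wild, any_ = m.groups()
        if host:
            net, wild = host, "0.0.0.0"
        elif any_:
            net, wild = "0.0.0.0", "255.255.255.255"
        entries.append((action, int(ipaddress.IPv4Address(net)),
                        int(ipaddress.IPv4Address(wild))))
    return entries


def evaluate(entries, src):
    """First matching entry wins. A wildcard bit of 1 means 'don't care', so the
    comparison is done only on the bits where the wildcard is 0. A source that
    matches nothing falls through to the implicit deny at the end of the ACL."""
    addr = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if (addr & care) == (net & care):
            return action
    return "deny"  # implicit deny


def who_gets_in(lines, candidates):
    """Map each candidate source address to the ACL verdict for it."""
    entries = parse_acl(lines)
    return {c: evaluate(entries, c) for c in candidates}
```

With the subnet-wide ACL, any host on 192.168.1.0/24 (for example a constructed 192.168.1.99) is permitted; with the per-host ACL only .15, .16 and .17 pass and everything else, on or off the subnet, hits the implicit deny.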

I'm not sure you understand me.

I want to control access to all devices in the management vlan, not just the Cisco router.
