06-11-2013 10:42 AM - edited 03-07-2019 01:50 PM
Hi all,
I would like to know about setting up management access to network infrastructure devices.
Using my home test network, I have my Cisco router and my switch on the same management subnet.
For convenience, I want to block management access from all but my Android phone (running an SSH client) and laptop, which connect through a WiFi access point plugged into the router and on a home appliance / wireless access VLAN.
Should I do this by binding the router's leased IP addresses for these devices to their MAC addresses so I know their IPs won't change, and then add these IPs to a permit ACL?
I know this isn't going to be best practice, but is this the way to achieve what I would like, or is there a better way?
Also in general, when should you bind IP to MAC and when should you manually give a device a static IP?
Thanks.
06-11-2013 10:54 AM
Hi,
If you want only a certain IP range to access the network devices, then you can simply allow that subnet.
In this example, your phone, laptop and WiFi are all in the 192.168.1.0 subnet.
Create the access list:
access-list 50 permit 192.168.1.0 0.0.0.255
then apply it to the vty lines:
line vty 0 4
 access-class 50 in
and test.
HTH
06-11-2013 02:01 PM
Thanks for the reply, but that would only block access to the management of the router, and not the other devices in the management VLAN.
06-11-2013 04:48 PM
You can apply the access list per host if you don't want to allow everything in that subnet. For example, the access list below allows access from hosts 192.168.1.15, .16 and .17 and nothing else:
access-list 50 permit host 192.168.1.15
access-list 50 permit host 192.168.1.16
access-list 50 permit host 192.168.1.17
and so on.....
HTH
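The per-host approach from the reply above, written out as a complete example configuration (added here; it is not from any of the posts in this thread). It assumes the phone and laptop have been pinned to 192.168.1.15 and 192.168.1.16 as the original poster proposed, that SSH is already enabled on each device (hostname, domain name and RSA key present), and that a local username exists. Because a vty access-class is enforced by each device for its own CLI only, the same block is applied on the router and on the switch, which is what it takes to cover every device in the management VLAN.

```cisco
! Example configuration added here, not from the thread.
! Assumed addresses: 192.168.1.15 = Android phone, 192.168.1.16 = laptop
! (fixed DHCP leases or static addresses, so they do not drift).
! Apply this on the router AND on the switch: access-class on the vty
! lines protects only the device it is configured on.

! Local account used by "login local" below (placeholder password).
username admin privilege 15 secret REPLACE_WITH_STRONG_PASSWORD

! Standard ACL: only the two named hosts may open a CLI session.
! Standard ACLs end in an implicit "deny any"; the explicit deny with
! "log" makes rejected attempts visible in syslog / "show logging".
access-list 50 remark Management access: phone and laptop only
access-list 50 permit host 192.168.1.15
access-list 50 permit host 192.168.1.16
access-list 50 deny   any log

! Filter the virtual terminal lines by source and accept SSH only
! (no Telnet), with an idle timeout.
line vty 0 4
 access-class 50 in
 transport input ssh
 login local
 exec-timeout 10 0

! Many switches also have lines 5-15; leave none of them unfiltered.
line vty 5 15
 access-class 50 in
 transport input ssh
 login local
 exec-timeout 10 0

! Verify:
!   show access-lists 50      -> per-entry match counters
!   show line vty 0           -> access-class in effect on the line
!   show logging              -> denied attempts from the "log" entry
```

An SSH attempt from any other address in 192.168.1.0/24 is refused at the vty line and shows up as a match on the deny entry, which is the quickest way to confirm the list is actually applied on each device.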
06-11-2013 07:48 PM
I'm not sure you understand me.
I want to control access to all devices in the management VLAN, not just the Cisco router.
