Need help with Access Profiles rules for Management Access

aseem1234
Level 1

Hi all,

I need some help with some access profiles rules I have created on my SG300-10 switch. Basically, I'm trying to restrict access to the HTTPS web GUI via IP address. 

I went to Security - Management Access Method and clicked on Access Profiles. I then created new profile with two rules:

1. The first rule I gave a priority of 1 and applied it to all interfaces. For the source IP, I typed in the IP address that I want to permit. I selected Permit for this rule. 

2. The second rule I gave a priority of 2 and applied it to all interfaces also. For this rule, I applied the rule to all source IP addresses and I selected Deny. 

I also made sure to select the new profile under the Active Access Profile section. 

The problem is that I can access the management interface from any IP address still. I'm not sure what's wrong with my rules. I thought the lower priority rule was supposed to be processed first and then the higher priority rules? 

I have also attached screenshots of the two rules. 

Thanks in advance!

Aseem

1 Accepted Solution


Sorry, I meant to say "subnet mask": change this from 255.255.255.0 to 255.255.255.255.

Regards,

PD: Please remember to rate the answer if this information was useful.

6 Replies

Diana Karolina Rojas
Cisco Employee

Hello good afternoon!

Question: Are the other computers (to which you want to limit access) on the same subnet (192.168.1.0/24) as the machine you want to allow (192.168.1.233)?

Try changing rule 1 by setting the Mask as a host, that is /32 (255.255.255.255).

Regards,

PD: Please remember to rate the answer if this information was useful.

Hi,

Thanks for the help. I'm trying to block all other IP addresses on the subnet from accessing the GUI except for 192.168.1.233. 

I looked at rule 1 and there doesn't seem to be any way to add a MAC address. It just asks for IPv4 or IPv6 addresses. When I tried to enter a MAC address into that field, it gives an error stating that it's not a valid IPv4 address. 

Any particular reason why these two rules aren't working? Shouldn't they be working as is?

Thanks,

Aseem

Sorry, I meant to say "subnet mask": change this from 255.255.255.0 to 255.255.255.255.

Regards,

PD: Please remember to rate the answer if this information was useful.

Hi,

YES THAT WORKED! Can you explain why this works? It doesn't make any sense to me at all. Is there a support article from Cisco explaining this online as well?

Thanks very much for your excellent help! 

Hi!

The rules you are configuring work as an access list: the mask that you place tells the router which bits are significant when granting access. By placing the mask /24 (255.255.255.0) you are allowing the entire network 192.168.1.X to have access, because the last octet, whose mask bits are 0, is not taken into account. By placing a mask /32, all the bits of the IP address requesting access are taken into account, and that is why only a request coming from the IP 192.168.1.233 is accepted.

It was a pleasure to have helped you,
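To make the mask behaviour above concrete, here is a small simulation of how an access profile evaluates a client address against its rules. This is an added example written for this page, not Cisco code and not what the SG300 runs internally. It assumes what the thread describes: rules are tried in ascending priority order, the first matching rule decides, the mask is a network mask (1 bits are compared, 0 bits ignored, not an IOS-style wildcard mask), and the "all source IP addresses" deny rule is modelled as 0.0.0.0 with mask 0.0.0.0. The default action when nothing matches is an assumption and never reached with these rule sets.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One access-profile rule, modelled after the fields in the SG300 GUI."""
    priority: int   # lower number is evaluated first (assumption from the thread)
    source: str     # source IPv4 address to compare against
    mask: str       # network mask: 1 bits are compared, 0 bits are ignored
    action: str     # "permit" or "deny"


def matches(rule: Rule, client_ip: str) -> bool:
    """A rule matches when the client address agrees with the rule's source
    on every bit that is set in the mask."""
    src = int(ipaddress.IPv4Address(rule.source))
    mask = int(ipaddress.IPv4Address(rule.mask))
    ip = int(ipaddress.IPv4Address(client_ip))
    return (ip & mask) == (src & mask)


def evaluate(rules: list[Rule], client_ip: str, default: str = "deny") -> str:
    """First-match evaluation in priority order; 'default' applies only when
    no rule matches (an assumption, not documented on the page)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, client_ip):
            return rule.action
    return default


def address_count(rule: Rule) -> int:
    """How many distinct source addresses a rule can match: one per
    combination of the bits the mask ignores."""
    ignored_bits = 32 - bin(int(ipaddress.IPv4Address(rule.mask))).count("1")
    return 2 ** ignored_bits


def overly_broad_permits(rules: list[Rule]) -> list[Rule]:
    """Audit helper: permit rules whose mask is not a host mask (/32).
    Any such rule admits more than the single address typed into it."""
    return [r for r in rules if r.action == "permit" and r.mask != "255.255.255.255"]


# Constructed rule sets: the original (broken) profile and the corrected one.
DENY_ALL = Rule(priority=2, source="0.0.0.0", mask="0.0.0.0", action="deny")
BROKEN = [Rule(1, "192.168.1.233", "255.255.255.0", "permit"), DENY_ALL]
FIXED = [Rule(1, "192.168.1.233", "255.255.255.255", "permit"), DENY_ALL]


if __name__ == "__main__":
    for label, profile in (("broken /24", BROKEN), ("fixed /32", FIXED)):
        for client in ("192.168.1.233", "192.168.1.50", "10.0.0.5"):
            print(f"{label:10}  {client:15} -> {evaluate(profile, client)}")
        print(f"{label:10}  permit rule admits {address_count(profile[0])} address(es)")
        print(f"{label:10}  overly broad permits: {len(overly_broad_permits(profile))}")
```

With the /24 mask the permit rule admits all 256 addresses of 192.168.1.0/24, so the deny rule at priority 2 is never reached for any host on that LAN; with /32 only 192.168.1.233 is permitted and everything else falls through to the deny. The audit helper is the check to run before activating a profile: a permit rule whose mask is not 255.255.255.255 is almost always a mistake when the intent is to allow one management host.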

Ahh, I see... I was thinking that was kind of a subnet mask, but that's why it says network mask. Now it makes perfect sense. Thanks again!
