Configuring Permit Lists
The IP permit list is a CatOS feature that restricts Telnet and SNMP access to the switch to a set of authorized source IP addresses. IP permit lists do not affect traffic that transits the switch or that the switch itself originates; they apply only to inbound Telnet and SNMP traffic whose destination address is the management address of the switch.
Each IP permit entry is an IP address and subnet mask pair that is granted Telnet or SNMP access. If no mask is specified for an entry, or if a hostname is entered instead of an IP address, the mask takes an implicit value of all 1s (255.255.255.255), so the entry matches that single host address. The number of permit entries that can be configured on a switch is limited to a maximum of 100.
To configure IP permit lists on a switch running CatOS code, use the following commands:
1. Use this command to enable the IP permit list for Telnet, SNMP, or SSH access:
set ip permit enable <telnet | snmp | ssh>
2. Use this command to specify the IP addresses that are added to the permit list:
set ip permit <ip_address> <mask> <telnet | snmp | ssh | all>
Figure B.1 displays a small network containing devices that need network management access to the switch. Telnet access to the switch should be allowed from any machine within the 192.168.0.0/16 network, and SNMP access only from the four management stations shown. The following is an example of configuring an IP permit list for the Catalyst switch in Figure B.1 using CatOS commands:
set ip permit enable telnet
set ip permit enable snmp
set ip permit 192.168.0.0 255.255.0.0 telnet
set ip permit 192.168.24.12 snmp
set ip permit 192.168.24.15 snmp
set ip permit 192.168.24.16 snmp
set ip permit 192.168.40.250 snmp
Figure B.1: Catalyst switch using IP permit lists.
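To make the matching rules above concrete, here is an added Python model of how a CatOS IP permit list evaluates a connection attempt. It is example code written for this page, not Cisco software: it parses the `set ip permit` lines from Figure B.1, applies the implicit all-ones mask when the mask is omitted or a hostname is given, enforces the 100-entry limit, and ignores traffic not destined for the management address. The management address 192.168.24.1 and the hostname table `HOSTS` are assumptions (the figure does not give them), and hostnames are resolved from that constructed table rather than DNS so the example runs offline.

```python
"""Model of CatOS IP permit-list matching (added example; not Cisco code).

Rules modelled from the appendix text: entries are address/mask pairs; an
omitted mask, or a hostname in place of an address, means an implicit
255.255.255.255 host match; at most 100 entries; only inbound Telnet/SNMP/SSH
to the switch's management address is checked.
"""
import ipaddress

MAX_ENTRIES = 100
SERVICES = {"telnet", "snmp", "ssh"}
HOST_MASK = 0xFFFFFFFF

# Constructed hostname table standing in for DNS (assumption for this example).
HOSTS = {"nms.example.net": "192.168.24.12"}


def to_int(text):
    """Dotted-quad IPv4 address (or a name present in HOSTS) -> 32-bit int."""
    return int(ipaddress.IPv4Address(HOSTS.get(text, text)))


class PermitList:
    def __init__(self, mgmt_ip):
        self.mgmt = to_int(mgmt_ip)   # management address of the switch
        self.enabled = set()          # services the permit list is enabled for
        self.entries = []             # (network_int, mask_int, service)

    def enable(self, service):
        if service not in SERVICES:
            raise ValueError("unknown service %r" % service)
        self.enabled.add(service)

    def add(self, host, mask=None, service="all"):
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError("permit list full (%d entries)" % MAX_ENTRIES)
        # No mask given, or a hostname instead of an address: implicit all-1s mask.
        mask_int = HOST_MASK if (mask is None or host in HOSTS) else to_int(mask)
        self.entries.append((to_int(host) & mask_int, mask_int, service))

    def load(self, config_text):
        """Parse 'set ip permit ...' lines in the form shown in the appendix."""
        for raw in config_text.splitlines():
            tok = raw.split()
            if tok[:3] != ["set", "ip", "permit"] or len(tok) < 5:
                continue
            if tok[3] == "enable":
                self.enable(tok[4])
            elif len(tok) == 5:            # set ip permit <host> <service>
                self.add(tok[3], None, tok[4])
            else:                          # set ip permit <ip> <mask> <service>
                self.add(tok[3], tok[4], tok[5])
        return self

    def permits(self, src_ip, dst_ip, service):
        """True if an inbound packet for `service` passes the permit list."""
        if to_int(dst_ip) != self.mgmt:
            return True   # transit / non-management traffic is not filtered
        if service not in self.enabled:
            return True   # list not enabled for this service: no restriction
        src = to_int(src_ip)
        return any(src & mask == net and svc in (service, "all")
                   for net, mask, svc in self.entries)


# Configuration from Figure B.1.
FIGURE_B1_CONFIG = """\
set ip permit enable telnet
set ip permit enable snmp
set ip permit 192.168.0.0 255.255.0.0 telnet
set ip permit 192.168.24.12 snmp
set ip permit 192.168.24.15 snmp
set ip permit 192.168.24.16 snmp
set ip permit 192.168.40.250 snmp
"""

MGMT_IP = "192.168.24.1"   # assumed management address (not in the figure)


def build_example():
    return PermitList(MGMT_IP).load(FIGURE_B1_CONFIG)


if __name__ == "__main__":
    pl = build_example()
    for src, svc in [("192.168.24.12", "telnet"), ("10.1.1.1", "telnet"),
                     ("192.168.24.13", "snmp"), ("192.168.40.250", "snmp")]:
        verdict = "permit" if pl.permits(src, MGMT_IP, svc) else "deny"
        print("%-6s from %-15s -> %s" % (svc, src, verdict))
```

Run as a script it prints a verdict per sample connection: Telnet from anywhere in 192.168.0.0/16 is permitted, Telnet from 10.1.1.1 and SNMP from the unlisted 192.168.24.13 are denied. Because SSH is never enabled in the Figure B.1 configuration, the model leaves SSH unrestricted, which is a useful reminder that each service must be enabled separately for the list to apply to it.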