For added security, I wanted to restrict access to my Cisco SG300-10 switch to only one IP address on my local subnet. After initially setting up my new switch a few weeks ago, I was unhappy to learn that anyone connected to my local or wireless network can get to the login page simply by knowing the device’s IP address.
I ended up going through a 500 page manual to figure out how to block all IPs except the ones I need to access control. After a lot of testing and a few posts on the Cisco forums, I figured it out! In this article, I will walk you through how to configure access profiles and profile rules for a Cisco switch.
Note. The next method I’m going to describe also allows you to restrict access to any number of enabled services on your switch. For example, you can restrict access to SSH, HTTP, HTTPS, Telnet, or all of these services by IP address.
Create an access profile for administration and rules
To get started, log into your switch web interface and expand Security, and then expand Mgmt Access Method. Go ahead and click on “Access Profiles”.
The first thing we need to do is create a new access profile. By default, you should only see the Console Only profile. Also, you will notice at the top that next to the Active Access Profile is set to None. After we have created our profile and rules, we will need to select a profile name here to activate it.
Now click the Add button and a dialog box should appear where you can name your new profile and add the first rule for the new profile.
At the top, give your new profile a name. All other fields refer to the first rule that will be added to the new profile. You must select a value between 1 and 65535 for the priority of the rule. The way Cisco works is that the rule with the lowest priority is applied first. If it doesn’t match, the next lowest priority rule is applied.
In my example, I chose priority 1 because I want this rule to be processed first. This rule will be the one that allows the IP address that I want to give access to the switch. In the “Management method” section, you can choose a specific service or anything that will restrict everything. In my case, I chose everything because I only have SSH and HTTPS enabled anyway, and I manage both services from the same computer.
Please note that if you only want to secure SSH and HTTPS, you will need to create two separate rules. The action can only be “Deny” or “Allow”. In my example, I chose Permit, as this will be for the resolved IP. Then you can apply the rule to a specific interface on the device, or just leave it as All so that it applies to all ports.
In the Applies to Source IP section, we have to select User Defined here and then select Version 4, unless you are running in an IPv6 environment, in which case you would select Version 6. Now enter the IP address that will be allowed access and enter in the netmask that matches all the relevant bits to look out for.
For example, since my IP address is 192.168.1.233, I need to check the entire IP address, and hence I need the netmask 255.255.255.255. If I wanted the rule to apply to everyone in the entire subnet, I would use the mask 255.255.255.0. This will mean that anyone with the 192.168.1.x address will be allowed. Obviously I don’t want to do this, but hopefully it explains how to use a netmask. Please note that the netmask is not the subnet mask for your network. The netmask simply tells which bits Cisco should look at when applying the rule.
Click Apply and you should now have a new access profile and rule! Click on “Profile Rules” in the left menu and you should see a new rule listed at the top.
Now we need to add our second rule. To do this, click the Add button under the profile rules table.
The second rule is really simple. First, make sure the access profile name matches the one we just created. Now we just give the rule a priority of 2 and choose Deny for the action. Make sure everything else is set to Everything. This means that all IP addresses will be blocked. However, since our first rule will be processed first, this IP address will be resolved. After matching a rule, other rules are ignored. If the IP address does not match the first rule, it goes to the second rule where it will match and be blocked. Excellent!
Finally, we need to activate the new access profile. To do this, go back to Access Profiles and select a new profile from the drop-down list at the top (next to Active Access Profile). Be sure to click Apply and you’re done.
Remember that the configuration is currently only saved in the current configuration. Make sure you go to Administration – File Management – Copy / Save Configuration to copy the current configuration to the launch configuration.
If you want to allow more than one IP address to access the switch, simply create another rule similar to the first, but give it a higher priority. You should also make sure that you change the priority of the Deny rule to take precedence over all Permit rules. If you run into problems or can’t get this to work, feel free to write in the comments and I’ll try to help. Enjoy!