Access Control

Access to the Cisco Nexus 3550-F Fusion (formerly ExaLINK Fusion) management interface can be controlled through access control rules, which can be used to allow or deny specific IP address ranges.

Take care when specifying access control rules: a mistake can block all access. If the device uses services that require access to other servers, such as SNMP or TACACS+, remember to add rules to allow access to those machines.

Configuring Access Control

Typically rules are set to allow a certain range of addresses and block all others. Add the allow rules before the deny rules.

To grant access to connections originating from IP addresses 192.168.220.* and 192.168.7.1:

admin@N3550-F> configure management access-list allow 192.168.220.0/24
Access control rules updated
admin@N3550-F> configure management access-list allow 192.168.7.1
Access control rules updated
admin@N3550-F> show management access-list
Policy Address
------ -------------
allow  192.168.220.0/24
allow  192.168.7.1

To deny access from all other addresses:

admin@N3550-F> configure management access-list deny 0.0.0.0/0
Access control rules updated
admin@N3550-F> show management access-list
Policy Address
------ -------------
deny   0.0.0.0/0
allow  192.168.220.0/24
allow  192.168.7.1
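
A planned rule set can be checked offline before it is typed into the device. The following Python script is an added example, not part of the Cisco documentation and not a device feature: it flags allow rules entered after a deny rule and required hosts that a deny rule covers without a matching allow rule. The function names, the host addresses in REQUIRED, and the coverage model (a denied address is reachable only if some allow rule covers it) are assumptions.

```python
import ipaddress

PREFIX = ["configure", "management", "access-list"]

def parse_rules(commands):
    """Parse access-list commands, in entry order, into (policy, network) pairs."""
    rules = []
    for line in commands:
        parts = line.split()
        if len(parts) != 5 or parts[:3] != PREFIX or parts[3] not in ("allow", "deny"):
            raise ValueError(f"not an access-list allow/deny command: {line!r}")
        # strict=True rejects host bits in a prefix (e.g. 192.168.220.5/24), a likely typo
        rules.append((parts[3], ipaddress.ip_network(parts[4], strict=True)))
    return rules

def preflight(commands, required):
    """Return a list of problems; an empty list means no lockout was found."""
    rules = parse_rules(commands)
    allows = [net for policy, net in rules if policy == "allow"]
    denies = [net for policy, net in rules if policy == "deny"]
    problems = []
    seen_deny = False
    for policy, net in rules:
        if policy == "deny":
            seen_deny = True
        elif seen_deny:
            # The page says to add the allow rules before the deny rules
            problems.append(f"allow {net} is entered after a deny rule")
    for name, addr in required.items():
        ip = ipaddress.ip_address(addr)
        # Assumption: a denied address is reachable only if some allow rule covers it
        if any(ip in net for net in denies) and not any(ip in net for net in allows):
            problems.append(f"{name} ({addr}) is denied and has no allow rule")
    return problems

# The rule set from this page, in the order it is entered
PLAN = [
    "configure management access-list allow 192.168.220.0/24",
    "configure management access-list allow 192.168.7.1",
    "configure management access-list deny 0.0.0.0/0",
]
# Constructed sample hosts that must keep working (not from the page)
REQUIRED = {"admin workstation": "192.168.220.15", "snmp manager": "192.168.7.1",
            "tacacs server": "10.20.0.5"}

if __name__ == "__main__":
    for problem in preflight(PLAN, REQUIRED) or ["no problems found"]:
        print(problem)
```

With the constructed hosts above, the page's rule set is reported as cutting off the TACACS+ server, which is the case the warning at the top of this page describes.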

To reset the rules:

admin@N3550-F> configure no management access-list
Access control rules reset

Recovery

If the rules are entered in the wrong order, or are entered incorrectly, you can block your own access. To recover from this, log on through the serial port of the Nexus 3550-F and change the rule set.