How to limit management access to ERS/VSP?

[sergey_ta]

Hello!
In documentation for ERS-4000/5000  (NN48500-594) I found possibility to limit management (telnet, ssh, snmp, web) access to switch by one ACL:

ERS-Stackable(config)# ipmgr ?
snmp   Enable IP Manager control over SNMP traffic.
source-ip  Set source IP address from which connections are allowed
ssh  Enable IP Manager control over SSH sessions.
telnet  Enable IP Manager control over TELNET sessions.
web  Enable IP Manager control over WEB connections.

I want to provide managment access to switches only for management subnet and restrict for others (for example in LAN users would have default gateway on ERS switch but I don’t want that they could telnet/ssh to this switch). For this purpose I could apply ACL for every L3 interface on switch but it is not very scalable. As far as I understand I could use one “special” ACL – ipmgr, am I right? Do somebody use it?
I try to find something like this for ERS8800/VSP9000 but could not. What is the simplest way to limit access to ERS8800/VSP9000?

[Dominik]

You can handele the management access to a ERS8k with access-policys.

In this document you can find more informations about access-policys:
http://downloads.avaya.com/css/P8/documents/100123898

Here is an example how to limit the access for SNMPv3 and SSH:

Code: [Select]

sys access-policy enable true
sys access-policy policy 1 mode deny
sys access-policy policy 1 service snmpv3 enable
sys access-policy policy 2 create
sys access-policy policy 2 accesslevel rwa
sys access-policy policy 2 name "YOUR Policy Name"
sys access-policy policy 2 username ""
sys access-policy policy 2 network x.x.x.x/24
sys access-policy policy 2 service ssh enable
sys access-policy policy 2 service snmpv3 enable
Good Luck

[sergey_ta]

Dominik, thank you!