
Author Topic: Make VLAN not MGM on Nortel 8630


Offline dimitry-nov

  • Rookie
  • Posts: 8
Make VLAN not MGM on Nortel 8630
« on: May 27, 2014, 03:37:33 AM »
Hello!
Sorry for my English.
I have a LAN with two Nortel 8630 routers. They use VRRP and SMLT.
Every VLAN in my LAN has two router addresses, X.X.X.200 and X.X.X.201. The VRRP address is X.X.X.1.
But I was shocked when I found that every VLAN can use these addresses to manage the routers. SNMP, HTTP and other services can be accessed from all hosts.
I want only one VLAN to be the management VLAN. How can I block the management services on the other VLANs?


Offline Théo

  • Jr. Member
  • Posts: 34
Re: Make VLAN not MGM on Nortel 8630
« Reply #1 on: May 27, 2014, 08:14:07 AM »
Hi Dimitry-nov,

You can filter management access with an access-policy.
For example, you can define services (http, ftp, telnet, ssh...) and specify a host or a subnet.
So, in your case, you can just specify the subnet associated with your MGMT VLAN.
The commands start with "config sys access-policy policy <ID>".
If you want more information about access-policy, ask again ;)

regards,

Théo
ACIS 6103 - ACSS 3605

Offline dimitry-nov

  • Rookie
  • Posts: 8
Re: Make VLAN not MGM on Nortel 8630
« Reply #2 on: May 28, 2014, 12:27:19 AM »
I tried to apply the same configs, but it doesn't work.

Please show me how to do that:
VLAN 1: subnet 192.168.1.0/24, VRRP address 192.168.1.1, R1 192.168.1.200, R2 192.168.1.201
VLAN 2: subnet 192.168.2.0/24, VRRP address 192.168.2.1, R1 192.168.2.200, R2 192.168.2.201

How can I enable telnet, snmp, ftp and http on the VLAN 1 router interfaces and disable them on the VLAN 2 router interfaces?

Offline jfarinha

  • Full Member
  • Posts: 67
Re: Make VLAN not MGM on Nortel 8630
« Reply #3 on: June 01, 2014, 12:01:53 PM »
I am not sure you can accomplish what you are trying to do...

The 8600 is still the same, independently of the IP address you use to connect to it, 192.168.1.1 or 192.168.2.1.

Now, what you can do, as Theo explained, is limit management access to a few source IP addresses. For example, you can define that only devices with a source address in the subnet 192.168.1.0/24 can do management activities. Or you can be even more specific and define that only one host can manage your 8600s, like 192.168.1.10 (if that was your management station).

It can be done with the following syntax (example for two policies on the same switch):

sys access-policy enable true
sys access-policy policy 1 network 192.168.1.10/255.255.255.255
sys access-policy policy 1 service ftp enable
sys access-policy policy 2 create
sys access-policy policy 2 name "Management Network"
sys access-policy policy 2 network 192.168.1.0/255.255.255.0
sys access-policy policy 2 service http enable
sys access-policy policy 2 service telnet enable
sys access-policy policy 2 service tftp enable
sys access-policy policy 2 service ftp enable
sys access-policy policy 2 service snmp enable

And in this case, although only hosts in 192.168.1.0/24 can access the management services of the 8600s, they can use any of the IP addresses of the equipment to connect (192.168.1.1 or 192.168.2.1).

I hope it works for you!
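To see what the access-policy lines in jfarinha's reply (and the `config sys access-policy policy <ID>` mechanism Théo pointed to) actually admit, here is an added example that is not code from the thread or from Nortel/Avaya: it parses those lines and evaluates each source host against each management service. It uses a deliberately simplified model of access-policy matching, which is an assumption of this example rather than documented ERS 8600 behaviour: a policy matches when the source address lies inside its network/mask, and a service is admitted when at least one matching policy enables it; precedence, deny mode, access levels and any default policy are ignored. The configuration text and the test hosts are constructed sample input.

```python
"""Evaluate which source hosts the access-policy lines posted above admit
to which management services on an ERS 8600.

Added example, not code from the forum thread or from Nortel/Avaya.
Assumption: a simplified model of access-policy matching is used here,
not the documented switch behaviour:
  * a policy matches when the source address lies inside its network/mask;
  * a service is admitted when at least one matching policy enables it;
  * precedence, deny mode, access level and any default policy are ignored.
"""
import ipaddress
from collections import defaultdict

# Constructed sample input: the policy lines from the reply above.
SAMPLE_CONFIG = """
sys access-policy enable true
sys access-policy policy 1 network 192.168.1.10/255.255.255.255
sys access-policy policy 1 service ftp enable
sys access-policy policy 2 create
sys access-policy policy 2 name "Management Network"
sys access-policy policy 2 network 192.168.1.0/255.255.255.0
sys access-policy policy 2 service http enable
sys access-policy policy 2 service telnet enable
sys access-policy policy 2 service tftp enable
sys access-policy policy 2 service ftp enable
sys access-policy policy 2 service snmp enable
"""


def parse_policies(config_text):
    """Parse 'sys access-policy ...' lines.

    Returns (global_enabled, policies) where policies maps the policy id to
    {"network": IPv4Network or None, "services": set of enabled service names}.
    """
    global_enabled = False
    policies = defaultdict(lambda: {"network": None, "services": set()})
    for raw in config_text.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["sys", "access-policy"]:
            continue
        if tokens[2:4] == ["enable", "true"]:
            global_enabled = True
        elif len(tokens) >= 5 and tokens[2] == "policy":
            # 'create' and 'name' lines only materialise the policy entry
            pol = policies[int(tokens[3])]
            if tokens[4] == "network" and len(tokens) >= 6:
                addr, mask = tokens[5].split("/")
                pol["network"] = ipaddress.IPv4Network((addr, mask), strict=False)
            elif tokens[4] == "service" and len(tokens) >= 7 and tokens[6] == "enable":
                pol["services"].add(tokens[5])
    return global_enabled, dict(policies)


def is_allowed(policies, global_enabled, source_ip, service):
    """True if a host at source_ip would be admitted to the named service.

    The destination address (192.168.1.1, 192.168.2.1, ...) is deliberately
    not a parameter: access policies filter on the source only.
    """
    if not global_enabled:
        return True  # assumption: with policies disabled nothing is filtered
    src = ipaddress.IPv4Address(source_ip)
    return any(
        pol["network"] is not None and src in pol["network"] and service in pol["services"]
        for pol in policies.values()
    )


def access_matrix(config_text, hosts, services):
    """Map each host to {service: admitted?} under the given configuration."""
    enabled, policies = parse_policies(config_text)
    return {h: {s: is_allowed(policies, enabled, h, s) for s in services} for h in hosts}


if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.50", "192.168.2.5"]  # constructed test sources
    services = ["ftp", "http", "snmp", "telnet", "ssh"]
    matrix = access_matrix(SAMPLE_CONFIG, hosts, services)
    print("source          " + "".join(f"{s:>8}" for s in services))
    for host, row in matrix.items():
        print(f"{host:<16}" + "".join(f"{'allow' if row[s] else 'deny':>8}" for s in services))
```

The printed matrix makes jfarinha's point concrete: a host in 192.168.2.0/24 is refused every service, while any host in 192.168.1.0/24 is admitted whichever router address it connects to, because the destination address is never consulted. It also shows that ssh is admitted to nobody under this configuration, since no policy enables it; enable only the services the management station really uses, and prefer ssh to telnet and ftp where the switch software supports it.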