Cisco Support Community

How to block IP address access to a CatOS switch with the IP permit list

Resolution

The IP permit list prevents inbound Telnet and Simple Network Management Protocol (SNMP) access to the switch from unauthorized source IP addresses. All other TCP/IP services (such as IP traceroute and IP ping) continue to work normally when you enable the IP permit list. Outbound Telnet, TFTP, and other IP-based services are unaffected by the IP permit list.

Telnet attempts from unauthorized source IP addresses are denied a connection. SNMP requests from unauthorized IP addresses receive no response; the request times out.

To configure an IP permit list, issue the set ip permit ip_address [mask] [telnet | snmp | ssh] command.

To verify the IP permit list configuration, issue the show ip permit command.

This example shows how to add IP addresses to the IP permit list and verify the configuration:

Console> (enable) set ip permit 172.16.0.0 255.255.0.0 telnet
172.16.0.0 with mask 255.255.0.0 added to telnet permit list.
Console> (enable) set ip permit 172.20.52.32 255.255.255.224 snmp
172.20.52.32 with mask 255.255.255.224 added to snmp permit list.
Console> (enable) set ip permit 172.20.52.3 all
172.20.52.3 added to IP permit list.
Console> (enable) show ip permit

Telnet permit list feature enabled.
Snmp permit list feature enabled.
Permit List        Mask                Access Type   
----------------   ----------------    -------------
172.16.0.0         255.255.0.0         telnet
172.20.52.3                            snmp telnet
172.20.52.32       255.255.255.224     snmp
Denied IP Address   Last Accessed Time Type    Telnet Count   SNMP Count
-----------------   ------------------ ------  ------------   ----------
172.100.101.104     01/20/97,07:45:20  SNMP              14         1430
172.187.206.222     01/21/97,14:23:05  Telnet             7          236

To enable the IP permit list, issue the set ip permit enable [telnet | snmp | ssh] command.

Before enabling the IP permit list, make sure you add the IP address of your workstation or network management system to the permit list, especially when configuring through SNMP. Failure to do so could result in your connection being dropped by the switch.
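The pre-enable check described above can be scripted against captured show ip permit output. The following is an added example, not Cisco code: the function names are hypothetical, the sample text is constructed from the output shown earlier, and an entry with no mask is treated as a single host.

```python
import ipaddress

# Constructed sample: permit-list portion of the `show ip permit` output above.
SAMPLE = """\
Permit List        Mask                Access Type
----------------   ----------------    -------------
172.16.0.0         255.255.0.0         telnet
172.20.52.3                            snmp telnet
172.20.52.32       255.255.255.224     snmp
Denied IP Address   Last Accessed Time Type    Telnet Count   SNMP Count
-----------------   ------------------ ------  ------------   ----------
172.100.101.104     01/20/97,07:45:20  SNMP              14         1430
"""

def parse_permit_list(text):
    """Return [(network, {services})] from the 'Permit List' table only."""
    entries, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Permit List"):
            in_table = True
            continue
        if line.startswith("Denied IP Address"):
            break  # the denied-access history is not part of the permit list
        fields = line.split()
        if not in_table or not fields or set(line.strip()) <= {"-", " "}:
            continue
        addr = fields[0]
        # Assumption: a row without a mask column is a host entry (/32).
        if len(fields) > 1 and fields[1][0].isdigit():
            mask, services = fields[1], fields[2:]
        else:
            mask, services = "255.255.255.255", fields[1:]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, set(services)))
    return entries

def is_permitted(entries, source_ip, service):
    """True if source_ip matches an entry that allows the given service."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net and service in svcs for net, svcs in entries)

def lockout_risks(entries, stations):
    """stations: {ip: [services it must keep]}; return pairs that would be denied."""
    return [(ip, svc) for ip, svcs in stations.items()
            for svc in svcs if not is_permitted(entries, ip, svc)]
```

An empty result from lockout_risks for your workstation and network management system addresses means those sources are covered by the list as captured; the check only evaluates the entries and does not look at whether the feature is enabled for each service.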

It is recommended that you disable the IP permit list before clearing IP permit entries or host addresses.

To disable the IP permit list, issue the set ip permit disable [telnet | snmp | ssh] command.

To clear the IP permit list, issue the clear ip permit {ip_address} [mask] [telnet | ssh | snmp | all] command.

This example shows how to clear an IP permit list entry:

Console> (enable) set ip permit disable all
Console> (enable) clear ip permit 172.100.101.102
172.100.101.102 cleared from IP permit list.
Console> (enable) clear ip permit 172.160.161.0 255.255.192.0 snmp
172.160.128.0 with mask 255.255.192.0 cleared from snmp permit list.
Console> (enable) clear ip permit 172.100.101.102 telnet
172.100.101.102 cleared from telnet permit list.
Console> (enable) clear ip permit all
IP permit list cleared.
Console> (enable)

For more information, refer to Configuring the IP Permit List.

Comments
New Member

set ip permit disable [telnet | snmp | ssh]

set ip telnet server disable 

cisco support forums

https://chat.whatsapp.com/2hFe5XSp0EWB8etRRLm8IK
