Switch management access

Hello,
A Cisco 3560 configured with management VLAN 10 (IP 10.10.10.10) can be accessed via SSH. I added a new management interface, VLAN 60 (IP 10.10.60.10), which can also be accessed via SSH.
When I remove interface VLAN 10, I can no longer access the switch, although IP 10.10.60.10 is reachable. I tried changing transport input to include telnet, same behavior.
What am I missing here?
Thanks
Switch Ports Model              SW Version            SW Image
*    1 52    WS-C3560-48PS      12.2(53)SE2           C3560-IPBASEK9-M

Brendan
Is this switch meant to be acting as an L2 switch or an L3 switch?
If it is L2, then disable ip routing and use the default gateway you have already configured.
If it is L3, then remove the default gateway and add a default route using the same next-hop IP, e.g.
ip route 0.0.0.0 0.0.0.0 10.10.60.1
Jon
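Added example (not part of Jon's reply or the original poster's configuration): the two variants Jon describes, written out for the addresses in the question. The /24 mask, the next hop 10.10.60.1 as the VLAN 60 gateway and the vty lines are assumptions. The behaviour the example relies on is standard IOS: ip default-gateway is honoured only while ip routing is disabled, so a switch that has routing enabled silently ignores it and needs a static default route instead, which matches the symptom of management access disappearing once the old VLAN 10 interface (and whatever connected route it provided) was removed.

```cisco
! ---- Option A: pure Layer 2 switch ----
! ip default-gateway is only used when IP routing is off.
no ip routing
interface Vlan60
 description Management (assumed mask /24)
 ip address 10.10.60.10 255.255.255.0
 no shutdown
ip default-gateway 10.10.60.1
!
! ---- Option B: Layer 3 switch ----
! With ip routing on, ip default-gateway is ignored; use a default route.
ip routing
no ip default-gateway
interface Vlan60
 description Management (assumed mask /24)
 ip address 10.10.60.10 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.60.1
!
! ---- Either way: keep the management plane on SSH only ----
line vty 0 15
 transport input ssh
!
! Checks (exec mode): in Option B "show ip route" should list
! "Gateway of last resort is 10.10.60.1"; in Option A
! "show running-config | include ip routing|default-gateway" should show
! "no ip routing" together with the default-gateway line.
```

Apply only one of the two options; leaving both ip default-gateway and ip routing configured is exactly the combination where the gateway line looks present but does nothing.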

Similar Messages

  • Query: Best practice SAN switch (network) access control rules?

    Dear SAN experts,
    Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
    I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
    Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
    In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
    For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
    These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
    So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
Regards,
Will.

    Hi William,
That's a pretty wide net you're casting there, but I'll do my best to give you some insight in the matter.
Speaking pure Fibre Channel, your only real way of controlling which nodes can access which other nodes is Zones.
For zones there are a few best practices:
* Default Zone: Don't use it, unless you're running FICON.
* Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other, which at best will give you a performance hit, at worst will bring down your systems.
* Don't mix zoning types: You can zone on WWN, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN zoning. Don't use different types of these in one zone.
* Device alias zoning is definitely recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing HBAs a heck of a lot less painful in your fabric.
* LUN zoning is being deprecated, so avoid it. You can achieve the same effect on any modern array by doing LUN masking.
* Read-Only exists, but again any modern array should be able to make a LUN read-only.
* QoS on Zoning: Isn't really an ACL method, more of a congestion control.
VSANs are a way to separate your physical fabric into several logical fabrics. There's one huge distinction from VLANs: as a rule of thumb, you should put things that you want to talk to each other in the same VSAN. There's no such concept as a broadcast domain in FC the way it exists in Ethernet, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other. A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between the DCs, and use IVR to give management hosts inband access to all arrays.
When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
Traditional IP ACLs (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to Ethernet interfaces in your storage switch).
They are quite logical to use and work just the same on an MDS as on a traditional Ethernet switch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
To protect your SAN from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
That's a very brief summary of the most important access-control-related best practices that come to mind. If any of this isn't clear to you or you require more detail, let me know. HTH!
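Added example (constructed for this page, not from the reply above or from any Cisco document): an MDS NX-OS zoning fragment that follows the first four points of the answer, i.e. enhanced zoning, device-alias members only, a single-initiator zone, and the default zone left denied. The VSAN number, alias names and pWWNs are made-up placeholders.

```cisco
! Constructed example: VSAN 10, enhanced zoning, device-alias based zone members.
! All pWWNs are placeholders, not real devices.
device-alias mode enhanced
device-alias database
  device-alias name HOST01_HBA0 pwwn 21:00:00:24:ff:00:00:01
  device-alias name ARRAY_A_SP1 pwwn 50:06:01:60:00:00:00:11
  device-alias name ARRAY_B_SP1 pwwn 50:06:01:60:00:00:00:21
device-alias commit
!
! Enhanced zoning gives a fabric-wide lock and an explicit commit step.
zone mode enhanced vsan 10
! Default zone stays deny (the reply's "don't use it"); made explicit here.
no zone default-zone permit vsan 10
!
! Single-initiator zone: one HBA, several targets, one member type (device-alias).
! Anti-pattern this avoids: a second initiator in the same zone, or mixing
! "member pwwn ..." / "member interface ..." with device-alias members.
zone name Z_HOST01_HBA0 vsan 10
  member device-alias HOST01_HBA0
  member device-alias ARRAY_A_SP1
  member device-alias ARRAY_B_SP1
!
zoneset name ZS_VSAN10 vsan 10
  member Z_HOST01_HBA0
zoneset activate name ZS_VSAN10 vsan 10
zone commit vsan 10
!
! Checks: "show zoneset active vsan 10" lists the zone with its resolved pWWNs;
! "show zone status vsan 10" shows mode enhanced and default zone deny.
```

When the host's HBA is replaced, only the pwwn in the device-alias entry changes and the zone definition stays as it is, which is the operational benefit the reply refers to.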

• Router Management Access when interface is down

    Hi,
    Please see the topology attached.
We have a customer network with a number of routers/switches. We have a management network to manage devices via telnet/SSH.
On switches we have a VLAN interface for switch management, while on routers we have sub-interfaces (802.1Q trunk, with encapsulation) connected back to the switch for the management.
Problem:
The customer has asked us to give them access to the routers/switches; we have given them telnet/SSH access via the management network. To access the router remotely the customer SSHes to the router (the sub-interface IP address F0/0.10 on the router), but when the router interface Fa0/0.10 is down (because the switch at the remote end is down), the customer cannot telnet/SSH to the router.
How can I allow the customer to keep accessing the router while the sub-interface on the router (which they are telneting to) is down? I am happy to change the router config, but not sure which bits.
I can't create a loopback interface and assign it an IP address from the management network, as the router sub-interface F0/0.10 already has an IP address from that subnet and the router gives an overlapping mask error message.
I created a new loopback interface on the router, gave it the same IP as F0/0.10 and configured F0/0.10 as IP unnumbered Loopback 0; it's not working for me either.
Can I somehow configure the router to respond to telnet/SSH when the sub-interface is down? I am happy to move the addresses, create new interfaces, change routing etc., but I can't change the network subnet that is already assigned to the customer.
Please see the topology attached.
Any ideas from anyone?
    Regards

    Thanks for your responses.
I don't want to allocate a new subnet with /32 for the management, as it will require many changes in the network such as firewalls etc.
There will be a single switch connected to the router physical interface F0/0, but there will be multiple switches hanging off the first switch (all switches in VLAN 10, including router sub-interface F0/0.10).
The customer will require access to both the switch(es) and the router. The customer understands that if the first switch (that physically connects to the router interface F0/0) fails, access to all other switches will also fail, which is acceptable. At this point we must have access to the router regardless of having lost access to the switch.
The customer wants the router to be accessible even if the switch(es) are down, as at that point the router is fine and is still connected to the WAN network. The customer will lose access to the switch(es) but should not lose router access.
We have different IP subnets (VRFs) for the customer data network (LAN) and the router management, so I can't assign the router management IP address from the customer LAN subnet.
Forgot to mention that we have three VRFs on the router (VRF-lite / multi-VRF): one for the customer data network, one for router management, one for switch(es) management.
Fa0/0.10 is in the switch management VRF, while router Loopback 0 is in the router VRF.
We have to maintain the VRFs to keep router and switch management traffic separate.
The router is always accessible to us (not to the customer) via the router VRF, hence it's still available even if the router LAN management interface F0/0 is down.
The customer loses access to both the router and switch(es) if F0/0 is down.
The only option I can see would be to allocate a new subnet for customer router management, assign this to a new loopback and put it under the switch management VRF.
    Regards

• SG300 - How to block management access

Hello and thanks in advance for your help.
I have an SG300 switch working in layer 3 mode.
I created 3 VLANs and the inter-VLAN communication is working fine. I want to know how to block access to switch management from the VLANs.
One of the VLANs is allowed to access the switch but not the other VLANs.
What is the best way to implement this? With an ACL or with Management Access Method, creating an access profile?
Thanks again!

Hi Angel,
Access lists work on packets traversing through the switch.
Try the following method to restrict access to the management interface.
Have a look at the GUI section on Security > Mgmt Access Method > Profile rules and see which methods or restrictions better suit your needs.
Regards, Dave

  • Changing switch management from default Vlan1

I'm in the process of changing some access layer switches and the distribution switch away from the default VLAN 1 for switch management. I'm a little unclear on the native VLAN information. If I change the management VLAN to, let's say, 299, do I need to change the trunk ports to reflect a native VLAN of 299?

Not necessarily. Just make sure you allow the new VLAN on the trunk.

  • Managing "Access Levels" on a domain level from Lync 2010 client

    Hello,
    Our company moved from Office Communicator 2007 R2 clients to Lync 2010 clients.
    Previously in Office Communicator 2007 R2 client, it was possible to set default Access Levels for complete domains (instead of individual users only), using the Access Level Management view.
In Lync 2010 this option seems to be missing. The management options per user are still there (by right-clicking a user), but the access to manage it for a domain is no longer visible.
Is there any way to manage Access Levels for domains, in a similar way to what we had in Communicator 2007? It appears that Lync 2010 still uses the Access Levels set previously for domains, but users no longer have any possibility to make further updates, and are stuck (from their perspective at least) with the settings made in 2007.
    Thanks.

    Lync 2010 doesn’t have the feature natively.
    With Lync Server 2010, by default, the contacts from federated domains are added as External Contacts.
    Lisa Zheng
    TechNet Community Support

  • Security Manager/Access problem

    (WWC-00000)
    An unexpected error has occurred in portlet instances: wwpob_api_portlet_inst.create_inst (WWC-44846)
    The following error occurred during the call to Web provider: java.lang.NullPointerException
    at oracle.portal.provider.v2.security.URLSecurityManager.hasAccess(Unknown Source)
    at oracle.portal.provider.v2.DefaultPortletDefinition.hasAccess(Unknown Source)
    at oracle.portal.provider.v2.ProviderInstance.getPortletDefinition(Unknown Source)
    at oracle.portal.provider.v2.ProviderInstance.getPortletInstance(Unknown Source)
    at oracle.portal.provider.v2.ProviderInstance.getPortletInstance(Unknown Source)
    at oracle.webdb.provider.v2.adapter.soapV1.ProviderAdapter.registerPortlet(Unknown Source)
    at java.lang.reflect.Method.invoke(Native Method)
    at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.doMethodCall(Unknown Source)
    at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.processInternal(Unknown Source)
    at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.process(Unknown Source)
    at oracle.webdb.provider.v2.adapter.SOAPServlet.doSOAPCall(Unknown Source)
    at oracle.webdb.provider.v2.adapter.SOAPServlet.service(Unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
    at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
    at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:283)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
    at com.evermind.util.ThreadPoolThread.run(ThreadPoolThread.java:64)
    (WWC-43147)
    Removing the provider.xml security manager setting will do away with this problem.
    Versions being used: Portal 9.0.2 and PDK september.

I have checked with the PDK September samples related to Security Manager/Access and they are working fine. Please let us know which PDK sample gives this error.

  • Can we add users to the 'Manage Access Request' field to process site access request in SharePoint Online?

    Hi,
I have a requirement in which I have to assign a couple of email IDs to the "Manage Access Request" field to process site access requests. This is possible using the server object model, but I have to achieve this on SharePoint Online with the help of CSOM.
There are two properties which control the access request configuration. The first is "RequestAccessEnabled", a Boolean flag which turns the access request feature for the site on or off. The second property defines one or more email addresses where requests will be sent to; it is named "RequestAccessEmail".
Both of the above properties are available for the server object model but not for CSOM.
So, is there any other workaround or way to achieve the same in CSOM?
    Thanks,

I don't think there is a programmatic workaround for SharePoint Online. But the email address is just used for notification. Anyone with Manage Permissions can approve Access Requests. If you create an email distribution list for the multiple addresses that should be notified, you should be able to add the email address for the distribution list into the Access request email field using the user interface.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • VRF , Management access only and default gateway

    Hello
I am preparing (3) new devices to become my new WAN. The topology looks like:
ASR1002x - Has management int and DG for remote access.
            Also has DG to WAN ISP via BGP.
3750x stack - Has management int and DG for remote access. (ip vrf management 0.0.0.0 0.0.0.0 (Management vlan hsrp ip))
            Also has DG to ASR HSRP - which causes the management access to drop.
ASA5545x - Has management int and DG for remote access.
            Also has DG to ASR HSRP - which causes the management access to drop.
I MUST KEEP THESE NEW DEVICES OFF THE PRODUCTION NETWORK TO AVOID ANY POSSIBLE ROUTING ISSUES.
I have implemented unique EIGRP instances between the new devices.
These new devices have a management interface so I can access them remotely. I configured the default gateway pointing to the HSRP of the management VLAN and I have remote access.
Obviously I cannot have (2) default gateways out different interfaces without assigning one a higher admin.
What should my management default gateway look like so I can have remote access to the device and still have the WAN/LAN routing work as needed?

Found another thread with some suggestions, maybe it helps at the moment.
http://forums.lenovo.com/lnv/board/message?board.id=Special_Interest_Utilities&thread.id=6000

• URGENT: Manage access rights on pdf document using Acrobat JavaScript

    Hi everybody,
I have PDF documents on my website, and I want to manage access rights on those documents: some users have the right to print and save the document and others not.
So I'd like to know if it is possible to do it using Acrobat JavaScript, and how I can do it. If you have any example script or document it will be very helpful for me; I've been looking for that for two weeks already!!
    Thx

    Hi
I'm not shouting!! I wish I could find the answer somewhere, then I'd not post my message. Plz, if you have some answer that you think will help me then tell me and I'll be thankful, and if you don't have any useful answer then PLZ forbear and I'll be thankful too.

  • 3524-XL w/GBIC Visual Switch Manager

I have a Cisco 3524-XL switch with the 12.0(5)XU Enterprise Edition OS.
I've been using the Java-based Visual Switch Manager to manage it, no problems.
I added a 1000BaseT GBIC, and everything works mechanically and through telnet; I can manage the switch. Everything works.
But now when I try to use the Visual Switch Manager, I get the following Java error:
"Visual Switch Manager has detected a change in the device's hardware configuration and needs to redraw the device." I say OK, and it comes back again, and again, etc. The running config has been saved and rebooting does not help. Tried a couple of versions of Java (Sun's). Currently using 1.4.2_07.
    Any suggestions?

Try upgrading the image of the switch, and also run the latest Java plug-in software. This should help.

  • Switch Management

    Hey Folks,
There seem to be two schools of thought when it comes to switch management. From what I've read, two different approaches seem to be recommended. The first is to create a switch management VLAN and trunk it to all the switches. The second is to create a loopback address and distribute it via an IGP.
    Any advantages or disadvantages? Which one do you use and why?
    Thanks,
    SM

The two approaches are two different kinds of design. One is an L2 VLAN separating the segment and one is L2 w/ an individual NM segment.
What I suggest is to combine both designs: use a separate VLAN with a loopback address dedicated to the NM traffic. The reason is that at L2 it can separate the NM traffic from the production traffic, and at L3 you can easily observe the NM hosts by the different subnet of the loopback addresses.
However, if there is a WAN link that cannot carry VLAN traffic, then you have to use the second approach on the WAN link.
And if it is an L2-only switch, then you have to create an NM VLAN and associate the loopback address with this VLAN for NM.
Please feel free to comment and discuss.
Hope this helps.

  • Manage Access to Named Credentials via EMCLI

    Hi Colleagues,
Does anyone know how to manage access to Named Credentials via EMCLI, or does anyone know if this function exists in EMCLI?
    We want to configure the access via scripts, so that we can for example grant access for all database administrators to all named credentials.
    I would be very pleased if anyone has a solution.
    Thanks in advance!
    Best regards,
    Sönke

    Hi,
    Use the verb grant_privs to grant a user access to a named credential.
    For example:
    emcli grant_privs -name=MARY  -privilege="GET_CREDENTIAL;CRED_NAME=HOST-CREDS:CRED_OWNER=SCOTT"
...grants the user MARY view privileges on the credentials called HOST-CREDS owned by SCOTT.
View privileges will allow Mary to use the credentials but will not allow her to see sensitive information such as the password.
Check out the security doc for more information on named credentials:
    http://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_features.htm#CJAHBADG
    Other privileges you can grant to credentials are FULL_CREDENTIAL and EDIT_CREDENTIAL.
    Check out the EMCLI reference guide for more details on grant_privs verb:
    http://docs.oracle.com/cd/E24628_01/em.121/e17786/cli_verb_ref.htm#autoId186
    Regards,
    Ana

  • WRT610N Remote Management Access disabled and yet I could access??!

Hi,
I have the WRT610N, latest firmware (.10, early 2009). I noticed something when I accessed my FTP from work.
I used the IP address and the "folder" to see my files in a web browser (like 82.2.2.2/MyftpFolder).
But when I typed the IP only, I could see the router config page, despite the fact that I disabled it in "remote management access"...
Has anyone else seen the same problem?
My FTP user is "admin", or I gave it all rights and access, by the way!

    Hi,
    I just had the same happen to me.
I have a WRT54GL and I connect to my Exchange server daily through Outlook Web Access. Today when I came to work I couldn't connect. I tried my domain to see if the default website was down also and to my horror ended up in the router management GUI. This has never happened before; I have the router redirecting all port 80 traffic to my web server. And since I had disabled remote access to the router I never changed the password, so the door was wide open. I will contact Linksys about this because as far as I understand it's either a serious bug or I've been hacked.
    wrt610nOWNER wrote:
Hm, thanks!
The "problem" was that I was at work when I noticed that and my router is at home... so when I typed my WAN IP (82.2.2.2) I saw the GUI.
Nope, I did not try from another computer, either inside my LAN at home or from a WAN IP, as I have no more job and no access elsewhere...
So I cannot reproduce what I saw until I get an outside connection! I was just wondering if anyone else encountered the same.

  • Oracle Drive & Managing access right

I wonder if it's possible to manage access rights for other OID users or groups via ODrive?

There is an 'Advanced Properties' option in the right-click menu that will launch a dialog that allows you to set security and manage metadata of documents, and allows you to set policies (versioning, metadata, workflow etc.) and set the security of folders.
Hope that helps,
    -sancho
