Remote Access Control
1. Function Overview
This product lets you restrict access to the following applications that implement network services.

- TELNET server
- SSH server
- HTTP server / HTTPS server
- TFTP server
- SNMP server
3. Function Details
The following four functions are provided to limit access to network services.

- Control whether the service in question runs in the background on the system (start/stop control)
- Change the reception port number
- Limit the access destinations (VLAN interfaces) for services currently running
- Limit the source IP addresses that can access services currently running
The functions available for each network service are shown in the table below.

Network service access control

| Network service | Start/stop control | Change reception port number | Access destination restriction | Access source restriction |
|---|---|---|---|---|
| TELNET server | Yes | Yes | Yes | Yes |
| SSH server | Yes | Yes | Yes | Yes |
| HTTP server / HTTPS server | Yes | Yes | Yes | Yes |
| TFTP server | Yes | Yes | Yes | No |
| SNMP server | No (always running) | No (always 161) | No | Yes |
- Multiple instances of a network service cannot be started. If start control is applied to a service that is already running, the service restarts; consequently, any connected sessions are disconnected.
- Limiting access destinations for network services is done per VLAN interface.
- Sources permitted to access network services can be restricted by specifying source IP addresses together with permit/deny settings.
- The default settings for the network services are shown in the table below.

| Network service | Start/stop status | Reception port number | Access destination restriction | Access source restriction |
|---|---|---|---|---|
| TELNET server | run | 23 | Only default maintenance VLAN (VLAN #1) permitted | Allow all |
| SSH server | stop | 22 | Only default maintenance VLAN (VLAN #1) permitted | Allow all |
| HTTP server | run | 80 | Only default maintenance VLAN (VLAN #1) permitted | Allow all |
| HTTPS server | stop | 443 | | |
| TFTP server | stop | 69 | Only default maintenance VLAN (VLAN #1) permitted | Allow all |
| SNMP server | run | 161 | Allow all | Allow all |
4. Related Commands
Related commands are indicated below. For details, refer to the Command Reference.

| Network service | Operations | Operating commands |
|---|---|---|
| Common | Maintenance VLAN | management interface |
| TELNET server | Start/stop | telnet-server |
| | Change reception port number | telnet-server enable (use argument to specify port number) |
| | Access control | telnet-server interface |
| | IP address access control | telnet-server access |
| | Show settings | show telnet-server |
| SSH server | Start/stop | ssh-server |
| | Change reception port number | ssh-server enable (use argument to specify port number) |
| | Access control | ssh-server interface |
| | IP address access control | ssh-server access |
| | Check whether client is alive | ssh-server client alive |
| | Show settings | show ssh-server |
| | Generate host key | ssh-server host key generate |
| | Clear host key | clear ssh-server host key |
| | Show public key | show ssh-server host key |
| HTTP server | Start/stop HTTP server | http-server |
| | Change HTTP server's reception port number | http-server enable (use argument to specify port number) |
| | Start/stop HTTPS server | http-server secure |
| | Change HTTPS server's reception port number | http-server secure enable (use argument to specify port number) |
| | Access control | http-server interface |
| | IP address access control | http-server access |
| | Show settings | show http-server |
| TFTP server | Start/stop | tftp-server |
| | Access control | tftp-server interface |
| SNMP server | Access control by IP address and community name | snmp-server access |
5. Examples of Command Execution
5.1. TELNET server access control
This example restricts access to the TELNET server.

- Change the TELNET server's reception port to 1024.
- Change the maintenance VLAN to VLAN #1000 and allow access from it. Access from any VLAN other than the maintenance VLAN is denied.
- Allow connections to the TELNET server only from the client 192.168.100.1. Once telnet-server access is specified, access from IP addresses that do not match the conditions is denied.

```
Yamaha(config)#telnet-server enable 1024 (1)
Yamaha(config)#management interface vlan1000 (2)
Yamaha(config)#telnet-server access permit 192.168.100.1 (3)
Yamaha(config)#end
Yamaha#show telnet-server (4)
Service:Enable
Port:1024
Management interface(vlan):1000
Interface(vlan):None
Access:
permit 192.168.100.1
```

| No. | Description |
|---|---|
| (1) | Change the reception port to 1024 and restart the TELNET server |
| (2) | Allow access from VLAN #1000 as the maintenance VLAN |
| (3) | Allow access only from 192.168.100.1 |
| (4) | Check the settings |
5.2. SSH server access control
This example restricts access to the SSH server.

- Generate the SSH server host key.
- Register a user name and password. Login from an SSH client is possible only with a registered user name and password.
- Change the SSH server's reception port to 1024.
- Change the maintenance VLAN to VLAN #1000 and permit access from VLAN #2. Consequently, access is permitted only from the maintenance VLAN (VLAN #1000) and from VLAN #2. Once ssh-server access is specified, access from IP addresses that do not match the conditions is denied.

```
Yamaha#ssh-server host key generate (1)
Yamaha#show ssh-server host key (2)
ssh-dss
(Omitted)
ssh-rsa
(Omitted)
Yamaha#
Yamaha#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Yamaha(config)#username user1 password pw1 (3)
Yamaha(config)#ssh-server enable 1024 (4)
Yamaha(config)#management interface vlan1000 (5)
Yamaha(config)#ssh-server interface vlan2 (6)
Yamaha(config)#end
Yamaha#show ssh-server (7)
Service:Enable
Port:1024
Hostkey:Generated
Client alive :Disable
Management interface(vlan):1000
Interface(vlan):2
Access:None
Yamaha#
```

| No. | Description |
|---|---|
| (1) | Create a host key |
| (2) | Check the contents of the key |
| (3) | Register a user name and password |
| (4) | Change the reception port to 1024 and restart the SSH server |
| (5) | Allow access from VLAN #1000 as the maintenance VLAN |
| (6) | Allow access from VLAN #2 |
| (7) | Check the settings |
5.3. HTTP server access restrictions
This example restricts access to the HTTP server.

- Change the HTTP server's reception port to 8000 and permit access from VLAN #2. Access is then permitted only from the default maintenance VLAN (VLAN #1) and from VLAN #2.
- Allow connections to the HTTP server only from the client 192.168.100.1. Once http-server access is specified, access from IP addresses that do not match the conditions is denied.

```
Yamaha(config)#http-server enable 8000 (1)
Yamaha(config)#http-server interface vlan2 (2)
Yamaha(config)#http-server access permit 192.168.100.1 (3)
Yamaha(config)#end
Yamaha#show http-server (4)
HTTP :Enable(8000)
HTTPS:Disable
Management interface(vlan):1
Interface(vlan):2
Access:
permit 192.168.100.1
```

| No. | Description |
|---|---|
| (1) | Change the reception port to 8000 and restart the HTTP server |
| (2) | Allow access from VLAN #2 |
| (3) | Allow access only from 192.168.100.1 |
| (4) | Check the settings |
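The `show telnet-server`, `show ssh-server` and `show http-server` output in 5.1 to 5.3 is what an auditor reads back after configuration. The following is an added example, not Yamaha's own tooling: it parses that key:value output plus the permit/deny lines and flags the settings a reviewer would question (TELNET left enabled, HTTP without HTTPS, `Access:None` meaning every source IP is allowed, and extra VLANs beyond the maintenance VLAN). The sample outputs are constructed from this page's examples; the audit rules are the example's own choices, not device behaviour.

```python
import re

# Constructed from the show output in sections 5.1 to 5.3 of this page.
TELNET_OUT = "Service:Enable\nPort:1024\nManagement interface(vlan):1000\n" \
             "Interface(vlan):None\nAccess:\npermit 192.168.100.1"
SSH_OUT = "Service:Enable\nPort:1024\nHostkey:Generated\nClient alive :Disable\n" \
          "Management interface(vlan):1000\nInterface(vlan):2\nAccess:None"
HTTP_OUT = "HTTP :Enable(8000)\nHTTPS:Disable\nManagement interface(vlan):1\n" \
           "Interface(vlan):2\nAccess:\npermit 192.168.100.1"

RULE_RE = re.compile(r"^(permit|deny)\s+(\S+)$")


def parse_show(text):
    """Split show output into {key: value} settings plus (action, source) rules."""
    settings, rules = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
        else:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings, rules


def is_enabled(settings):
    """Service:Enable for TELNET/SSH; HTTP :Enable(port) or HTTPS:Enable for HTTP."""
    return any(settings.get(k, "").startswith("Enable") for k in ("Service", "HTTP", "HTTPS"))


def audit(service, text):
    """Return review findings for one service; an empty list means nothing to flag."""
    settings, rules = parse_show(text)
    findings = []
    if not is_enabled(settings):
        return findings                      # a stopped service exposes nothing
    if service == "telnet":
        findings.append("TELNET enabled: credentials cross the network in cleartext")
    if settings.get("HTTP", "").startswith("Enable") and settings.get("HTTPS") == "Disable":
        findings.append("HTTP enabled without HTTPS")
    if not rules:                            # Access:None = every source IP allowed
        findings.append("no source IP restriction (Access:None)")
    extra = settings.get("Interface(vlan)", "None")
    if extra != "None":                      # VLANs reachable besides the maintenance VLAN
        findings.append("reachable from VLAN %s besides maintenance VLAN %s"
                        % (extra, settings.get("Management interface(vlan)")))
    return findings


if __name__ == "__main__":
    for name, out in (("telnet", TELNET_OUT), ("ssh", SSH_OUT), ("http", HTTP_OUT)):
        print(name, audit(name, out) or ["ok"])
```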
5.4. TFTP server access restrictions
This example restricts access to the TFTP server.

- Change the TFTP server's reception port to 2048 and permit access from VLAN #10. Access is then permitted only from the default maintenance VLAN (VLAN #1) and from VLAN #10.

```
Yamaha(config)#tftp-server enable 2048 (1)
Yamaha(config)#tftp-server interface vlan10 (2)
```

| No. | Description |
|---|---|
| (1) | Change the reception port to 2048 and restart the TFTP server |
| (2) | Allow access from VLAN #10 |
5.5. SNMP server access restrictions
This example restricts access to the SNMP server.

- Access with the “public” community is restricted to clients in 192.168.100.0/24.
- Access with the “private” community is restricted to the client 192.168.100.1.

```
Yamaha(config)#snmp-server access permit 192.168.100.0/24 community public (1)
Yamaha(config)#snmp-server access permit 192.168.100.1 community private (2)
```

| No. | Description |
|---|---|
| (1) | The community name “public” allows access only from 192.168.100.0/24 |
| (2) | The community name “private” allows access only from 192.168.100.1 |
6. Points of Caution
If the default administrative user admin still has its default password (admin), the following restriction applies.

- The network switch cannot be accessed by TELNET, SSH, HTTP, or HTTPS from a network segment other than the maintenance VLAN.

The following restrictions apply when the TFTP server is accessed from a TFTP client.

- Access is denied if the privileged password (administrative password) is still set to the default. The privileged password (administrative password) must be changed in advance.
- If the primary and secondary IPv4 addresses of the VLAN being accessed are in the same segment, the IPv4 secondary address cannot be accessed.
- If the VLAN is accessed with an IPv6 address, only the IPv6 address specified last can be accessed. Because the internal addresses are reset when the network switch starts, this means only the last IPv6 address in the order they were configured can be accessed.
- Only the IP address of the VLAN with the closest route to the TFTP client can be accessed. For example, a TFTP client located on VLAN 1 cannot access the network switch's VLAN 2 IP addresses.