Remote Access Control

1. Function Overview

This product lets you restrict access to the following applications that implement network services.

  • TELNET server

  • SSH server

  • HTTP server / HTTPS server

  • TFTP server

  • SNMP server

3. Function Details

The following four functions are provided to limit access to network services.

  • Control whether the service runs in the background on the system (start/stop control)

  • Change the reception port number

  • Limit the access destinations (VLAN interfaces) through which a running service can be reached

  • Limit the source IP addresses that can access a running service

The table below shows which of these functions each network service supports.

  • Network service access control

    Network service            Start/stop control    Change reception port number   Access destination restriction   Access source restriction
    TELNET server              Yes                   Yes                            Yes                              Yes
    SSH server                 Yes                   Yes                            Yes                              Yes
    HTTP server / HTTPS server Yes                   Yes                            Yes                              Yes
    TFTP server                Yes                   Yes                            Yes                              No
    SNMP server                No (always running)   No (always 161)                No                               Yes

    1. Multiple instances of a network service cannot be started.
      If start control is applied to a service that is already running, the service restarts; consequently, any connected sessions are disconnected.

    2. Access destination restriction for network services is applied per VLAN interface.

    3. The sources permitted to access a network service can be restricted by specifying source IP addresses together with permit/deny settings.

    4. The default settings for the network services are shown in the table below.

      Network service   Start/stop status   Reception port number   Access destination restriction                     Access source restriction
      TELNET server     run                 23                      Only default maintenance VLAN (VLAN #1) permitted   Allow all
      SSH server        stop                22                      Only default maintenance VLAN (VLAN #1) permitted   Allow all
      HTTP server       run                 80                      Only default maintenance VLAN (VLAN #1) permitted   Allow all
      HTTPS server      stop                443                     (shared with HTTP server)                           (shared with HTTP server)
      TFTP server       stop                69                      Only default maintenance VLAN (VLAN #1) permitted   Allow all
      SNMP server       run                 161                     Allow all                                           Allow all
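The access source restriction described in note 3 and in the default settings table has a semantics worth making explicit: when no entries are configured ("Access:None" in the show output) every source is allowed, and as soon as any entry exists, sources matching no entry are denied. The following model of that logic is an added example, not Yamaha's code or the switch firmware; the page does not state how multiple permit/deny entries are ordered, so the first-match-wins evaluation and the rule/service class names are assumptions.

```python
"""Model of the network-service access source restriction described above.

Added example (not Yamaha's code). Assumptions not stated on the page:
rules are evaluated top to bottom and the first match decides; the
class and method names below are invented for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class AccessRule:
    action: str                       # "permit" or "deny"
    source: str                       # host address (192.168.100.1) or network (192.168.100.0/24)
    community: Optional[str] = None   # SNMP only: rule applies to this community name

    def matches(self, client_ip: str, community: Optional[str] = None) -> bool:
        """True when the client address (and, for SNMP, the community) fall under this rule."""
        if self.community is not None and self.community != community:
            return False
        # strict=False lets a bare host address be given without a /32 prefix.
        return ip_address(client_ip) in ip_network(self.source, strict=False)


@dataclass
class ServiceAccess:
    """Access source restriction for one service (TELNET, SSH, HTTP/HTTPS or SNMP)."""
    rules: List[AccessRule] = field(default_factory=list)

    def is_allowed(self, client_ip: str, community: Optional[str] = None) -> bool:
        # No entries configured ("Access:None"): every source is allowed.
        if not self.rules:
            return True
        # Assumption: first matching entry decides.
        for rule in self.rules:
            if rule.matches(client_ip, community):
                return rule.action == "permit"
        # Entries exist but none matched: access is denied (section 5 wording).
        return False


# Constructed rule sets mirroring the command examples in section 5.
telnet_access = ServiceAccess([AccessRule("permit", "192.168.100.1")])
snmp_access = ServiceAccess([
    AccessRule("permit", "192.168.100.0/24", community="public"),
    AccessRule("permit", "192.168.100.1", community="private"),
])
# A deny entry placed before a broader permit excludes one host from a permitted subnet.
mixed_access = ServiceAccess([
    AccessRule("deny", "192.168.100.200"),
    AccessRule("permit", "192.168.100.0/24"),
])

if __name__ == "__main__":
    print("telnet 192.168.100.1 ->", telnet_access.is_allowed("192.168.100.1"))
    print("telnet 192.168.100.2 ->", telnet_access.is_allowed("192.168.100.2"))
    print("snmp   192.168.100.77 public  ->", snmp_access.is_allowed("192.168.100.77", "public"))
    print("snmp   192.168.100.77 private ->", snmp_access.is_allowed("192.168.100.77", "private"))
    print("mixed  192.168.100.200 ->", mixed_access.is_allowed("192.168.100.200"))
```

The point to take from the model is that a single `permit` entry flips the service from "allow all" to "deny everything else", so an operator who adds one management host and forgets a second one has locked that host out rather than left it open.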

4. Related Commands

Related commands are indicated below.
For details, refer to the Command Reference.

Network service   Operation                                    Command
Common            Maintenance VLAN                             management interface
TELNET server     Start/stop                                   telnet-server
                  Change reception port number                 telnet-server enable (specify the port number as an argument)
                  Access control                               telnet-server interface
                  IP address access control                    telnet-server access
                  Show settings                                show telnet-server
SSH server        Start/stop                                   ssh-server
                  Change reception port number                 ssh-server enable (specify the port number as an argument)
                  Access control                               ssh-server interface
                  IP address access control                    ssh-server access
                  Check whether client is alive                ssh-server client alive
                  Show settings                                show ssh-server
                  Generate host key                            ssh-server host key generate
                  Clear host key                               clear ssh-server host key
                  Show public key                              show ssh-server host key
HTTP server       Start/stop HTTP server                       http-server
                  Change HTTP server's reception port number   http-server enable (specify the port number as an argument)
                  Start/stop HTTPS server                      http-server secure
                  Change HTTPS server's reception port number  http-server secure enable (specify the port number as an argument)
                  Access control                               http-server interface
                  IP address access control                    http-server access
                  Show settings                                show http-server
TFTP server       Start/stop                                   tftp-server
                  Access control                               tftp-server interface
SNMP server       Access control by IP address and community   snmp-server access
                  name

5. Examples of Command Execution

5.1. TELNET server access control

This example restricts access to the TELNET server.
The TELNET server's reception port is changed to 1024.
The maintenance VLAN is changed to VLAN #1000 and access from it is allowed; access from any VLAN other than the maintenance VLAN is denied.
Connection to the TELNET server is allowed only for clients at 192.168.100.1.
Once telnet-server access is specified, access from IP addresses that do not meet the conditions is denied.

Yamaha(config)#telnet-server enable 1024 (1)
Yamaha(config)#management interface vlan1000 (2)
Yamaha(config)#telnet-server access permit 192.168.100.1 (3)
Yamaha(config)#end
Yamaha#show telnet-server (4)
Service:Enable
Port:1024
Management interface(vlan):1000
Interface(vlan):None
Access:
    permit 192.168.100.1
(1) Change the reception port to 1024 and restart the TELNET server
(2) Allow access from VLAN #1000 as the maintenance VLAN
(3) Allow access only from 192.168.100.1
(4) Check the settings

5.2. SSH server access control

This example restricts access to the SSH server.
The SSH server host key is generated.
A user name and password are registered; login from an SSH client is possible only with a registered user name and password.
The SSH server's reception port is changed to 1024.
The maintenance VLAN is changed to VLAN #1000 and access from VLAN #2 is also permitted.
Consequently, access is permitted only from the maintenance VLAN (VLAN #1000) and from VLAN #2.
Once ssh-server access is specified, access from IP addresses that do not meet the conditions is denied.

Yamaha#ssh-server host key generate (1)
Yamaha#show ssh-server host key (2)
ssh-dss (Omitted)
ssh-rsa (Omitted)
Yamaha#
Yamaha#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Yamaha(config)#username user1 password pw1 (3)
Yamaha(config)#ssh-server enable 1024 (4)
Yamaha(config)#management interface vlan1000 (5)
Yamaha(config)#ssh-server interface vlan2 (6)
Yamaha(config)#end
Yamaha#show ssh-server (7)
Service:Enable
Port:1024
Hostkey:Generated
Client alive :Disable
Management interface(vlan):1000
Interface(vlan):2
Access:None
Yamaha#
(1) Create a host key
(2) Check the contents of the key
(3) Register a user name and password
(4) Change the reception port to 1024 and restart the SSH server
(5) Allow access from VLAN #1000 as the maintenance VLAN
(6) Allow access from VLAN #2
(7) Check the settings

5.3. HTTP server access restrictions

This example restricts access to the HTTP server.
The HTTP server's reception port is changed to 8000 and access from VLAN #2 is permitted.
Access is then permitted only from the default maintenance VLAN (VLAN #1) and from VLAN #2.
Connection to the HTTP server is allowed only for clients at 192.168.100.1.
Once http-server access is specified, access from IP addresses that do not meet the conditions is denied.

Yamaha(config)#http-server enable 8000 (1)
Yamaha(config)#http-server interface vlan2 (2)
Yamaha(config)#http-server access permit 192.168.100.1 (3)
Yamaha(config)#end
Yamaha#show http-server (4)
HTTP :Enable(8000)
HTTPS:Disable
Management interface(vlan):1
Interface(vlan):2
Access:
    permit 192.168.100.1
(1) Change the reception port to 8000 and restart the HTTP server
(2) Allow access from VLAN #2
(3) Allow access only from 192.168.100.1
(4) Check the settings

5.4. TFTP server access restrictions

This example restricts access to the TFTP server.
The TFTP server's reception port is changed to 2048 and access from VLAN #10 is permitted.
Access is then permitted only from the default maintenance VLAN (VLAN #1) and from VLAN #10.

Yamaha(config)#tftp-server enable 2048 (1)
Yamaha(config)#tftp-server interface vlan10 (2)
(1) Change the reception port to 2048 and restart the TFTP server
(2) Allow access from VLAN #10

5.5. SNMP server access restrictions

This example restricts access to the SNMP server.
Access with the "public" community is restricted to clients in 192.168.100.0/24.
In addition, access with the "private" community is restricted to the client at 192.168.100.1.

Yamaha(config)#snmp-server access permit 192.168.100.0/24 community public (1)
Yamaha(config)#snmp-server access permit 192.168.100.1 community private (2)
(1) The community name "public" allows access only from 192.168.100.0/24
(2) The community name "private" allows access only from 192.168.100.1
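The show outputs in 5.1 to 5.3 are the place an operator verifies the resulting exposure, so it is worth being able to read them mechanically. The script below is an added example, not Yamaha's code: it parses the exact "Key:Value" layouts reproduced on this page (including the "HTTP :Enable(8000)" form and the indented entries under "Access:") and reports the posture points this section makes, namely a cleartext protocol left enabled, "Access:None" meaning any source may connect, and an extra VLAN interface opened beyond the maintenance VLAN. The sample outputs are copied from the examples above; the function names and finding wording are the example's own.

```python
"""Audit `show telnet-server` / `show ssh-server` / `show http-server` output.

Added example (not Yamaha's code). It only understands the output layouts
shown in section 5 of this page; function names are invented here.
"""
import re
from typing import Dict, List, Union

# Constructed from the show outputs in examples 5.1, 5.2 and 5.3.
SHOW_TELNET = """Service:Enable
Port:1024
Management interface(vlan):1000
Interface(vlan):None
Access:
    permit 192.168.100.1
"""

SHOW_SSH = """Service:Enable
Port:1024
Hostkey:Generated
Client alive :Disable
Management interface(vlan):1000
Interface(vlan):2
Access:None
"""

SHOW_HTTP = """HTTP :Enable(8000)
HTTPS:Disable
Management interface(vlan):1
Interface(vlan):2
Access:
    permit 192.168.100.1
"""


def parse_show(output: str) -> Dict[str, Union[str, List[str]]]:
    """Turn 'Key:Value' lines into a dict; indented lines under 'Access:' become a list."""
    fields: Dict[str, Union[str, List[str]]] = {}
    rules: List[str] = []
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            rules.append(line.strip())        # e.g. "permit 192.168.100.1"
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()   # "Client alive :Disable" -> "Client alive"
    # "Access:None" means no source restriction; an empty value means entries follow.
    fields["Access"] = [] if fields.get("Access") == "None" else rules
    return fields


def audit(service: str, output: str) -> List[str]:
    """Return posture findings for one service ('telnet', 'ssh' or 'http')."""
    f = parse_show(output)
    findings: List[str] = []
    if service == "http":
        # HTTP and HTTPS state is reported as "Enable(<port>)" or "Disable".
        http_on = bool(re.match(r"Enable", str(f.get("HTTP", ""))))
        https_on = bool(re.match(r"Enable", str(f.get("HTTPS", ""))))
        enabled = http_on or https_on
        if http_on and not https_on:
            findings.append("http: cleartext HTTP enabled while HTTPS is disabled")
    else:
        enabled = f.get("Service") == "Enable"
        if service == "telnet" and enabled:
            findings.append("telnet: cleartext management protocol enabled")
    if enabled and f["Access"] == []:
        findings.append(f"{service}: Access:None, any source IP may connect")
    vlan = f.get("Interface(vlan)", "None")
    if enabled and vlan != "None":
        findings.append(f"{service}: reachable from VLAN {vlan} in addition to the maintenance VLAN")
    return findings


if __name__ == "__main__":
    for name, text in (("telnet", SHOW_TELNET), ("ssh", SHOW_SSH), ("http", SHOW_HTTP)):
        for finding in audit(name, text):
            print(finding)
```

Run against the three captured outputs, the script flags the TELNET example only for being TELNET, the SSH example for having no source restriction and a second VLAN, and the HTTP example for cleartext HTTP plus the second VLAN; the host-restricted Access lists of 5.1 and 5.3 produce no finding.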

6. Points of Caution

If the default administrative user admin still has its default password (admin), the following restriction applies.

  • Network switches cannot be accessed by TELNET, SSH, HTTP, or HTTPS from a network segment other than the maintenance VLAN.

The following restrictions apply if a TFTP server is accessed from a TFTP client.

  • Access is denied while the privileged password (administrative password) is still at its default setting. The privileged password must be changed in advance.

  • If the primary and secondary IPv4 addresses of the VLAN being accessed are in the same segment, the secondary address cannot be used for access.

  • When accessing the VLAN by IPv6 address, only the IPv6 address that was configured last can be used for access.
    Because the internal address list is rebuilt when the network switch starts, this is the last IPv6 address in the order in which they were configured.

  • Only the IP address of the VLAN that is closest to the TFTP client in routing terms can be accessed.
    For example, a TFTP client located on VLAN 1 cannot reach the network switch through its VLAN 2 IP addresses.