Defining authorized management stations

  • Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized managers feature. For more on this topic, see Configuring one station per Authorized manager IP entry.

  • Authorizing Multiple Stations: The table entry uses the IP Mask to authorize access to the switch from a defined group of stations. This is useful if you want to easily authorize several stations to have access to the switch without having to type in an entry for every station. All stations in the group defined by the one Authorized manager IP table entry and its associated IP mask will have the same access level—manager or operator. For more on this topic, see Configuring multiple stations per Authorized manager IP entry.

To configure the switch for authorized manager access, enter the appropriate Authorized manager IP value, specify an IP Mask, and select either manager or operator for the Access Level. The IP Mask determines how the Authorized manager IP value is used to allow or deny access to the switch by a management station.



NOTE: If the management VLAN is configured, access can only be on that VLAN.


Overview of IP mask operation

The default IP Mask is 255.255.255.255 and allows switch access only to a station having an IP address that is identical to the Authorized manager IP parameter value. ("255" in an octet of the mask means that only the exact value in the corresponding octet of the Authorized manager IP parameter is allowed in the IP address of an authorized management station.) However, you can alter the mask and the Authorized manager IP parameter to specify ranges of authorized IP addresses. For example, a mask of 255.255.255.0 and any value for the Authorized manager IP parameter allows a range of 0 through 255 in the 4th octet of the authorized IP address, which enables a block of up to 254 IP addresses for IP management access (excluding 0 for the network and 255 for broadcasts). A mask of 255.255.255.252 uses the 4th octet of a given Authorized manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under Configuring one station per Authorized manager IP entry.



NOTE: The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner.


Viewing and configuring IP Authorized managers (Menu)

Only IPv4 is supported when using the menu to set the management access method.

From the console Main Menu, select:

2. Switch Configuration...

6. IP Authorized managers

Figure: Add an authorized manager entry

Figure: Edit menu for authorized IP managers

Editing or deleting an Authorized manager entry (Menu)

Go to the IP managers List screen (see Add an authorized manager entry), highlight the desired entry, and press [E] (for Edit) or [D] (for Delete).

Viewing and configuring IP Authorized managers (CLI)

Listing the switch’s current IP Authorized manager(s)

Use the show ip authorized-managers command to list IP stations authorized to access the switch. For example:

The show authorized-managers command with access method configured

HP Switch(config)# show ip authorized-manager

IPV4 Authorized managers
------------------------

 Address : 10.10.10.10
 Mask    : 255.255.255.255
 Access  : manager

Configuring IP Authorized managers for the switch (CLI)

See the IPv6 Configuration Guide for information about Authorized IP manager configuration with IPv6 addresses.

Syntax:

[no] ip authorized-managers <ip-address> <ip-mask> access [manager|operator]
     access-method [all|ssh|telnet|web|snmp|tftp]

[no] ipv6 authorized-managers <ip-address> <ip-mask> access [manager|operator]
     access-method [all|ssh|telnet|web|snmp|tftp]

Configures one or more authorized IP addresses.

access [manager|operator]

Configures the privilege level for <ip-address>. Applies only to access through telnet, SSH, SNMPv1, SNMPv2c, and SNMPv3.

Default: manager

access-method [all|ssh|telnet|web|snmp|tftp]

Configures access levels by access method and IP address. Each management method can have its own set of authorized managers.

Default: all

Configuring IP authorized manager access method SSH

HP Switch(config)# ip authorized-managers 10.10.10.2 255.255.255.255 access manager access-method ssh

To authorize manager access

This command authorizes manager-level access for any station with an IP address of 10.28.227.0 through 10.28.227.255:

HP Switch(config)# ip authorized-managers 10.28.227.101 255.255.255.0 access manager

Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103:

HP Switch(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager

If you omit the <mask bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255. If you do not specify either manager or operator access, the switch assigns the manager access.
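The following added example (not part of the vendor documentation) audits authorized-manager entries: it applies the defaults described above, computes which addresses each Authorized manager IP and IP Mask pair admits, and flags entries that admit more stations than a chosen limit. It assumes the mask is compared bit by bit (a 1 bit must match the entry, a 0 bit is ignored), which also covers masks that are not contiguous; the function names, the sample lines and the max_stations threshold are hypothetical.

```python
import ipaddress

# Constructed sample lines, modelled on the commands shown on this page and
# evaluated independently of one another.
SAMPLE_CONFIG = """\
ip authorized-managers 10.10.10.2 255.255.255.255 access manager access-method ssh
ip authorized-managers 10.28.227.101 255.255.255.0 access manager
ip authorized-managers 10.28.227.101 255.255.255.252 access operator
ip authorized-managers 10.28.227.101
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_entry(line):
    """Return (ip, mask, access) as (int, int, str), applying the documented defaults."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["ip", "authorized-managers"]:
        raise ValueError(f"not an authorized-managers entry: {line!r}")
    rest = tokens[3:]
    # Mask omitted -> 255.255.255.255; access level omitted -> manager.
    mask = rest.pop(0) if rest and rest[0][0].isdigit() else "255.255.255.255"
    access = rest[rest.index("access") + 1] if "access" in rest else "manager"
    return to_int(tokens[2]), to_int(mask), access

def is_authorized(entry, station):
    """Assumed rule: every bit set in the mask must equal the entry's bit."""
    ip, mask, _ = entry
    return (to_int(station) & mask) == (ip & mask)

def authorized_range(entry):
    """Lowest and highest matching address, and how many addresses match."""
    ip, mask, _ = entry
    wildcard = ~mask & 0xFFFFFFFF          # bits the mask ignores
    low = ip & mask
    count = 2 ** bin(wildcard).count("1")  # includes the .0 and .255 addresses
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wildcard)), count

def broad_entries(config, max_stations=4):
    """Entries admitting more than max_stations addresses (hypothetical audit limit)."""
    entries = [parse_entry(l) for l in config.splitlines() if l.strip()]
    return [(e, authorized_range(e)) for e in entries if authorized_range(e)[2] > max_stations]

if __name__ == "__main__":
    for line in SAMPLE_CONFIG.splitlines():
        entry = parse_entry(line)
        print(line, "->", authorized_range(entry), entry[2])
```

Run against a saved configuration, the flagged entries are the ones to review first, since every station in a matched group receives the same access level.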

To edit an existing manager access entry

To change the mask or access level for an existing entry, use the entry’s IP address and enter the new value(s). Any parameters not included in the command are set to their defaults:

HP Switch(config)# ip authorized-managers 10.28.227.101 255.255.255.0 access operator

The above command replaces the existing mask and access level for IP address 10.28.227.101 with 255.255.255.0 and operator.

The following command replaces the existing mask and access level for IP address 10.28.227.101 with 255.255.255.255 and manager (the defaults) because the command does not specify either of these parameters.

HP Switch(config)# ip authorized-managers 10.28.227.101

To delete an authorized manager entry

This command uses the IP address of the authorized manager you want to delete:

HP Switch(config)# no ip authorized-managers 10.28.227.101