April 7th, 2016 12:00

Locking down Switch Access via OpenManage (M6220 & M6348)

I'm trying to limit access to the switch and OpenManage using the management security utility in OpenManage. I'm trying to limit access by creating an Access Profile and rules specifying IPs and management methods (HTTPS and SSH).

The problem is that even though everything appears to be correct and I activate the access profile, I can still access the switch from any IP on the network.  What am I doing wrong?

I'm using OpenManage Version  5.1.3.7.

April 7th, 2016 11:00

I'm trying to lock down access to a PowerConnect M6348 and M8024 by IP only.  Can anyone help with this?  The user guide showed me how to create and apply profiles in management access, but that doesn't seem to work.  I just want some basic IP filter to only allow a few IPs to have access to openmanage on the switch.  Is this even possible?  Anytime I implement a policy, it doesn't work, I can still access the switch from any IP. 

Moderator

April 7th, 2016 15:00

Hi,

Can you post screenshots of how you have it configured? You could create a management ACL that permits only the IP addresses that you want. Page 556 downloads.dell.com/.../powerconnect-m6220_user%27s%20guide_en-us.pdf

April 15th, 2016 09:00

I just need an example of the CLI process. I've followed this so far:

www.dell.com/.../app_note_14.pdf

I only need https and ssh management access from a single IP.

I followed that guide because it had a clear process of how to get where I needed to be. But it is obviously outdated.

Moderator

April 15th, 2016 10:00

If you just want to allow a single IP create the management ACL and then permit ip-source xxx.xxx.xxx.xxx

That should allow only that IP for the management ACL

 

The example in the manual, "To configure the switch":

1 Create a management ACL and enter the configuration mode for the ACL.

console#configure
console(config)#management access-list mgmt_ACL

2 Create a rule that allows access from hosts in the 10.27.65.0 network on VLAN 1 and assign a priority of 1 to the rule.

console(config-macl)#permit ip-source 10.27.65.0 mask 255.255.255.0 vlan 1 priority 1

3 Create a rule that allows access from hosts in the 10.27.65.0 network connected to port 9 and assign a priority of 2 to the rule.

console(config-macl)#permit ip-source 10.27.65.0 mask 255.255.255.0 Gi1/0/9 priority 2
console(config-macl)#exit

4 Activate the ACL.

console(config)#management access-class mgmt_ACL
console(config)#exit

5 Verify the management ACL configuration.

console#show management access-list

mgmt_ACL
--------
permit ip-source 10.27.65.0 mask 255.255.255.0 vlan 1 priority 1
permit ip-source 10.27.65.0 mask 255.255.255.0 Gi1/0/9 priority 2
! (Note: all other access implicitly denied)

6 Verify that the configured management ACL is in use.

April 15th, 2016 10:00

So when I am creating the permissions, do I need specify a port?

Also in the permissions, I want to restrict access to ssh and https only.  So do I need to specify each of those in a separate permission from the vlan permit?

April 15th, 2016 11:00

So this is what I have done.  I've followed your instructions to the letter (other than permitting ssh and https and denying the rest).  However I can still login to the switch from any IP on the network.

Moderator

April 15th, 2016 12:00

You can use service to specify ssh and https:

service service — Indicates service type. Can be one of the following: telnet, ssh, http, https, tftp, snmp, sntp, or any.

Did you apply the management access list to vlan 1?

April 18th, 2016 06:00

I did not. How do I do that? Also, I have 2 other VLANS.  So Will I have to create ACLs for those as well?

April 19th, 2016 10:00

Just a follow up! For those who may look at this. My problem was management traffic being routed through the out-of-band port. Once I rerouted through my VLAN, macls worked.  My subnet mask also had to be limited to a specific host (255.255.255.255) in order to restrict access to a single IP.
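An added illustration (editor's example, not code from the thread or from Dell's documentation) of the two points this thread turns on: the moderator's manual excerpt above, where a management ACL is built from prioritised permit rules with an implicit deny at the end, and the follow-up's finding that the mask had to be 255.255.255.255 to restrict access to a single host. The script models how such an ACL is evaluated for a management session, parsing rules written in the command syntax quoted in the thread (ip-source, mask, service, vlan, priority) and comparing a "/24 by mistake" list against a one-host, SSH-and-HTTPS-only list. The evaluation order (lowest priority number checked first, first match wins, no match means deny), the treatment of an omitted mask as a single host, and the sample addresses and sessions are all assumptions of the model, not verified switch behaviour; confirm what your switch actually does with show management access-list. The manual's interface form (Gi1/0/9) and the out-of-band port are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service keywords quoted in the thread from the switch manual.
SERVICES = {"telnet", "ssh", "http", "https", "tftp", "snmp", "sntp", "any"}
KEYWORDS = ("ip-source", "mask", "service", "vlan", "priority")


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # ip-source combined with mask
    service: str                   # one of SERVICES; "any" matches every service
    vlan: Optional[int]            # None: not restricted to an ingress VLAN
    priority: int


def parse_rule(line: str) -> Rule:
    """Parse one 'permit ...' / 'deny ...' line in the syntax the thread quotes."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {line!r}")
    if len(tokens) % 2 == 0:       # a keyword without its value
        raise ValueError(f"dangling keyword in {line!r}")
    kw = {}
    for key, value in zip(tokens[1::2], tokens[2::2]):
        if key not in KEYWORDS:
            raise ValueError(f"unsupported keyword {key!r} in {line!r}")
        kw[key] = value
    if "ip-source" not in kw:
        raise ValueError(f"rule has no ip-source: {line!r}")
    # Model assumption: an omitted mask means a single host. The thread's
    # follow-up found that 255.255.255.255 had to be given explicitly.
    mask = kw.get("mask", "255.255.255.255")
    # strict=False reproduces the pitfall: 10.27.65.10 with mask 255.255.255.0
    # collapses to 10.27.65.0/24, so the whole subnet is permitted.
    source = ipaddress.IPv4Network((kw["ip-source"], mask), strict=False)
    service = kw.get("service", "any")
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r} in {line!r}")
    vlan = int(kw["vlan"]) if "vlan" in kw else None
    return Rule(tokens[0], source, service, vlan, int(kw.get("priority", "1")))


def parse_acl(text: str) -> list:
    """Parse the rule lines of one management access-list; '!' lines are comments."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    return sorted(rules, key=lambda r: r.priority)   # assumption: lowest number first


def evaluate(rules, src: str, service: str, vlan: int) -> str:
    """Return 'permit' or 'deny' for a management session from src over service on vlan."""
    ip = ipaddress.IPv4Address(src)
    for r in rules:
        if ip in r.source and r.service in ("any", service) and r.vlan in (None, vlan):
            return r.action          # first matching rule decides
    return "deny"                    # "all other access implicitly denied"


# Constructed ACLs. LOOSE_ACL names one host but, with a /24 mask and no service
# keyword, admits every host on 10.27.65.0/24 for every management service.
LOOSE_ACL = """
permit ip-source 10.27.65.10 mask 255.255.255.0 vlan 1 priority 1
"""

# TIGHT_ACL is the thread's stated goal: one host, SSH and HTTPS only, on VLAN 1.
TIGHT_ACL = """
! management access-list mgmt_ACL
permit ip-source 10.27.65.10 mask 255.255.255.255 service ssh vlan 1 priority 1
permit ip-source 10.27.65.10 mask 255.255.255.255 service https vlan 1 priority 2
"""

ATTEMPTS = [  # constructed (source, service, ingress VLAN) management sessions
    ("10.27.65.10", "ssh", 1),
    ("10.27.65.10", "https", 1),
    ("10.27.65.10", "telnet", 1),
    ("10.27.65.50", "ssh", 1),
    ("10.27.65.10", "ssh", 2),
]


def compare() -> dict:
    """Map each attempt to its (loose verdict, tight verdict) pair."""
    loose, tight = parse_acl(LOOSE_ACL), parse_acl(TIGHT_ACL)
    return {f"{ip} {svc} vlan{vlan}": (evaluate(loose, ip, svc, vlan),
                                      evaluate(tight, ip, svc, vlan))
            for ip, svc, vlan in ATTEMPTS}


if __name__ == "__main__":
    for attempt, (loose, tight) in compare().items():
        print(f"{attempt:26} loose={loose:7} tight={tight}")
```

Run it and the loose list permits the neighbouring host 10.27.65.50 and a telnet session from the intended host, while the tight list permits only SSH and HTTPS from 10.27.65.10 on VLAN 1; the same session arriving on VLAN 2 matches no rule in either list and falls to the implicit deny, which is why a rule bound to vlan 1 does nothing for traffic that reaches the switch another way.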

Moderator

April 19th, 2016 10:00

Great to hear that you were able to get it resolved.
