Попробовал написать правила для ограничения SSH, HTTPS, SNMP:
policy service HTTPS protocol 6 destination tcp port 443
policy service SSH protocol 6 destination tcp port 22
policy service SNMP protocol 17 destination udp port 161
policy service group MANAGEMENT_PROTOCOL HTTPS SSH
policy service group NMS_PROTOCOL SNMP
policy network group MANAGEMENT_TRUSTED xx.xx.xx.xx mask 255.255.255.240 zz.zz.zz.zz
policy network group SNMP_TRUSTED aa.aa.aa.aa bb.bb.bb.bb
policy condition TO-ME-MANAGEMENT-TRUSTED source network group MANAGEMENT_TRUSTED destination network group Switch service group MANAGEMENT_PROTOCOL
policy condition TO-ME-MANAGEMENT-BLOCK destination network group Switch service group MANAGEMENT_PROTOCOL
policy condition TO-ME-NMS-TRUSTED source network group SNMP_TRUSTED destination network group Switch service group NMS_PROTOCOL
policy condition TO-ME-NMS-BLOCK destination network group Switch service group NMS_PROTOCOL
policy action ACCEPT
policy action DROP disposition drop
policy rule RULE-TO-ME-MANAGEMENT-TRUSTED precedence 17003 condition TO-ME-MANAGEMENT-TRUSTED action ACCEPT
policy rule RULE-TO-ME-MANAGEMENT-BLOCK precedence 17000 condition TO-ME-MANAGEMENT-BLOCK action DROP log
policy rule RULE-TO-ME-NMS-TRUSTED precedence 16997 condition TO-ME-NMS-TRUSTED action ACCEPT
policy rule RULE-TO-ME-NMS-BLOCK precedence 16994 condition TO-ME-NMS-BLOCK action DROP log
qos apply
Поправьте, если где ошибся.
Вопрос: По умолчанию все, что не попадает под явные правила - пропускается?
Поясните смысл параметра "disposition" в policy action.
Спасибо.
Добрый день.
Добавлю вопрос: как можно на ALcatel 6850 ограничить доступ на его management (SSH, HTTPS) и SNMP с конкретных IP адресов?
(Как у Cisco "access-class" на "line vty 0 4" и "snmp-server community XXXXXXXXX RO 2")
Спасибо.
