Remote Access Control
1. Function Overview
This product lets you restrict access to the following applications that implement network services.
- TELNET server
- HTTP server / secure HTTP server
- TFTP server
- SNMP server
3. Function Details
The following three functions are provided to limit access to network services.
- Control whether to leave the service in question running in the background on the system (start/stop control)
- Change reception port number
- Limit the source IP addresses that can access services currently running
The functions available for each network service are shown in the table below.
Network service access control

Network service | Start/stop control | Change reception port number | Access source restriction |
---|---|---|---|
TELNET server | Yes | Yes | Yes |
HTTP server | × (Always booted) | Yes | Yes |
Secure HTTP server | Yes | Yes | Yes |
TFTP server | Yes | Yes | Yes |
SNMP server | × (Always booted) | × (Always 161) | Yes |
- Multiple instances of a network service cannot be started.
  If the start control is applied to the same service that is currently running, the service will restart. Consequently, any connected sessions will be disconnected.
- When restricting access to network services, you can specify the source IP address (*1) and whether to allow or deny access (*2).
  (*1) SNMP servers also allow you to specify the community name or user name of the access destination.
  (*2) SNMP servers only allow you to specify the access permission conditions.
- The default settings for the network services are shown in the table below.
Network service | Start/stop status | Reception port number | Access source restriction |
---|---|---|---|
TELNET server | run | 23 | Allow all |
HTTP server | run | 80 | Allow all |
Secure HTTP server | run | 443 | |
TFTP server | stop | 69 | Allow all |
SNMP server | run | 161 | Allow all |
4. Related Commands
Related commands are indicated below.
For details, refer to the Command Reference.
Network service | Operations | Operating commands |
---|---|---|
TELNET server | Start/stop and change reception port number | telnet-server enable (use argument to specify port number) |
TELNET server | IP address access control | telnet-server access |
TELNET server | Show settings | show telnet-server |
HTTP server | Change HTTP server’s reception port number | http-server enable (use argument to specify port number) |
HTTP server | Start/stop secure HTTP server and change reception port number | http-server secure enable (use argument to specify port number) |
HTTP server | IP address access control | http-server access |
HTTP server | Show settings | show http-server |
TFTP server | Start/stop and change reception port number | tftp-server enable (use argument to specify port number) |
TFTP server | IP address access control | tftp-server access |
SNMP server | Access control by IP address and community name or user name | snmp-server access |
5. Examples of Command Execution
5.1. TELNET server access control
This example restricts access to the TELNET server.
Change the TELNET server’s reception port to 1024.
Connection to the TELNET server is allowed only by clients from 192.168.100.1.
If you specify telnet-server access, access from IP addresses that do not meet the conditions is denied.
```
Yamaha(config)#telnet-server enable 1024 (1)
Yamaha(config)#telnet-server access permit 192.168.100.1 (2)
Yamaha(config)#end
Yamaha#show telnet-server (3)
Service:Enable
Port:1024
Access:
    permit 192.168.100.1
```
(1) Change the reception port to 1024 and reboot the TELNET server
(2) Allow access only from 192.168.100.1
(3) Check the settings
5.2. HTTP server access restrictions
This example restricts access to the HTTP server.
Change the HTTP server’s reception port to 8000 and the secure HTTP server’s reception port to 9000.
Connection to the HTTP server is allowed only by clients from 192.168.100.1.
If you specify http-server access, access from IP addresses that do not meet the conditions is denied.
```
Yamaha(config)#http-server enable 8000 (1)
Yamaha(config)#http-server secure enable 9000 (2)
Yamaha(config)#http-server access permit 192.168.100.1 (3)
Yamaha(config)#end
Yamaha#show http-server (4)
HTTP :Enable(8000)
HTTPS:Enable(9000)
Access:
    permit 192.168.100.1
```
(1) Change the reception port to 8000 and reboot the HTTP server
(2) Change the reception port to 9000 and reboot the secure HTTP server
(3) Allow access only from 192.168.100.1
(4) Check the settings
5.3. TFTP server access restrictions
This example restricts access to the TFTP server.
Change the TFTP server’s reception port to 2048.
Connection to the TFTP server is allowed only by clients from 192.168.100.1.
```
Yamaha(config)#tftp-server enable 2048 (1)
Yamaha(config)#tftp-server access permit 192.168.100.1 (2)
```
(1) Change the reception port to 2048 and reboot the TFTP server
(2) Allow access only from 192.168.100.1
5.4. SNMP server access restrictions
This example restricts access to the SNMP server.
Access to “public” communities is restricted to clients from 192.168.100.0/24.
In addition, access to “private” communities is restricted to clients from 192.168.100.1.
```
Yamaha(config)#snmp-server access permit 192.168.100.0/24 community public (1)
Yamaha(config)#snmp-server access permit 192.168.100.1 community private (2)
```
(1) The community name “public” allows access only from 192.168.100.0/24
(2) The community name “private” allows access only from 192.168.100.1
Access to the SNMP server is restricted to clients with username “user1” from 192.168.100.0/24.
```
Yamaha(config)#snmp-server access permit 192.168.100.0/24 user user1 (1)
```
(1) Allow access only from 192.168.100.0/24 and the username “user1”
6. Points of Caution
If you change the IPv4/IPv6 address settings, all settings related to restrictions on access source IP address will be reset.
Use particular caution when changing the IPv4/IPv6 address settings.
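
As an added example (not part of the original manual and not Yamaha code), the following Python applies the command forms from section 5 on top of the default settings in section 3 and reports which services still accept any source address, a check worth repeating after the address change described in section 6. The function names are hypothetical, only `permit` rules are modelled, and it assumes that `http-server access` applies to both HTTP and secure HTTP and that an SNMP community or user with no matching rule is denied once any rule exists.

```python
import ipaddress

# Defaults taken from the page's default-settings table: (running, port).
DEFAULTS = {"telnet": (True, 23), "http": (True, 80), "https": (True, 443),
            "tftp": (False, 69), "snmp": (True, 161)}

def parse_config(lines):
    """Apply the command forms shown in section 5 on top of the defaults."""
    state = {s: {"running": r, "port": p, "permit": []}
             for s, (r, p) in DEFAULTS.items()}
    for line in lines:
        tok = line.split()
        if tok[:2] == ["http-server", "secure"]:    # http-server secure enable N
            tok = ["https-server"] + tok[2:]
        if len(tok) < 2 or not tok[0].endswith("-server"):
            continue
        svc = tok[0][:-len("-server")]
        if svc not in state:
            continue
        if tok[1] == "enable":
            state[svc]["running"] = True
            if len(tok) > 2:
                state[svc]["port"] = int(tok[2])
        elif tok[1:3] == ["access", "permit"] and len(tok) > 3:
            net = ipaddress.ip_network(tok[3], strict=False)
            scope = tuple(tok[4:6])                 # e.g. ("community", "public")
            # Assumption: http-server access covers HTTP and secure HTTP alike.
            for s in (("http", "https") if svc == "http" else (svc,)):
                state[s]["permit"].append((net, scope))
    return state

def is_allowed(state, svc, src, scope=()):
    """Allow all when no rule exists; otherwise unmatched sources are denied."""
    if not state[svc]["running"]:
        return False
    if not state[svc]["permit"]:
        return True
    # Assumption: an SNMP scope with no rule of its own is denied.
    rules = [n for n, sc in state[svc]["permit"] if sc == tuple(scope)]
    return any(ipaddress.ip_address(src) in n for n in rules)

def open_services(state):
    """Services that are running and still accept any source address."""
    return sorted(s for s, v in state.items() if v["running"] and not v["permit"])

# Constructed sample: the commands from sections 5.1 and 5.4 of this page.
SAMPLE = ["telnet-server enable 1024",
          "telnet-server access permit 192.168.100.1",
          "snmp-server access permit 192.168.100.0/24 community public",
          "snmp-server access permit 192.168.100.1 community private"]
```

With `SAMPLE`, `open_services(parse_config(SAMPLE))` lists only the HTTP and secure HTTP servers, which were left at their defaults.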