Remote Access Control

1. Function Overview

This product lets you restrict access to the following applications that implement network services.

  • TELNET server

  • HTTP server / secure HTTP server

  • TFTP server

  • SNMP server

3. Function Details

The following three functions are provided to limit access to network services.

  • Control whether to leave the service in question running in the background on the system (start/stop control)

  • Change reception port number

  • Limit the source IP addresses that can access services currently running

The table below shows which of these functions are available for each network service.

  • Network service access control

    Network service      Start/stop control     Change reception port number   Access source restriction
    TELNET server        Yes                    Yes                            Yes
    HTTP server          × (always running)     Yes                            Yes
    Secure HTTP server   Yes                    Yes                            Yes
    TFTP server          Yes                    Yes                            Yes
    SNMP server          × (always running)     × (always 161)                 Yes

    1. Multiple instances of a network service cannot be started.
      If the start control is applied to the same service that is currently running, the service will restart. Consequently, any connected sessions will be disconnected.

    2. When restricting access to network services, you can specify the source IP address (*1) and whether to allow or deny access (*2).
      (*1) The SNMP server also lets you specify the community name or user name of the access destination.
      (*2) The SNMP server only lets you specify access permission conditions.

    3. The default settings for the network services are shown in the table below.

      Network service      Start/stop status   Reception port number   Access source restriction
      TELNET server        run                 23                      Allow all
      HTTP server          run                 80                      Allow all
      Secure HTTP server   run                 443
      TFTP server          stop                69                      Allow all
      SNMP server          run                 161                     Allow all

4. Related Commands

Related commands are indicated below.
For details, refer to the Command Reference.

Network service   Operations                                                       Operating commands
TELNET server     Start/stop and change reception port number                      telnet-server enable (use argument to specify port number)
                  IP address access control                                        telnet-server access
                  Show settings                                                    show telnet-server
HTTP server       Change HTTP server’s reception port number                       http-server enable (use argument to specify port number)
                  Start/stop secure HTTP server and change reception port number   http-server secure enable (use argument to specify port number)
                  IP address access control                                        http-server access
                  Show settings                                                    show http-server
TFTP server       Start/stop and change reception port number                      tftp-server enable (use argument to specify port number)
                  IP address access control                                        tftp-server access
SNMP server       Access control by IP address and community name or user name     snmp-server access

5. Examples of Command Execution

5.1. TELNET server access control

This example restricts access to the TELNET server.
Change the TELNET server’s reception port to 1024.
Connections to the TELNET server are allowed only from 192.168.100.1.
If you specify telnet-server access, access from IP addresses that do not meet the conditions is denied.

Yamaha(config)#telnet-server enable 1024 (1)
Yamaha(config)#telnet-server access permit 192.168.100.1 (2)
Yamaha(config)#end
Yamaha#show telnet-server (3)
Service:Enable
Port:1024
Access:
    permit 192.168.100.1
(1) Change the reception port to 1024 and restart the TELNET server
(2) Allow access only from 192.168.100.1
(3) Check the settings

5.2. HTTP server access restrictions

This example restricts access to the HTTP server.
Change the HTTP server’s reception port to 8000 and the secure HTTP server’s reception port to 9000.
Connections to the HTTP server are allowed only from 192.168.100.1.
If you specify http-server access, access from IP addresses that do not meet the conditions is denied.

Yamaha(config)#http-server enable 8000 (1)
Yamaha(config)#http-server secure enable 9000 (2)
Yamaha(config)#http-server access permit 192.168.100.1 (3)
Yamaha(config)#end
Yamaha#show http-server (4)
HTTP :Enable(8000)
HTTPS:Enable(9000)
Access:
    permit 192.168.100.1
(1) Change the reception port to 8000 and restart the HTTP server
(2) Change the reception port to 9000 and restart the secure HTTP server
(3) Allow access only from 192.168.100.1
(4) Check the settings

5.3. TFTP server access restrictions

This example restricts access to the TFTP server.
Change the TFTP server’s reception port to 2048.
Connections to the TFTP server are allowed only from 192.168.100.1.

Yamaha(config)#tftp-server enable 2048 (1)
Yamaha(config)#tftp-server access permit 192.168.100.1 (2)
(1) Change the reception port to 2048 and restart the TFTP server
(2) Allow access only from 192.168.100.1

5.4. SNMP server access restrictions

This example restricts access to the SNMP server.
Access with the community name “public” is restricted to clients from 192.168.100.0/24.
In addition, access with the community name “private” is restricted to clients from 192.168.100.1.

Yamaha(config)#snmp-server access permit 192.168.100.0/24 community public (1)
Yamaha(config)#snmp-server access permit 192.168.100.1 community private (2)
(1) The community name “public” allows access only from 192.168.100.0/24
(2) The community name “private” allows access only from 192.168.100.1

Access to the SNMP server is restricted to clients with username “user1” from 192.168.100.0/24.

Yamaha(config)#snmp-server access permit 192.168.100.0/24 user user1 (1)
(1) Allow access only from 192.168.100.0/24 and the username “user1”

6. Points of Caution

If you change the IPv4/IPv6 address settings, all settings related to restrictions on access source IP address will be reset.
Use particular caution when changing the IPv4/IPv6 address settings.
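
A check to run against a saved configuration after an IPv4/IPv6 address change, as an added example (not Yamaha's code): it applies the configuration lines on top of the default settings table and lists every running service whose access list is empty, that is, still "Allow all". It assumes the configuration text contains the commands in the forms shown in section 5, that reset restrictions simply no longer appear in it, and that the HTTP and secure HTTP servers share the single list printed by show http-server; the sample configuration is constructed.

```python
import re

# Defaults from the page's table: service -> (running, reception port).
DEFAULTS = {
    "telnet-server": (True, 23), "http-server": (True, 80),
    "http-server secure": (True, 443), "tftp-server": (False, 69),
    "snmp-server": (True, 161),
}
ENABLE = re.compile(
    r"^(telnet-server|http-server secure|http-server|tftp-server) enable(?: (\d+))?$")
ACCESS = re.compile(
    r"^(telnet-server|http-server|tftp-server|snmp-server) access (\S+) (.+)$")


def parse(config_text):
    """Apply config lines on top of the defaults; return (services, rules)."""
    services = {n: {"running": r, "port": p} for n, (r, p) in DEFAULTS.items()}
    # Assumption: HTTP and secure HTTP share one list, as "show http-server" prints.
    rules = {name: [] for name in DEFAULTS if " " not in name}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if m := ENABLE.match(line):
            services[m.group(1)]["running"] = True
            if m.group(2):
                services[m.group(1)]["port"] = int(m.group(2))
        elif m := ACCESS.match(line):
            rules[m.group(1)].append((m.group(2), m.group(3)))
    return services, rules


def open_services(config_text):
    """Running services with an empty access list, i.e. still 'Allow all'."""
    services, rules = parse(config_text)
    return [(name, svc["port"]) for name, svc in services.items()
            if svc["running"] and not rules[name.split(" ")[0]]]


# Constructed sample: sections 5.1/5.2 commands; AFTER drops the access lines.
BEFORE = """\
telnet-server enable 1024
telnet-server access permit 192.168.100.1
http-server enable 8000
http-server secure enable 9000
http-server access permit 192.168.100.1
"""
AFTER = "\n".join(l for l in BEFORE.splitlines() if " access " not in l)

if __name__ == "__main__":
    print("before:", open_services(BEFORE), "after:", open_services(AFTER))
```

With the sample, only the SNMP server is unrestricted before the change; afterwards the TELNET, HTTP and secure HTTP servers are listed as well, on their changed ports.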