Limiting access to SSH/SNMP/WEB?

Whats the best way to restrict access to the management interfaces to only a certain vlan or a certain subnet?

I saw authorized-manager in the CLI but can’t see if it’s an exclusive restriction once you set it or how it works… can i just put a subnet and the vlan for all the various services, and thats it it won’t be accessible via any other ips/vlans?

We can use the authorized-manager command to restrict access to the management – we can also choose which service to be allowed / restricted :

TX2028RFP-EC5EC0# conf t
TX2028RFP-EC5EC0(config)# authorized-manager ?

ip-source                           IP source related configuration

TX2028RFP-EC5EC0(config)# authorized-manager ip-source ?

<ip_addr>                           Network or host IP address

TX2028RFP-EC5EC0(config)# authorized-manager ip-source 10.2.109.0 ?

/                                   CIDR notation
<CR>                                Configures an IP authorized manager
<ip_mask>                           Subnet mask for the IP address
interface                           Interface related configuration
mgmt0                               Out of Band management interface
service                             Service type related configuration
vlan                                VLAN interface

Example for vlan 100, port gi 0/4 – subnet 100.0.0.0 / 24

TX2028RFP-EC5EC0(config)# authorized-manager ip-source 100.0.0.0 / 24  interface  gi 0/4 vlan 100 service https ssh ?

<CR>                                Configures an IP authorized manager
http                                HTTP service
snmp                                SNMP service
telnet                              Telnet service

TX2028RFP-EC5EC0(config)# authorized-manager ip-source 100.0.0.0 / 24  interface gi 0/4 vlan 100 service https ssh
TX2028RFP-EC5EC0(config)#
TX2028RFP-EC5EC0(config)#
TX2028RFP-EC5EC0(config)#
TX2028RFP-EC5EC0(config)# do show authorized-managers

Ip Authorized Manager Table
---------------------------

Ip Address       : 100.0.0.0
Ip Mask          : 255.255.255.0
Services allowed : HTTPS, SSH
Ports allowed    : Gi0/4
On mgmt0         : Deny
Vlans allowed    : 100