Skip to main content

Manage the IP addresses that can access the SP

Contributors netapp-aherbin
PDFs

By default, the SP accepts SSH connection requests from administration hosts of any IP addresses. You can configure the SP to accept SSH connection requests from only the administration hosts that have the IP addresses you specify. The changes you make apply to SSH access to the SP of any nodes in the cluster.

Steps

  1. Grant SP access to only the IP addresses you specify by using the system service-processor ssh add-allowed-addresses command with the -allowed-addresses parameter.

    • The value of the -allowed-addresses parameter must be specified in the format of address/netmask, and multiple address/netmask pairs must be separated by commas, for example, 10.98.150.10/24, fd20:8b1e:b255:c09b::/64.

      Setting the -allowed-addresses parameter to 0.0.0.0/0, ::/0 enables all IP addresses to access the SP (the default).

    • When you change the default by limiting SP access to only the IP addresses you specify, ONTAP prompts you to confirm that you want the specified IP addresses to replace the “allow all” default setting (0.0.0.0/0, ::/0).

    • The system service-processor ssh show command displays the IP addresses that can access the SP.

  2. If you want to block a specified IP address from accessing the SP, use the system service-processor ssh remove-allowed-addresses command with the -allowed-addresses parameter.

    If you block all IP addresses from accessing the SP, the SP becomes inaccessible from any administration hosts.

Examples of managing the IP addresses that can access the SP

The following examples show the default setting for SSH access to the SP, change the default by limiting SP access to only the specified IP addresses, remove the specified IP addresses from the access list, and then restore SP access for all IP addresses:

cluster1::> system service-processor ssh show
  Allowed Addresses: 0.0.0.0/0, ::/0

cluster1::> system service-processor ssh add-allowed-addresses -allowed-addresses 192.168.1.202/24, 192.168.10.201/24

Warning: The default "allow all" setting (0.0.0.0/0, ::/0) will be replaced
         with your changes. Do you want to continue? {y|n}: y

cluster1::> system service-processor ssh show
  Allowed Addresses: 192.168.1.202/24, 192.168.10.201/24

cluster1::> system service-processor ssh remove-allowed-addresses -allowed-addresses 192.168.1.202/24, 192.168.10.201/24

Warning: If all IP addresses are removed from the allowed address list, all IP
         addresses will be denied access. To restore the "allow all" default,
         use the "system service-processor ssh add-allowed-addresses
         -allowed-addresses 0.0.0.0/0, ::/0" command. Do you want to continue?
          {y|n}: y

cluster1::> system service-processor ssh show
  Allowed Addresses: -

cluster1::> system service-processor ssh add-allowed-addresses -allowed-addresses 0.0.0.0/0, ::/0

cluster1::> system service-processor ssh show
  Allowed Addresses: 0.0.0.0/0, ::/0