Home > Community > "Airheads Online (2004-2011)" Archive > ArubaOS and Controllers > Controller Management Security

ArubaOS and Controllers

Reply
Topic Options
KadeCole
Occasional Contributor II
KadeCole
Posts: 24
Registered: ‎04-03-2007

Controller Management Security
Options

‎11-03-2009 12:44 PM

In another thread I came across the following statement:



I was wondering if anyone knows how to turn OFF management for all IPs except one? In most network environments you only want to manage your network equipment from one IP or allow management from a range of IPs to that specific network device. Most other network vendors have the concept of an Access Control List for Management. Is this something that Aruba has thought about? Thanks.

1 person had this problem.
Alert a Moderator
Message 1 of 5 (913 Views)
0 Kudos
ahenson
Occasional Contributor II
ahenson
Posts: 44
Registered: ‎04-02-2007

Re: Controller Management Security
Options

‎11-03-2009 02:06 PM

Our (admittedly cumbersome) solution was to define every IP of every controller in a netdestination called "MGMT-IPs", then create an ACL restricting access to it, and applying that ACL to every user-role and every physical interface on the controller.

I'd very much like to see a "management" interface we can set an ACL on, like Cisco's vty's.
Alert a Moderator
Message 2 of 5 (891 Views)
0 Kudos
KadeCole
Occasional Contributor II
KadeCole
Posts: 24
Registered: ‎04-03-2007

Re: Controller Management Security
Options

‎11-03-2009 02:13 PM

I have come across the same solution but I agree that this is a must add feature and second your request.
Alert a Moderator
Message 3 of 5 (891 Views)
0 Kudos
Aruba Employee
turner
Posts: 64
Registered: ‎04-07-2007

Re: Controller Management Security
Options

‎11-04-2009 07:40 AM

I was just reviewing my security logs and came across ssh brute force attempts on a new vlan IP.

We had defined an ACL for mswitch but that points to the loopback and nothing else.

I third the request for an alias to all controller IPs or the ability to restrict management to a single IP.
Alert a Moderator
Message 4 of 5 (891 Views)
0 Kudos
MVP MVP
MVP
Ryan
Posts: 502
Registered: ‎04-03-2007

Rfe 1007
Options

‎11-17-2009 10:24 AM

We (OSU) submitted an RFE for service ACLs, which would be similar to your Linux "hosts.allow" files. Essentially, it'd be nice to simply say to what networks SSH/HTTPS is allowed without ever actually specifying destination IP addresses.

I suppose an all-encompassing built-in netdestination would do the same thing, too, though. Good suggestion!
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Alert a Moderator
Message 5 of 5 (891 Views)
0 Kudos
Search Airheads
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2017 Hewlett Packard Enterprise Development LP
Powered by Lithium