Campus Switching and Routing

Contributor II

ACLs on Mobility Access Switches (MAS)

Hi!

 

I'm testing the MAS out here and getting stuck on what seems to be a pretty simple task, to put an ACL on incoming traffic of the switch to secure it. The switch has a VLAN interface with DHCP-client that gets an IP from my ISP. On the inside I have two client VLANs with open AAA profiles to put them in a role with a session ACL of allowall and NAT internet traffic out the uplink interface.

 

So the way I see it there's a couple of different ways to do this. I could either apply an extended ACL to the physical port that uplinks to the ISP or on the RVI that gets the DHCP address from the ISP. Either way I apply it (ingress on physical port for example) it messes up my connectivity from the clients to the internet. Shouldn't the session ACL on the role take care of return traffic?

 

My goal:

To allow only IKE and SSH to the public IP of the switch. Deny rest.

Maybe port forward something to the inside like an FTP server.

Allow all from my internal clients to the internet.

 

Any tips on how to accomplish this on the MAS?

 

Thanks,

Chris

Guru Elite

Re: ACLs on Mobility Access Switches (MAS)

Do you have bidirectional ACL entries? These are stateless ACLs. Here's an example of a management access ACL applied to the routed VLANs feeding the stack.

 

ip access-list stateless MANAGEMENT-SSH-ACL-STATELESS-B
  alias NET-MGT-IP-B   alias SWITCH-IPS-B any  permit
  alias SWITCH-IPS-B   alias NET-MGT-IP-B any  permit
  alias DHCP-SERVERS-DEST-B   alias SWITCH-IPS-B svc-dhcp  permit
  any   alias SWITCH-IPS-B any  deny
  any any any  permit
!

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: ACLs on Mobility Access Switches (MAS)

Hi!

 

Thank you for your quick reply, it made me understand a bit more about how the ACL works on the VLAN interface. Although I don't think I'll be able to use an alias for the switch IP since it'll be dynamically assigned. Is there a way to make the alias dynamic?

 

I tried writing it without using the alias for the switch but then I get stuck on the deny rule:

 

ip access-list stateless UPLINK
   alias MGMT-NETS any any permit
   any any svc-dhcp permit
   any alias MGMT-NETS any permit
   any alias SWITCH? any deny
   any any any permit
!

 

The scenario is to be able to deploy this switch on a dynamically assigned IP from ISP and still protect it from the big bad internet. It'll be building IPSEC VPN to a centrally placed mobility controller.

 

Any ideas?

Guru Elite

Re: ACLs on Mobility Access Switches (MAS)

That's a great question. I haven't been presented with that situation (yet) so I'm not sure. We'll have to wait for Madani to chime in :)

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ACLs on Mobility Access Switches (MAS)

Ok, thank you for your help :) (finally on my new account, yay)

 

Best regards,

Chris

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP CWAP

Re: ACLs on Mobility Access Switches (MAS)

Anyone have any ideas on this? It's quite an important issue if you want to be able to place the MAS directly facing the internet.

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP CWAP
Aruba

Re: ACLs on Mobility Access Switches (MAS)

Chris,

Port ACLs (PACLs) and Router ACLs (RACLs) get applied in hardware prior to hitting the software engine which handles session ACLs. Here is a simple configuration disabling inbound access to a number of services running in the MAS but then allowing all other traffic in to be handled by the software engine.

 

!
netservice svc-snmp udp 161
!
ip access-list stateless BLOCK-EXTERNAL
  any any svc-dhcp  permit
# Allow inbound DHCP
  host 54.225.97.119 any svc-ssh permit
# Allow SSH from 54.225.97.119 (Aruba as an example. This would be your headend site where you would SSH from)
  any any svc-ssh  deny
# Block all other SSH traffic coming to port 22
  any any svc-ftp  deny
# Block FTP traffic to the switch due to a bug in AOS 7.3.1.0 and below where FTP port will be open
  any any svc-snmp  deny
# Block SNMP traffic to the switch
  any any svc-ntp  deny
# Block NTP requests to the switch
  any any any  permit
# Allow all other traffic which will then go to the software engine
!
web-server
   no mgmt-ui-ports
# Closes ports 80, 443 and 4343, effectively disabling the Web-UI
   no captive-portal-ports
# Closes ports 8080, 8081 and 8088 effectively disabling captive portal functionality
# If captive portal is needed, re-enable and add these ports to the 'BLOCK-EXTERNAL' ACL
!
interface-profile switching-profile "VLAN1"
!
interface-profile mstp-profile "PORTFAST"
   portfast
!
vlan "1"
   description "PUBLIC"
!
interface vlan "1"
   session-processing
   ip address dhcp-client
   ip access-group in "BLOCK-EXTERNAL"
!
interface gigabitethernet "0/0/23"
   mstp-profile "PORTFAST"
   switching-profile "VLAN1"
!
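The two ACLs posted in this thread, Tim's MANAGEMENT-SSH-ACL-STATELESS-B and Madani's BLOCK-EXTERNAL, together with the kind of "only SSH and IKE in, deny the rest" uplink ACL Chris described trying, run through a small first-match evaluator below. This is an added example, not code from the thread, from Aruba or from any of the posters. It models only the semantics the answers rely on (rules tried top to bottom, first match decides, each packet header judged on its own with no flow memory, and an implicit deny when nothing matches), not the MAS hardware path. The netservice port table is my approximation of the built-in definitions, and the alias contents, the switch's public address and every packet are constructed sample data.

```python
import ipaddress

# Assumed approximation of the built-in netservices: name -> (proto, dst ports).
NETSERVICES = {
    "svc-dhcp": ("udp", {67, 68}),
    "svc-ssh": ("tcp", {22}),
    "svc-ike": ("udp", {500, 4500}),
    "svc-ftp": ("tcp", {21}),
    "svc-snmp": ("udp", {161}),
    "svc-ntp": ("udp", {123}),
}
# Constructed stand-ins for the netdestination aliases used in Tim's ACL.
ALIASES = {
    "NET-MGT-IP-B": [ipaddress.ip_network("10.10.10.0/24")],
    "SWITCH-IPS-B": [ipaddress.ip_network("10.20.0.1/32")],
    "DHCP-SERVERS-DEST-B": [ipaddress.ip_network("10.10.20.5/32")],
}

def _parse_endpoint(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'alias NAME' at tokens[i]; None matches all."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tokens[i] == "alias":
        return ALIASES[tokens[i + 1]], i + 2
    raise ValueError("unsupported endpoint: " + " ".join(tokens[i:]))

def parse_acl(text):
    """Body of 'ip access-list stateless NAME' -> [(src, dst, service, action)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        # Skip the header plus the '!' and '#' annotation lines used in the thread.
        if not line or line.startswith(("!", "#", "ip access-list")):
            continue
        tokens = line.split()
        src, i = _parse_endpoint(tokens, 0)
        dst, i = _parse_endpoint(tokens, i)
        rules.append((src, dst, tokens[i], tokens[i + 1]))
    return rules

def _addr_in(nets, addr):
    return nets is None or any(ipaddress.ip_address(addr) in n for n in nets)

def evaluate(rules, src, dst, proto, dport):
    """First match wins; stateless, so a reply packet is judged like any other."""
    for rule_src, rule_dst, service, action in rules:
        if service == "any":
            svc_ok = True
        else:
            svc_proto, ports = NETSERVICES[service]
            svc_ok = proto == svc_proto and dport in ports
        if svc_ok and _addr_in(rule_src, src) and _addr_in(rule_dst, dst):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Madani's BLOCK-EXTERNAL as posted: deny by service, never by the switch's own IP.
BLOCK_EXTERNAL = parse_acl("""ip access-list stateless BLOCK-EXTERNAL
  any any svc-dhcp  permit
  host 54.225.97.119 any svc-ssh permit
  any any svc-ssh  deny
  any any svc-ftp  deny
  any any svc-snmp  deny
  any any svc-ntp  deny
  any any any  permit""")
# Tim's management ACL: the second line is the explicit return-direction entry.
MGMT_ACL = parse_acl("""ip access-list stateless MANAGEMENT-SSH-ACL-STATELESS-B
  alias NET-MGT-IP-B   alias SWITCH-IPS-B any  permit
  alias SWITCH-IPS-B   alias NET-MGT-IP-B any  permit
  alias DHCP-SERVERS-DEST-B   alias SWITCH-IPS-B svc-dhcp  permit
  any   alias SWITCH-IPS-B any  deny
  any any any  permit""")
# Constructed: the "only SSH and IKE in, deny the rest" ACL Chris first tried.
STRICT_UPLINK = parse_acl("""ip access-list stateless STRICT-UPLINK
  any any svc-ssh permit
  any any svc-ike permit
  any any any deny""")
SWITCH_PUBLIC = "203.0.113.10"  # constructed: whatever the ISP's DHCP handed out

def uplink_results(acl):
    """Run the same constructed inbound packets through an uplink ACL."""
    return {
        "ssh_from_headend": evaluate(acl, "54.225.97.119", SWITCH_PUBLIC, "tcp", 22),
        "ssh_from_internet": evaluate(acl, "198.51.100.7", SWITCH_PUBLIC, "tcp", 22),
        "snmp_from_internet": evaluate(acl, "198.51.100.7", SWITCH_PUBLIC, "udp", 161),
        "dhcp_offer": evaluate(acl, "192.0.2.1", "255.255.255.255", "udp", 68),
        # Reply half of a client's NATed HTTPS session: high ephemeral destination port.
        "nat_return": evaluate(acl, "93.184.216.34", SWITCH_PUBLIC, "tcp", 51234),
    }

def mgmt_results():
    return {
        "mgmt_to_switch": evaluate(MGMT_ACL, "10.10.10.5", "10.20.0.1", "tcp", 22),
        "switch_to_mgmt": evaluate(MGMT_ACL, "10.20.0.1", "10.10.10.5", "tcp", 51234),
        "internet_to_switch": evaluate(MGMT_ACL, "198.51.100.7", "10.20.0.1", "tcp", 22),
        "transit": evaluate(MGMT_ACL, "198.51.100.7", "10.20.0.9", "tcp", 443),
    }
```

The nat_return and dhcp_offer cases are the ones behind the original question: a stateless uplink ACL that ends in deny drops the reply half of the clients' NATed sessions, and the DHCP offer to the switch itself, before the session engine ever sees them. That is why BLOCK-EXTERNAL denies only named inbound services and then permits everything else down to the software path, so the switch's own (unknown) address never has to appear in a rule, and why Tim's management ACL carries an explicit SWITCH-IPS-B to NET-MGT-IP-B entry for the return direction.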

Re: ACLs on Mobility Access Switches (MAS)

Thank you madjali! That worked out just the way I wanted to. :)

 

Another question I have is if it's possible to port forward services from the dynamic external IP to a server on the inside. Say for example they use an FTP server that registers with DynDNS and they would like to port forward FTP ports to that server from the external interface. Is this possible?

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP CWAP
Aruba

Re: ACLs on Mobility Access Switches (MAS)

Chris,

That is not possible today since we need session ACL support to handle the destination NAT. We are working on providing that solution in a forthcoming software release. I would recommend reaching out to your Aruba Partner or Aruba SE and we can provide more details on the roadmap and future capabilities we have planned.

 

Best regards,

 

Madani

Re: ACLs on Mobility Access Switches (MAS)

Thank you for your quick answer! Have a nice day :)

 

Chris

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP CWAP