How to Allow or Block Management of the Aruba Controller only from Specific Subnets

This Knowledgebase Article tells you how to allow management traffic to the controller ONLY from specific subnets.

 

For now there is no dedicated feature for defining which subnets or IP addresses may manage the Aruba Controller. The session ACL method below accomplishes the same thing.

 

HINT:  Before doing this, obtain a console cable for your Aruba Controller, in case you make a mistake and lock yourself out of the management interface over IP. If you are applying the ACL over SSH or the WebUI, make sure the address you are connecting from is inside one of the subnets you are about to permit.

 

Procedure:

 

1.  Create an "alias" (netdestination) that defines the subnets you want to allow management traffic from.

2.  Write rules permitting TCP 4343 (the WebUI) and SSH traffic from those subnets to the controller's IP address.

3.  Write rules denying TCP 4343 and SSH traffic to the controller's IP address from anywhere else.

4.  Add an allow-all rule at the end of the ACL. Session ACLs end with an implicit deny, so without it all other traffic entering that port would be dropped.

5.  Apply the ACL to the controller's uplink interface.

 

In the example below, we allow management traffic from 192.168.1.0 255.255.255.0 to the controller's IP address 192.168.1.3 and drop it from everywhere else. If you later want to expand where management traffic is allowed from, just edit the alias/netdestination "management-subnet"; the ACL rules do not need to change. Note that the ACL is evaluated on traffic entering the controller through the port it is applied to, so management attempts that reach the controller through another interface (for example from wireless clients, whose traffic is governed by their user role) are not affected by it.

 

 

config t
netdestination management-subnet
network 192.168.1.0 255.255.255.0
!
ip access-list session "Controller-Access"
alias "management-subnet" host 192.168.1.3 tcp 4343 4343 permit queue low
any host 192.168.1.3 tcp 4343 4343 deny queue low
alias "management-subnet" host 192.168.1.3 "svc-ssh" permit queue low
any host 192.168.1.3 "svc-ssh" deny queue low
any any any permit queue low
!
interface gigabitethernet 1/0
ip access-group "Controller-Access" session

 

You can type "show acl hits" to see how many times each rule in "Controller-Access" has matched; a rising count on the deny rules shows management attempts being blocked from outside the allowed subnet.
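The following script is an added example, not part of the original article or of ArubaOS. It builds the netdestination and ACL above from a list of CIDR subnets and refuses to emit the configuration unless the workstation you are configuring from is inside one of them, which is the lockout the console-cable hint warns about. It generalises the page's single subnet to several, and supports /32 entries as "host" lines; the NOC range 10.10.50.0/26 and the admin address 192.168.1.25 are constructed sample values.

```python
"""Generate an ArubaOS session ACL restricting controller management
(TCP 4343 WebUI and SSH) to given subnets, with a lockout check.
Added example, not ArubaOS code; the generated text mirrors the
article's configuration and is meant to be pasted into 'config t'."""
import ipaddress
import sys
from typing import Iterable, List

# The two management services the article restricts. "svc-ssh" is a
# predefined ArubaOS netservice alias for TCP 22.
MGMT_SERVICES = ("tcp 4343 4343", '"svc-ssh"')


def build_netdestination(name: str, subnets: Iterable[str]) -> List[str]:
    """One 'network <addr> <mask>' (or 'host <addr>' for a /32) per subnet.
    strict=True rejects e.g. 192.168.1.5/24, a typo that would silently
    permit a different range than intended."""
    lines = [f"netdestination {name}"]
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if isinstance(net, ipaddress.IPv6Network):
            raise ValueError(f"{cidr}: this template covers IPv4 only")
        if net.prefixlen == 32:
            lines.append(f"host {net.network_address}")
        else:
            lines.append(f"network {net.network_address} {net.netmask}")
    lines.append("!")
    return lines


def build_acl(acl_name: str, dest_name: str, controller_ip: str) -> List[str]:
    """Permit each management service from the alias, deny it from anyone
    else, then permit everything else because session ACLs end in an
    implicit deny and this ACL sits on the uplink port."""
    ctl = ipaddress.ip_address(controller_ip)
    lines = [f'ip access-list session "{acl_name}"']
    for svc in MGMT_SERVICES:
        lines.append(f'alias "{dest_name}" host {ctl} {svc} permit queue low')
        lines.append(f"any host {ctl} {svc} deny queue low")
    lines.append("any any any permit queue low")
    lines.append("!")
    return lines


def admin_is_covered(admin_ip: str, subnets: Iterable[str]) -> bool:
    """True if the address you are configuring from is inside an allowed
    subnet. Only apply the ACL over the network when this is True."""
    ip = ipaddress.ip_address(admin_ip)
    return any(ip in ipaddress.ip_network(c, strict=True) for c in subnets)


def render_config(acl_name: str, dest_name: str, controller_ip: str,
                  subnets: Iterable[str], uplink: str) -> str:
    """Full paste-able configuration, in the same order as the article."""
    subnets = list(subnets)
    lines = ["config t"]
    lines += build_netdestination(dest_name, subnets)
    lines += build_acl(acl_name, dest_name, controller_ip)
    lines += [f"interface {uplink}", f'ip access-group "{acl_name}" session', "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the article's subnet plus a hypothetical NOC range.
    allowed = ["192.168.1.0/24", "10.10.50.0/26"]
    admin = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.25"
    if not admin_is_covered(admin, allowed):
        sys.exit(f"refusing: {admin} is outside the allowed subnets; "
                 "applying this ACL from there would lock you out")
    print(render_config("Controller-Access", "management-subnet",
                        "192.168.1.3", allowed, "gigabitethernet 1/0"))
```

Run it with your workstation address as the argument (`python acl_gen.py 192.168.1.25`) and paste the output into the controller CLI. Because the permit rule for each service precedes its deny rule and the allow-all comes last, rule order in the generated ACL matches the article exactly.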

 

If you get locked out of the controller's management interface, plug your console cable in and remove the ACL from the uplink port:

 

config t

interface gigabitethernet 1/0
no ip access-group "Controller-Access" session

 

You can always see what traffic is being allowed or denied to the controller address by typing:

 

show datapath session table <ip address of controller>


Last update: 02-23-2012 03:43 AM
Comments

If you try this on a VLAN interface, you get "Invalid Access List Usage".

What's the method for a VLAN interface? It's not always appropriate to do this for a physical interface.
