Restricted Management Access on Instant 4.0

Aruba Employee

Advantages of the Restricted Management Access feature on Instant 4.0 

  1. Ability to restrict management access (SSH, Telnet and Web UI) to selected subnets or hosts.
  2. When configured, management access is only allowed from configured subnets/hosts and denied from all other subnets/hosts.
  3. When no subnet/host is configured, access is allowed from all IPs/subnets – same as existing behavior.
  4. Does not affect management access from directly connected clients (wired or wireless clients on master IAP).

How the feature works:-
The feature works by blocking management access to all AP-owned IPs using the uplink ACL (ACL 106).
On the master AP, ports 22, 23 and 4343 are denied to the following IPs from all subnets except the ones explicitly allowed.
  • Physical interface IP
  • Virtual Controller IP
  • Magic VLAN gateway IP
  • L3/NAT mode gateway IP
  • VPN Tunnel IP
On slave APs, ports 22, 23 and 4343 are denied to the slave AP's physical IP.
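
The decision logic described above, modelled in Python as an added example (not Aruba's code and not part of the original article). The addresses are constructed documentation-range values and the function names are hypothetical; the exemption for directly connected clients is not modelled.

```python
import ipaddress

MGMT_PORTS = {22, 23, 4343}  # SSH, Telnet and Web UI ports named in the article


def parse_subnets(pairs):
    """Convert (subnet IP, subnet mask) pairs, as listed by 'show summary'."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in pairs]


def blocked_by_restriction(src, dst, dport, allowed, ap_owned):
    """True if this feature would deny a packet arriving on the uplink."""
    if dport not in MGMT_PORTS:
        return False  # only management ports are affected
    if ipaddress.ip_address(dst) not in ap_owned:
        return False  # only AP-owned IPs are protected
    if not allowed:
        return False  # no subnet/host configured: access allowed from anywhere
    source = ipaddress.ip_address(src)
    return not any(source in net for net in allowed)


def locked_out(stations, allowed):
    """Admin stations that would lose access; check before 'commit apply'."""
    if not allowed:
        return []
    return [s for s in stations
            if not any(ipaddress.ip_address(s) in net for net in allowed)]


# Constructed sample values (documentation address ranges), not from the article.
AP_OWNED = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
ALLOWED = parse_subnets([("198.51.100.0", "255.255.255.0"),
                         ("203.0.113.7", "255.255.255.255")])
ADMIN_STATIONS = ["198.51.100.25", "203.0.113.7", "203.0.113.8"]

if __name__ == "__main__":
    for src in ADMIN_STATIONS:
        denied = blocked_by_restriction(src, "192.0.2.11", 4343, ALLOWED, AP_OWNED)
        print(f"{src} -> 192.0.2.11:4343 {'deny' if denied else 'permit'}")
    print("would be locked out:", locked_out(ADMIN_STATIONS, ALLOWED))
```

Running the lockout check against the list of management stations before committing shows which of them fall outside the configured subnets.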

WEBUI configuration:-






CLI configuration:-

Configuration CLI: restricted-mgmt-access
Show CLI: “show summary” includes information about the configured restricted management subnets.
6c:f3:7f:c3:67:4a (config) # restricted-mgmt-access
6c:f3:7f:c3:67:4a (config) # end
6c:f3:7f:c3:67:4a# commit apply
committing configuration...
configuration committed.
6c:f3:7f:c3:67:4a# show summary | begin "Restricted Management Access"
Restricted Management Access Subnets
Subnet IP Address  Subnet Mask
-----------------  ----------- 

ACL hits for example



Debug packet dump to troubleshoot


Version history
Revision #:
1 of 1
Last update:
‎06-27-2014 03:02 PM