Restricted Management Access on Instant 4.0

Aruba Employee

Advantages of the Restricted Management Access feature on Instant 4.0 

  1. Ability to restrict management access (SSH, Telnet and Web UI) from selected subnets or hosts.
  2. When configured, management access is only allowed from configured subnets/hosts and denied from all other subnets/hosts.
  3. When no subnet/host is configured, access is allowed from all IPs/subnets – same as existing behavior.
  4. Does not affect management access from directly connected clients (wired or wireless clients on master IAP).

How the feature works:-
The feature works by blocking management access to all AP-owned IPs using the uplink ACL (ACL 106).
On the master AP, ports 22, 23 and 4343 are denied to the following IPs from all subnets except the ones explicitly allowed.
  • Physical interface IP
  • Virtual Controller IP
  • Magic VLAN gateway IP
  • L3/NAT mode gateway IP
  • VPN Tunnel IP
On slave APs, ports 22, 23 and 4343 are denied to the slave AP's physical IP.
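
A small model of the rule described above, for checking a planned allowlist against your management stations before committing it. This is an added example, not Aruba code: the function names, the via_uplink flag and every address in it are assumptions constructed for illustration.

```python
import ipaddress

MGMT_PORTS = (22, 23, 4343)  # SSH, Telnet and Web UI ports named on this page

def parse_allowed(entries):
    """Turn (subnet_ip, subnet_mask) pairs into network objects."""
    return [ipaddress.ip_network(f"{ip}/{mask}") for ip, mask in entries]

def blocked(src, dst, port, ap_ips, allowed, via_uplink=True):
    """True if the feature, as described above, would deny the connection."""
    if not via_uplink:           # directly connected clients are unaffected
        return False
    if port not in MGMT_PORTS:   # only the management ports are restricted
        return False
    if dst not in ap_ips:        # only AP-owned IPs are protected
        return False
    if not allowed:              # nothing configured: access from all IPs
        return False
    src_ip = ipaddress.ip_address(src)
    return not any(src_ip in net for net in allowed)

def locked_out(stations, ap_ips, allowed):
    """Management stations that would lose access to some AP-owned IP."""
    return [s for s in stations
            if any(blocked(s, ip, p, ap_ips, allowed)
                   for ip in ap_ips for p in MGMT_PORTS)]

# Constructed sample data (not from the page).
AP_IPS = {"10.0.0.10", "10.0.0.5"}   # physical IP, Virtual Controller IP
ALLOWED = parse_allowed([("10.1.1.0", "255.255.255.0"),
                         ("10.2.2.7", "255.255.255.255")])
STATIONS = ["10.1.1.20", "10.2.2.7", "10.3.3.3"]

if __name__ == "__main__":
    print("locked out:", locked_out(STATIONS, AP_IPS, ALLOWED))
```

Any station the check reports would need its subnet or host added to the allowlist before the change is committed, unless it reaches the AP as a directly connected client.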

WEBUI configuration:-






CLI configuration:-

Configuration CLI --> restricted-mgmt-access 
Show CLI > “show summary” includes information about configured restricted management subnets
6c:f3:7f:c3:67:4a (config) # restricted-mgmt-access
6c:f3:7f:c3:67:4a (config) # end
6c:f3:7f:c3:67:4a# commit apply
committing configuration...
configuration committed.
6c:f3:7f:c3:67:4a# show summary | begin "Restricted Management Access"
Restricted Management Access Subnets
Subnet IP Address  Subnet Mask
-----------------  ----------- 

ACL hits for example



Debug packet dump to troubleshoot


Version history
Revision #:
1 of 1
Last update:
06-27-2014 03:02 PM