MVP
Posts: 1,111
Registered: 10-11-2011

Limit SNMP & SSH Access

Is there a way to limit SNMP & SSH access via ACL or other method?  Ex: limit SNMP reads from NPM server or SSH access only from management subnet.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba
Posts: 760
Registered: 05-31-2007

Re: Limit SNMP & SSH Access

Hey CompNerd... Sure, you can do this via an ACL policy. There are different ways to do this.


Are you thinking of WLAN users trying to access things they shouldn't? That's the use case I typically see / get asked to protect against.


Here is an example to block SSH and SNMP from the Guest network. This methodology, which you can always employ (regardless of AOS version, i.e. the most versatile), is shown below.

 

You can restrict access for any user role by creating a 'net-destination' and loading in the 'sensitive' interfaces that you don't want users (of any particular flavor) to access.



Example to limit GUEST users from using SSH and SNMP to interfaces 10.10.10.2 and 10.10.20.2:

!
netdestination CONTROLLER-INTERFACES
  host 10.10.10.2
  host 10.10.20.2
!
ip access-list session CONTROLLER-INTERFACES
  user alias CONTROLLER-INTERFACES tcp 22 deny
  user alias CONTROLLER-INTERFACES udp 161 deny
!
user-role GUEST
  access-list session CONTROLLER-INTERFACES position 1
!


Alternatively, you can also block on a port-by-port basis instead of by role... let me know if you want an example of that approach.


JF

MVP
Posts: 1,111
Registered: 10-11-2011

Re: Limit SNMP & SSH Access

JF,

 

Thanks for the suggestion. However, role-based access wouldn't stop the majority of our users, who are on non-Aruba switches, from connecting to the MAS. With role-based access I could keep anyone directly connected to the switch from hitting SSH/SNMP, but it wouldn't work for upstream users.

 

Strictly talking about blocking upstream users, I think my only option is to create an ACL and apply it to the uplink port(s) connecting the MAS to the core. The MAS I'm deploying has only one SVI, for management purposes. Earlier, I thought I could just add an ACL to the SVI to limit access, but it doesn't appear that that's possible.

 

So is adding an ACL to the uplinks the only way I can block remote IPs from connecting to SSH/SNMP?

Aruba
Posts: 429
Registered: 05-30-2012

Re: Limit SNMP & SSH Access

Thecompnerd,

We currently only support ACLs on user-roles and physical interfaces (PACLs). So yes, adding an ACL to the uplinks is currently the only way to block remote IPs from connecting to SSH/SNMP.

 

Best regards,

 

Madani

Guru Elite
Posts: 8,643
Registered: 09-08-2010

Re: Limit SNMP & SSH Access

That is what we do. We put an ACL on the two port-channels to the distribution layer, allowing access only from our management IP space.

[Attached screenshots, not reproduced here: port-channel-acl1.PNG, switchmgmtacls.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
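A PACL of the kind Tim describes, written out here as an added example; it is not the configuration from his screenshots and not code from the original thread. It assumes ArubaOS stateless-ACL syntax on the MAS (verify the exact keywords with `?` on your release), a management subnet of 10.1.100.0/24 where the NPM/jump hosts live, a single management SVI at 10.10.10.2, and an uplink of port-channel 1; every one of those addresses and names is a placeholder.

```arubaos
!
! Placeholders (assumed for this example, not from the thread):
!   10.1.100.0/24  management subnet (NPM server, jump hosts)
!   10.10.10.2     the MAS management SVI
!   port-channel 1 uplink to the core/distribution layer
!
ip access-list stateless PROTECT-MGMT
  ! Management hosts may poll SNMP and open SSH to the SVI.
  ! These permits must sit above the denies: the ACL is first-match.
  network 10.1.100.0 255.255.255.0 host 10.10.10.2 udp 161 permit
  network 10.1.100.0 255.255.255.0 host 10.10.10.2 tcp 22 permit
  ! Any other upstream source is refused SSH and SNMP to the SVI.
  any host 10.10.10.2 tcp 22 deny
  any host 10.10.10.2 udp 161 deny
  ! Transit traffic through the uplink is left alone.
  any any any permit
!
interface port-channel 1
  ip access-group in PROTECT-MGMT
!
```

Apply it to every uplink port-channel (Tim mentions two), and keep a console session open while you do: an ACL with the permit lines below the denies, or with the wrong management subnet, locks you out of SSH on the first match. To check it, `ssh` to 10.10.10.2 and `snmpget` it from a host outside 10.1.100.0/24: both should fail to connect, while the same commands from the NPM server succeed. Note what the PACL does not cover: it filters only traffic arriving over the uplink, so a host plugged into one of the MAS's own access ports reaches the SVI unfiltered. That is the gap the role-based session ACL earlier in the thread closes, so for a switch with both upstream and directly connected users the two are used together.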
MVP
Posts: 1,111
Registered: 10-11-2011

Re: Limit SNMP & SSH Access

Thanks for the confirmation and example.  I will move forward with creating an ACL and applying it to our uplink port channel.

Aruba
Posts: 760
Registered: 05-31-2007

Re: Limit SNMP & SSH Access

Good stuff.

PACL was going to be my next example... go to it ;-)

Good luck.

JF
