Contributor I
Posts: 37
Registered: ‎06-17-2011

Management Interface ACL


Hi,

 

I would like to have a management interface ACL feature as before. Does anybody have an idea about that? Is there a possibility of it being implemented in the near future?

 

Like HP:

   ip authorized-managers 10.0.0.1 access manager

 

or lots of other vendors.

 

Thanks in advance.

 

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Management Interface ACL

You could apply an ip access-group to the interface going to your uplink switch, allowing only the IP segment you want to allow to access the controller.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 37
Registered: ‎06-17-2011

Re: Management Interface ACL

Yes. This method is also recommended elsewhere, but it has some difficulties. It is more reasonable to add just a one-line solution. Even *nix has this feature, hosts.allow/deny. Why does Aruba not have it?

 

 

Best regards.

 

Husnu Demir.

Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Management Interface ACL

Can you please provide a sample configuration for the same?
Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Contributor I
Posts: 37
Registered: ‎06-17-2011

Re: Management Interface ACL

Here is the tip from Aruba.

 

http://community.arubanetworks.com/t5/Community-Knowledge-Base/How-to-Allow-or-Block-Management-of-the-Aruba-Controller-only/ta-p/27494

 

Nevertheless, Aruba engineers did not respond to this request for a long time.

 

hdemir.

 

Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Management Interface ACL

Thanks
Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Occasional Contributor II
Posts: 14
Registered: ‎12-23-2011

Re: Management Interface ACL


We are currently using such an ACL.

However, it creates difficulties and problems.

Any time a new interface is added to the controller, it should be added to the ACL also.

Furthermore, adding the ACL to the uplink port is not enough. It should be added to all active interfaces and roles, such as wireless or VPN roles.

Last but not least, an important problem is the requirement for a firewall licence. Such an ACL is only possible if the controller has a firewall licence. It is not a good idea to need a firewall licence just to protect the device itself, in situations where a firewall for the users is not required.

 

 

 

Contributor I
Posts: 37
Registered: ‎06-17-2011

Re: Management Interface ACL

Yes, I forgot to mention the firewall licence. If you need to protect the controller, which is a MUST, you should buy the firewall licence even if you do not need any firewall for users.

 

hdemir.

 
