Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

ip authorized-managers on the CX

This thread has been viewed 155 times

  • 1.  ip authorized-managers on the CX

    Posted Oct 24, 2019 12:26 PM

    is there an equivalent command to the Switch ip authorized-managers to secure the mgmt interface on the OS-CX,

     

    We are using the Loopback for mgmt as well and routing, so would need IP connectivity, but not SSH, HTTPS etc etc.

     

     

     



  • 2.  RE: ip authorized-managers on the CX
    Best Answer

    EMPLOYEE
    Posted Oct 24, 2019 12:59 PM

    Yes, this is ACL applied to the control-plane:

    Create your ACL using permit/deny (be specific so you can have a permit any any any at the end) and apply the ACL to the control-plane in the proper VRF.

    Example:

    apply access-list ip ACL-name control-plane vrf mgmt



  • 3.  RE: ip authorized-managers on the CX

    Posted Aug 02, 2020 11:08 AM

    Hi,

     

    I have the same problem

    I want to allow specific addresses to access SNMP (ro+rw) & SSH

    like the commands in aruba-os - 2930f for example:

    ip authorized-managers 192.168.1.10 access-method ssh

    ip authorized-managers 192.168.2.10 access-method access operator

    ip authorized-managers 192.168.2.11 access-method access manager

    I use only one VRF (the default)

     

    How can i do it?

     

     



  • 4.  RE: ip authorized-managers on the CX

    EMPLOYEE
    Posted Oct 26, 2020 05:06 PM

    Control plane acl may be used in default vrf, this link will help you

    https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/Restrict-Management-Access-Aruba-OS-CX/ta-p/674390



  • 5.  RE: ip authorized-managers on the CX

    Posted Oct 29, 2020 06:04 PM
    Here is the ACL I'm using for this:

    access-list ip AUTHORIZED-MANAGERS
    10 comment JUMP STATION
    10 permit any 192.168.1.10 any
    20 comment IT MANAGER
    20 permit any 192.168.1.11 any
    30 comment NETWORK ADMIN
    30 permit any 192.168.1.12 any
    40 comment AIRWAVE SERVER
    40 permit any 192.168.1.13 any

    Apply it to the control plane with these commands:

    apply access-list ip AUTHORIZED-MANAGERS control-plane vrf default
    apply access-list ip AUTHORIZED-MANAGERS control-plane vrf mgmt

    ------------------------------
    Timothy Leadbetter
    ------------------------------

    Original Message


  • 6.  RE: ip authorized-managers on the CX

    Posted Mar 06, 2021 05:16 AM
    Few observations and questions:

    The "apply access-list ip AUTHORIZED-MANAGERS control-plane vrf default" command is not visible in the running config. It is working but it is not there. Am I missing something?  

    If I have "deny any any any" (Implicit deny) on the bottom of the ACL, does it block any system traffic too or it just allows/deny access to USER protocol like SSH/SNMP etc

    Can I apply more than 1 ACL for this purpose e.g. one ACL for SNMP and another for SSH to keep things more structured and separated?

    ------------------------------
    Manjeet Chawla
    ------------------------------

    Original Message


  • 7.  RE: ip authorized-managers on the CX

    EMPLOYEE
    Posted Mar 08, 2021 04:18 AM
    I've just re-tested it, the apply access-list command appears in the running configuration.
    Could you please check again (may be by using: "show run | inc apply") ?

    This ACL will be process for any packet hittting the CPU on the given VRF.
    So it will block or permit (depending on the ACL entries) the traffic to the management & control plane of the switch.
    (routing protocols should be permitted in ACL for instance, unless the control-plane ACL is used in a VRF where static routing is enough).
    You can use only one ACL, and multiple ACL entries should allow you to construct your enforcement.

    ------------------------------
    Vincent Giles
    ------------------------------

    Original Message


  • 8.  RE: ip authorized-managers on the CX

    Posted Mar 08, 2022 09:31 AM

    @Jorge Calvi unforutnatly I´m not allowed to view that blog post :(

    I´ don`t know what`s the cause of the issue... maybe there`s another option you can provide that information you´ve linked to?​


    Original Message


  • 9.  RE: ip authorized-managers on the CX

    Posted Apr 29, 2021 01:35 AM
    This can be a dangerous solution as it will be applied to all control-plane traffic passing the VRF. We have an in-band management in default VRF and this affected our DHCP requests re-transmissions. Even TAC support warned us that you should apply control-plane ACL only if you now completely what type of traffic is passing the switch and how it does that.

    ------------------------------
    Igor Aliyev
    ------------------------------

    Original Message


  • 10.  RE: ip authorized-managers on the CX

    EMPLOYEE
    Posted Apr 30, 2021 05:44 AM
    If you consider the implicit deny any any any at the end, this can be prevent traffic that you want to allow.
    However, a conservative and safe approach is to be very specific on what to deny, and make sure there is a explicit permit any any any at the end.
    Please note that in 10.7, AOS_CX provides now ACL capability for SNMP.

    ------------------------------
    Vincent Giles
    ------------------------------

    Original Message


  • 11.  RE: ip authorized-managers on the CX

    Posted Jul 28, 2022 02:15 AM
    I was able to create the following ACL to restrict access to the management of the switch.

    access-list ip AUTHORIZED-MANAGERS
    10 comment IT DIRECTOR
    10 permit any {IP ADDRESS} any
    20 comment IT SYSTEMS ADMIN
    20 permit any {IP ADDRESS} any
    30 permit any {IP ADDRESS} any
    40 permit any {IP ADDRESS} any
    50 permit any {IP ADDRESS} any
    60 permit any {IP ADDRESS} any
    70 deny any any {MANAGEMENT IP ADDRESS OF THE SWITCH}
    80 permit any any any
    Original Message