Wired Intelligent Edge

Howto: Restrict Control Protocols to Trusted Hosts only in CX

  • 1.  Howto: Restrict Control Protocols to Trusted Hosts only in CX

    Posted Sep 07, 2020 05:48 AM

    Question
    How do you restrict ssh to only trusted hosts in CX?
    Like "ip authorized-managers" in AOS-S/ProCurve, or "ip access-class" in Cisco.

     

    Answer
    Use Control Plane ACLs.

     

    These have been available in CX since 10.2, and allow both IP and IPv6 hosts and networks to access the control plane.


    You can find the relevant manual for your switch with this search:

    ACLs and Classifier Policies Guide 

     

    Create the Access Control List (ACL)

    This is broken into 3 sections:

    • permit specific items (host or subnets) for designated port types
    • block those specific port types for everything else
    • override the implicit deny with an explicit allow (this is the catch-all to prevent inadvertently blocking important protocols or elements, like dhcp-relay)

    access-list ip authorized-managers
        10 permit tcp 172.20.100.0/255.255.255.0 any eq 22
        10 comment Allows BV-main access to switch
        11 permit tcp 172.20.100.0/255.255.255.0 any eq 443
        12 permit udp 172.20.100.0/255.255.255.0 any eq 161 count
        20 permit tcp 172.25.100.0/255.255.255.0 any eq 22
        20 comment Allows WGA-main access to switch
        21 permit tcp 172.25.100.0/255.255.255.0 any eq 443
        30 permit tcp 172.20.27.0/255.255.255.0 any eq 22
        30 comment Allows BVsubnet27 access to switch
        31 permit tcp 172.20.27.0/255.255.255.0 any eq 443
        100 deny tcp any any eq 22 count
        100 comment block key management protocols from any other subnet
        101 deny tcp any any eq 443 count
        102 deny udp any any eq 161 count
        103 deny tcp any any eq 80 count
        200 permit any any any count
        200 comment allow everything else

     

    Apply the ACL

    apply access-list ip authorized-managers control-plane vrf default

     

    Counters
    Counters help to identify what rules are permitting or denying traffic; they are enabled per rule (ACE).

    [image: CPACL counts.png]

     

    I was able to successfully block access from SSH, HTTP/HTTPS (and later SNMP, although that is not shown in the count here).

     

    Note the 1718 hits for other things. That will include NTP. I also had issues with DHCP-relay before I reorganised it as described.

     

    If you don't include the "count" parameter in an access-list, nothing will be displayed:

    [image: CPACL count not enabled.png]

     


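As an added example (not from the post, the switch, or Aruba), the Python below simulates first-match evaluation of the authorized-managers ACL above against a few constructed control-plane packets, keeps per-ACE hit counters, and renders them the way the hitcounts view does (a dash for ACEs configured without "count"). It also re-runs the same packets with ACE 200 removed to show why the explicit catch-all matters: NTP and DHCP then fall to the implicit deny. The sample packets and the matcher's scope (protocol, source address and destination port only) are assumptions made for the illustration.

```python
"""Added example (not switch code): simulate first-match evaluation of the
control-plane ACL from the post and keep hit counters the way
`show access-list hitcounts control-plane` reports them.
Sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL exactly as posted; "comment" lines carry no match logic.
ACL_TEXT = """\
access-list ip authorized-managers
    10 permit tcp 172.20.100.0/255.255.255.0 any eq 22
    10 comment Allows BV-main access to switch
    11 permit tcp 172.20.100.0/255.255.255.0 any eq 443
    12 permit udp 172.20.100.0/255.255.255.0 any eq 161 count
    20 permit tcp 172.25.100.0/255.255.255.0 any eq 22
    20 comment Allows WGA-main access to switch
    21 permit tcp 172.25.100.0/255.255.255.0 any eq 443
    30 permit tcp 172.20.27.0/255.255.255.0 any eq 22
    30 comment Allows BVsubnet27 access to switch
    31 permit tcp 172.20.27.0/255.255.255.0 any eq 443
    100 deny tcp any any eq 22 count
    100 comment block key management protocols from any other subnet
    101 deny tcp any any eq 443 count
    102 deny udp any any eq 161 count
    103 deny tcp any any eq 80 count
    200 permit any any any count
    200 comment allow everything else
"""


@dataclass
class Ace:
    seq: int
    action: str                            # "permit" or "deny"
    proto: str                             # "tcp", "udp" or "any"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dport: Optional[int]                   # None when there is no "eq <port>" clause
    count: bool                            # only counted ACEs show a number
    hits: int = 0


def parse_acl(text):
    """Turn the CLI text into Ace objects sorted by sequence number."""
    aces = []
    for line in text.strip().splitlines()[1:]:      # skip the access-list header
        parts = line.split()
        seq, action = int(parts[0]), parts[1]
        if action == "comment":
            continue
        proto, src = parts[2], parts[3]
        rest = parts[5:]                              # tokens after the destination
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        net = None if src == "any" else ipaddress.ip_network(src, strict=False)
        aces.append(Ace(seq, action, proto, net, dport, "count" in rest))
    return sorted(aces, key=lambda a: a.seq)


def first_match(aces, proto, src, dport):
    """Evaluate one packet; first matching ACE wins.
    Returns (action, seq); seq is None when the implicit deny applied."""
    for ace in aces:
        if ace.proto not in ("any", proto):
            continue
        if ace.src is not None and ipaddress.ip_address(src) not in ace.src:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.count:
            ace.hits += 1
        return ace.action, ace.seq
    return "deny", None


def hitcounts(aces):
    """Render counters like the switch: '-' for ACEs configured without 'count'."""
    return "\n".join(f"{(str(a.hits) if a.count else '-'):>8}  {a.seq} {a.action} {a.proto}"
                     for a in aces)


# Constructed sample control-plane traffic: (protocol, source, destination port).
SAMPLE = [
    ("tcp", "172.20.100.5", 22),   # SSH from BV-main: permitted by ACE 10
    ("tcp", "10.9.9.9", 22),       # SSH from elsewhere: stopped by ACE 100
    ("udp", "10.9.9.9", 161),      # SNMP from elsewhere: stopped by ACE 102
    ("tcp", "172.25.100.3", 80),   # HTTP has no permit at all, so ACE 103 even for a trusted subnet
    ("udp", "172.20.27.7", 123),   # NTP is not a restricted port: falls through to ACE 200
    ("udp", "10.0.0.1", 67),       # DHCP relay also relies on ACE 200
]


def run(acl_text=ACL_TEXT, packets=SAMPLE):
    """Return (aces, {packet: (action, seq)}) for every sample packet."""
    aces = parse_acl(acl_text)
    return aces, {p: first_match(aces, *p) for p in packets}


def without_catchall():
    """Same packets with ACE 200 left out: NTP and DHCP now hit the implicit deny."""
    text = "\n".join(l for l in ACL_TEXT.splitlines() if not l.strip().startswith("200"))
    return run(text)[1]


if __name__ == "__main__":
    aces, results = run()
    for pkt, (action, seq) in results.items():
        print(f"{pkt}: {action} by ACE {seq}")
    print(hitcounts(aces))
    print("without ACE 200, NTP ->", without_catchall()[("udp", "172.20.27.7", 123)])
```

Two things the simulation makes visible that the ACL listing alone does not: HTTP (port 80) is denied for every source, including the trusted subnets, because no permit for 80 precedes ACE 103; and any protocol not listed (NTP, DHCP relay, RADIUS, syslog replies) only reaches the switch because of ACE 200, which is why the counter on that line is the one to watch after applying the ACL.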

  • 2.  RE: Howto: Restrict Control Protocols to Trusted Hosts only in CX

    Posted Apr 11, 2022 09:51 AM
    Does this work when using Aruba Central, or might something, "break"?

    ------------------------------
    jcornford@nodeone.co.uk jcornford@nodeone.co.uk
    ------------------------------



  • 3.  RE: Howto: Restrict Control Protocols to Trusted Hosts only in CX

    Posted Apr 20, 2022 08:14 PM
    Doesn't appear to break anything, and console from Central works. I added the config above to the same 6300 which is now in Central.

    bvcore-6300# sh access-list hitcounts control-plane vrf default
    Statistics for ACL authorized-managers (ipv4):
    vrf default (control-plane):
         Matched Packets  Configuration
                       -  10 permit tcp 172.20.100.0/255.255.255.0 any eq ssh
                       -  11 permit tcp 172.20.100.0/255.255.255.0 any eq https
                      43  12 permit udp 172.20.100.185 any eq snmp count
                       -  20 permit tcp 172.25.100.0/255.255.255.0 any eq ssh
                       -  21 permit tcp 172.25.100.0/255.255.255.0 any eq https
                       -  30 permit tcp 172.20.27.0/255.255.255.0 any eq ssh
                       -  31 permit tcp 172.20.27.0/255.255.255.0 any eq https
                       0  100 deny tcp any any eq ssh count
                       0  101 deny tcp any any eq https count
                       0  102 deny udp any any eq snmp count
                       0  103 deny tcp any any eq http count
                    6083  200 permit any any any count
                       0  implicit deny any any any count

    FYI, for AOSS and authorized-managers, I used to add 127.0.0.1 for console access from Central

    ------------------------------
    Richard Litchfield
    Airheads MVP 2020, 2021, 2022
    ------------------------------