Check the AOS-CX Hardening Guide, more specifically the topic Control Plane ACLs. That is more suitable than VLAN or interface ACLs for this purpose.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
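As an added example (not from Herman's post or the Hardening Guide): a control plane ACL that limits SSH to the 172.23.0.1 host from the original question, written from memory of AOS-CX 10.x syntax, so check the exact commands against the CLI reference for your release. The final permit-any entry is the part most often forgotten: a control plane ACL ends in an implicit deny, so without it every other packet addressed to the switch itself (VSX keepalives, routing protocol hellos, NTP, RADIUS replies, ICMP) would be dropped as well.

```text
! Control plane ACL: SSH to the switch only from 172.23.0.1.
! Addresses are the ones given in the original post; VRF assumed to be default
! because the switch SVI sits on VLAN 1 (use the mgmt VRF for the OOBM port).
access-list ip cp-restrict-ssh
    10 permit tcp 172.23.0.1 any eq 22 count
    20 deny tcp any any eq 22 count
    30 permit any any any
!
! Filters traffic destined to the switch CPU; transit traffic is unaffected.
apply access-list ip cp-restrict-ssh control-plane vrf default
```

The `count` keyword on entries 10 and 20 lets you verify with the ACL hit counters that an SSH attempt from 172.23.10.1 lands on entry 20 while 172.23.0.1 lands on entry 10, before relying on the filter.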
Original Message:
Sent: Sep 19, 2022 03:24 PM
From: Karl Witthuhn
Subject: AOS-CX Access-list (Or policy + class) not restricting SSH access
Greetings.
To keep things simple - I'm trying to create an ACL (or class + policy) to keep SSH access towards an Aruba switch limited to a single IP address.
I have 2 hosts: 172.23.0.1 and 172.23.10.1 (network is 172.23.0.0/16)
Everything on VLAN 1.
Aruba switch has a static IP address of 172.23.255.253 on interface VLAN 1. Active-gateway is 172.23.255.254. (Keeping testing to a single member of the VSX pair.)
If I create this class/policy combination:
class ip restrict-ssh
    10 ignore any 172.23.0.1 any count
    20 match tcp any 172.23.255.253 any count
    30 match tcp any 172.23.255.254 any count
!
policy drop-policy
    10 class ip restrict-ssh action drop
!
vlan 1
    apply policy drop-policy in
int vlan 1
    apply policy drop-policy routed-in
!
Showing the hit counters has rule 10 in the class being hit for all traffic - even traffic sourced from the 172.23.10.1 address - what am I doing wrong?
I've also tried making rule 10 this to no avail:
10 ignore tcp 172.23.0.1 eq 22 count
Rules 20/30 never get any hit counters - shouldn't an SSH attempt from 172.23.10.1 -> 172.23.255.253/254 get a hit on lines 20/30?
I'm super confused. I have the same issues with using an access-list instead of class/policy, for what it's worth.
If I want to lock down SSH on an Aruba switch to a single host - what is the best method to go about doing so? Any advice is appreciated. SSH keys are not preferred due to the design of the network in question - the "single host" has the ability to have multiple slots which contain different instances of Linux (each with different SSH keys, and they may be reinstalled often, so the SSH key list could potentially grow indefinitely).