Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

AOS-CX Access-list (Or policy + class) not restricting SSH access

This thread has been viewed 4 times
  • 1.  AOS-CX Access-list (Or policy + class) not restricting SSH access

    Posted Sep 20, 2022 12:52 PM

    Greetings.

    To keep things simple - I'm trying to create an ACL (or class + policy) to keep SSH access towards an Aruba switch limited to a single IP address.

    I have 2 hosts: 172.23.0.1 and 172.23.10.1 (network is 172.23.0.0/16)

    Everything on VLAN 1.

    Aruba switch has a static IP address of 172.23.255.253 on interface VLAN 1. Active-gateway is 172.23.255.254. (Keep testing to a single of the VSX pair).

    If I create this class/policy  combination:

    class ip restrict-ssh
      10 ignore any 172.23.0.1 any count
      20 match tcp any 172.23.255.253 any count
      30 match tcp any 172.23.255.254 any count
    !

    policy drop-policy
      10 class ip restrict-ssh action drop
    !
    vlan 1
      apply policy drop-policy in
    int vlan 1
      apply policy drop-policy routed-in
    !

    Showing the hit counters will have rule 10 in the class for all traffic - even sourced from the 172.23.10.1 address - what am I doing wrong?

    I've also tried making rule 10 this to no avail:

    10 ignore tcp 172.23.0.1 eq 22 count

    Rules 20/30 never get any hit counters - shouldn't an SSH attempt from 172.23.10.1 -> 172.23.255.253/254 get a hit on lines 20/30?

    I'm super confused. I have the same issues with using an access-list instead of class/policy for what its worth.

    If I want to lock down SSH on an aruba switch to a single host - what is the best method to go about doing so? Any advice is appreciated. SSH keys is not preferred due to design of the network in question - the "single host" has the ability to have multiple slots which contain different instances of Linux (each with different SSH keys, and they may be reinstalled often, so the SSH key list could grow indefinitely potentially)




  • 2.  RE: AOS-CX Access-list (Or policy + class) not restricting SSH access

    EMPLOYEE
    Posted Sep 21, 2022 09:07 AM
    Check the AOS-CX Hardening Guide, more specific on the topic Control Plane ACLs. That is more suitable than VLAN or interface ACLs for this purpose.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------