Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

How to deny management access to 620 controller without firewall license?

  • 1.  How to deny management access to 620 controller without firewall license?

    Posted Feb 03, 2015 08:24 AM

    Hello!


    How to deny management access to 620 controller without firewall license?

    I want to allow management access only from a few IP addresses.


    Thank you!



  • 2.  RE: How to deny management access to 620 controller without firewall license?

    Posted Feb 03, 2015 08:26 AM
    Use an extended ACL on the uplink. 


    Thanks, 
    Tim


  • 3.  RE: How to deny management access to 620 controller without firewall license?
    Best Answer

    Posted Feb 03, 2015 10:10 AM

    opali@muk.ua wrote:

    Hello!


    How to deny management access to 620 controller without firewall license?

    I want to allow management access only from a few IP addresses.


    Thank you!


    opali@muk.ua,


    You can use the firewall whitelist under Configuration > Advanced Services > Stateful Firewall > ACL whitelist.  The ACL whitelist is a list of management traffic that is allowed to hit the controller.  The controller is managed using HTTPS on TCP 4343, so if I wanted to block web management traffic from the 192.168.1.0 network, I would click on ADD and do this:

    [Screenshots: acl-deny.png, acl2.png]


    Protocol Number 6 is TCP and of course port 4343 is the web management traffic.  If you click on Done then Apply, it will block web traffic.  YOU SHOULD BE VERY CAREFUL WITH THIS, OR MAKE SURE YOU ARE NEAR THE CONTROLLER WITH A CONSOLE CABLE JUST IN CASE YOU MAKE A MISTAKE THAT WILL LOCK YOU OUT OF THE MANAGEMENT WEB PAGE.


    I locked myself out of the management web page using this example, so I had to SSH into the controller and remove the ACL that I created like this:


    config t
    firewall cp
    no ipv4 deny 192.168.1.0 255.255.255.0 proto 6 ports 4343 4343
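    The original question asked for the opposite of the deny shown above: management reachable only from a few hosts. The session below is an added example, not the poster's configuration; the 10.10.10.5 and 10.10.10.6 addresses are constructed, and the permit-before-deny ordering and the `any` source keyword are assumptions to check against the CLI reference for the ArubaOS version running on the controller before applying it from anywhere other than a console session.

    ```text
    (host) (config) #firewall cp
    ! permit HTTPS (TCP 4343) and SSH (TCP 22) from the two admin hosts first,
    ! so the deny entries that follow never match them
    (host) (config-fw-cp) #ipv4 permit 10.10.10.5 255.255.255.255 proto 6 ports 4343 4343
    (host) (config-fw-cp) #ipv4 permit 10.10.10.5 255.255.255.255 proto 6 ports 22 22
    (host) (config-fw-cp) #ipv4 permit 10.10.10.6 255.255.255.255 proto 6 ports 4343 4343
    (host) (config-fw-cp) #ipv4 permit 10.10.10.6 255.255.255.255 proto 6 ports 22 22
    ! now block the same two ports from every other source
    (host) (config-fw-cp) #ipv4 deny any proto 6 ports 4343 4343
    (host) (config-fw-cp) #ipv4 deny any proto 6 ports 22 22
    (host) (config-fw-cp) #exit
    ! confirm the entries and their order before saving
    (host) (config) #show firewall-cp
    (host) (config) #write memory
    ```

    Test the result from one permitted host and from one non-permitted host over both HTTPS and SSH while a console session is still open, and only then save; if the deny entries end up ahead of the permits, remove them with the `no ipv4 deny ...` form shown in the answer above.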