Wired Intelligent Edge
Aruba 6300 SSH access restriction
  • 1.  Aruba 6300 SSH access restriction

    Posted Nov 29, 2021 11:05 AM
    Hi

    I have an Aruba 6300m switch and I want to restrict SSH access to specific IPs only. I have searched the configuration guide but I couldn't find anything on this.

    Is there any way to restrict SSH access?

    Thanks

    ------------------------------
    Qais Sherfeed
    ------------------------------


  • 2.  RE: Aruba 6300 SSH access restriction

    EMPLOYEE
    Posted Nov 29, 2021 05:04 PM
    Yes, you need to configure a control plane ACL to restrict SSH and HTTPS access to our AOS-CX switches.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Aruba 6300 SSH access restriction

    Posted Nov 30, 2021 05:06 AM
    Thanks, Ariyap
    it's clear

    ------------------------------
    Qais Sherfeed
    ------------------------------



  • 4.  RE: Aruba 6300 SSH access restriction

    EMPLOYEE
    Posted Nov 30, 2021 03:05 AM
    Hi Qais,

    Yes, ariyap is correct - you can use the control plane ACL. I was searching for an example a few days ago and here is a guide for you:

    https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/AOS-CX_10-07_hardening.pdf

    Please refer to page 10, section "Control plane ACLs".

    ------------------------------
    Stanislav Naydenov
    ------------------------------



  • 5.  RE: Aruba 6300 SSH access restriction

    Posted Nov 30, 2021 05:08 AM
    Thanks, Stanislav
    That's what I was looking for.

    thank you

    ------------------------------
    Qais Sherfeed
    ------------------------------



  • 6.  RE: Aruba 6300 SSH access restriction
    Best Answer

    Posted Nov 30, 2021 04:22 AM
    Hi, this is my template for hardening an Aruba CX switch:

    banner motd !
    *******************************************************************************
    *                           RESTRICTED ACCESS                                 *
    *******************************************************************************
    !
    password complexity
        enable
        history-count 5
        minimum-length 10
        position-changes 5
        lowercase-count 2
        uppercase-count 2
        special-char-count 2
        numeric-count 2
    !
    user admin group administrators password plaintext Y0urH@rdP@$$!
    no ip icmp redirect
    no cdp enable
    cli-session
        timeout 15
    ! Disable aruba central if not used :
    aruba-central
        disable
    !
    ! SSH HARDENING - disable weak algorithms :
    ssh server vrf default
    no ssh server vrf mgmt
    ssh ciphers chacha20-poly1305@openssh.com aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com
    ssh host-key-algorithms ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 rsa-sha2-256 rsa-sha2-512
    ssh key-exchange-algorithms curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha256
    ssh macs hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
    !
    ! RESTRICT ACCESS TO SWITCH :
    access-list ip acl-ControlPlane
        comment *** NETEDIT ***
        permit tcp 10.X.X.X any eq 22
        permit tcp 10.X.X.X any eq 443
        permit udp 10.X.X.X any eq 161
        comment *** SSH ADMIN ***
        permit tcp 10.X.X.X/255.255.255.0 any eq 22
        comment *** HTTPS admin ***
        permit tcp 10.X.X.X any eq 443
        comment *** SNMP ***
        permit udp 10.X.X.X/255.255.255.0 any eq 161
        comment *** LOGGING ***
        permit udp any 10.X.X.X eq 514
        comment *** NTP ***                                    
        permit udp any 10.X.X.X eq 123
        comment *** DENY ***
        deny tcp any any eq 22
        deny tcp any any eq 443
        deny tcp any any eq 80
        deny udp any any eq 123
        deny udp any any eq 514
        deny udp any any eq 161
        comment *** PERMIT OTHER ***
        permit any any any log count
    apply access-list ip acl-ControlPlane control-plane vrf default
    !
    ip source-interface all interface vlan1
    !
    https-server rest access-mode read-only
    https-server vrf default
    no https-server vrf mgmt


    ------------------------------
    Laurent from Brest / France
    Network Engineer
    ------------------------------
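    An ACL of this shape is easy to break by ordering: put the `deny tcp any any eq 22` above the admin `permit` and every administrator is locked out of SSH, with no error from the switch. The script below is an added example of mine, not code from the post above or from HPE Aruba: it parses the permit/deny lines of a control-plane ACL written in this syntax, evaluates a packet against it with first-match semantics, and flags entries that an earlier entry fully covers. It assumes first-match evaluation with an implicit deny after the last entry, that a dotted mask after `/` is a subnet mask (as in the template's `10.X.X.X/255.255.255.0`), and it uses made-up RFC 1918 and documentation addresses in place of the `10.X.X.X` placeholders; the entry numbers it reports are 1-based positions among the non-comment lines, not switch sequence numbers.

```python
"""Offline first-match evaluator for an AOS-CX-style control-plane ACL.
Added example (not from the post or from HPE Aruba): checks which entry
permits or denies a packet, so ordering mistakes are caught before
`apply access-list ip ... control-plane vrf default` is run."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the template above; 10.X.X.X placeholders
# replaced with made-up addresses.
SAMPLE_ACL = """\
comment *** NETEDIT ***
permit tcp 10.10.0.5 any eq 22
permit tcp 10.10.0.5 any eq 443
comment *** SSH ADMIN ***
permit tcp 10.20.0.0/255.255.255.0 any eq 22
comment *** DENY ***
deny tcp any any eq 22
deny tcp any any eq 443
comment *** PERMIT OTHER ***
permit any any any log count
"""

# Constructed mistake: the broad deny sits above the admin permit, so the
# permit can never match and administrators lose SSH access.
MISORDERED_ACL = """\
deny tcp any any eq 22
permit tcp 10.20.0.0/24 any eq 22
permit any any any
"""


@dataclass
class Entry:
    action: str                            # "permit" or "deny"
    proto: str                             # "tcp", "udp" or "any"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    dport: Optional[int]                   # None means "any destination port"


def parse_host(token: str) -> Optional[ipaddress.IPv4Network]:
    """'any', a bare host, A.B.C.D/M or A.B.C.D/W.X.Y.Z (W.X.Y.Z read as a subnet mask; assumption)."""
    if token == "any":
        return None
    if "/" not in token:
        token += "/32"
    # ipaddress accepts both a prefix length and a dotted subnet mask here.
    return ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> List[Entry]:
    """Keep permit/deny lines in order; 'comment' lines and trailing log/count keywords are ignored."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "comment":
            continue
        action, proto, src, dst = tok[:4]
        dport = int(tok[5]) if len(tok) > 5 and tok[4] == "eq" else None
        entries.append(Entry(action, proto, parse_host(src), parse_host(dst), dport))
    return entries


def evaluate(entries: List[Entry], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """First matching entry wins: returns (action, 1-based entry number); no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, e in enumerate(entries, 1):
        if e.proto not in ("any", proto):
            continue
        if e.src is not None and src not in e.src:
            continue
        if e.dst is not None and dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, n
    return "deny", None


def covers(broad: Entry, narrow: Entry) -> bool:
    """True if every packet matching `narrow` also matches `broad`."""
    return (broad.proto in ("any", narrow.proto)
            and (broad.src is None or (narrow.src is not None and narrow.src.subnet_of(broad.src)))
            and (broad.dst is None or (narrow.dst is not None and narrow.dst.subnet_of(broad.dst)))
            and (broad.dport is None or broad.dport == narrow.dport))


def shadowed(entries: List[Entry]) -> List[int]:
    """1-based numbers of entries an earlier entry fully covers; they can never match."""
    return [n for n, e in enumerate(entries, 1)
            if any(covers(prev, e) for prev in entries[:n - 1])]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for desc, proto, src, port in [("NetEdit SSH", "tcp", "10.10.0.5", 22),
                                   ("admin SSH", "tcp", "10.20.0.77", 22),
                                   ("admin HTTPS", "tcp", "10.20.0.77", 443),
                                   ("outsider SSH", "tcp", "192.0.2.10", 22),
                                   ("outsider BGP", "tcp", "192.0.2.10", 179)]:
        print(f"{desc:14} -> {evaluate(acl, proto, src, '10.0.0.1', port)}")
    print("shadowed entries in misordered ACL:", shadowed(parse_acl(MISORDERED_ACL)))
```

    Running it on the sample shows the admin subnet reaching SSH via entry 3 but being stopped at HTTPS by entry 5, an outside host denied SSH by entry 4 yet still reaching a non-management port through the final `permit any any any`, and the misordered ACL reporting entry 2 as unreachable. A useful habit is to keep a list of "must be permitted" and "must be denied" probes like these alongside the ACL text and rerun the check whenever an entry is added.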



  • 7.  RE: Aruba 6300 SSH access restriction

    Posted Nov 30, 2021 05:10 AM
    Thanks, Whitehawk29FR

    You made it easier

    Thank you

    ------------------------------
    Qais Sherfeed
    ------------------------------



  • 8.  RE: Aruba 6300 SSH access restriction

    EMPLOYEE
    Posted Nov 30, 2021 04:28 PM
    and you can always refer to the CX hardening guide
    https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/AOS-CX_10-07_hardening.pdf

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------