Wired Intelligent Edge


ACL to allow ssh from specific subnet

  • 1.  ACL to allow ssh from specific subnet

    Posted Dec 19, 2020 11:06 AM

    Hi!

    We have Aruba 2540 and 2930 switches. I have created ACLs on the switches, but I don't know where I can apply them, as Aruba doesn't have line vty.

    How can we secure management traffic so that SSH is allowed only from the IT subnet?

    Thanks



    ------------------------------
    Sajid Mumtaz
    ------------------------------


  • 2.  RE: ACL to allow ssh from specific subnet

    Posted Dec 19, 2020 11:12 AM
    Hi, first things first... you should know that you don't just apply ACLs generically on "switches".

    You must apply them exactly on the routing device (I guess it could be the Aruba 2930 in your scenario)... this way you can manage (segregate) the inter-VLAN routing with them.





  • 3.  RE: ACL to allow ssh from specific subnet

    Posted Dec 19, 2020 11:26 AM

    Hi!

    I agree that ACLs are not applied on switches. I am just doing the SSH thing. There is a management VLAN on the switches. The switches are connected to the Core router, but the management VLAN exists on the switch with an IP address, so I have to allow only a specific subnet to SSH to that switch.

    I don't have a firewall for this purpose.

    Thanks



    ------------------------------
    Sajid Mumtaz
    ------------------------------



  • 4.  RE: ACL to allow ssh from specific subnet

    Posted Dec 19, 2020 04:57 PM
    Edited by parnassus Dec 19, 2020 05:31 PM

    "There is a management VLAN on the switches. The switches are connected to the Core router, but the management VLAN exists on the switch with an IP address, so I have to allow only a specific subnet to SSH to that switch."

    I understand what you want.

    The question indeed is: which network device has the role of routing your "VLAN dedicated to switch management"?

    Is it the "Core router"?

    If so, that is exactly where the ACLs should be applied, to control traffic between that very VLAN and all the other routed VLANs (on the downlinked switches the "VLAN dedicated to switch management" is just "transported", let me use this term, and, as said, ACL definitions on those switches are unnecessary).

    So before trying to understand which ACLs to apply (and how to apply them), it's really essential to understand where those ACLs must be applied.

    P.S.

    By "management VLAN" do you mean a VLAN id SET AS THE Management VLAN (so that VLAN id is not routed), or just a VLAN id not set as "Management" but used as a generic VLAN dedicated to switch management in your network?


    ------------------------------
    Davide Poletto
    ------------------------------



  • 5.  RE: ACL to allow ssh from specific subnet

    Posted Dec 19, 2020 05:11 PM

    Hi!

    So we have a two-tier network with Core and Distribution. Distribution is also acting as the Access layer.

    On the Core we have an HP FlexFabric with an SVI (shown here in Comware syntax):

        interface Vlan-interface10
         ip address 10.1.1.1 24

    All Aruba switches on distribution have the ip default-gateway command pointing to 10.1.1.1.

    Aruba switch (ip default-gateway takes a plain address, not a prefix length):

        vlan 10
         ip address 10.1.1.2/24
        ip default-gateway 10.1.1.1



    ------------------------------
    Sajid Mumtaz
    ------------------------------



  • 6.  RE: ACL to allow ssh from specific subnet

    Posted Dec 19, 2020 05:35 PM
    Edited by parnassus Dec 19, 2020 05:54 PM

    Perfect, so it's a matter of configuring ACLs on that HP FlexFabric (which owns the SVIs; the Aruba switches are not in the picture).
    ------------------------------
    Davide Poletto
    ------------------------------



  • 7.  RE: ACL to allow ssh from specific subnet

    Posted Dec 19, 2020 05:40 PM

    OK, thanks.

    We have an HP FlexFabric 5700.

    Can you please point me to documentation or any site that contains this information?

    Don't want to lose access to the switch in case of an issue :)



    ------------------------------
    Sajid Mumtaz
    ------------------------------



  • 8.  RE: ACL to allow ssh from specific subnet
    Best Answer

    Posted Dec 20, 2020 12:01 PM
    Edited by capricorn80 Dec 20, 2020 03:38 PM

    Absolutely.

    The latest HPE FlexFabric 5700 Switch Series ACL and QoS Configuration Guide was published on 27-11-2017 and relates to Comware OS v7 software release R243x.

    It shouldn't be too tricky to set up, depending on what type of segregation you want to achieve (uni/bi-directional, protocols, etc.) and how many VLANs in total you want to govern.

    I suggest you open a thread on the HPE Community - Networking - Comware based sub-forum page here, describing what you want to achieve.



    ------------------------------
    Davide Poletto
    ------------------------------
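The configuration the best answer points to, written out as an added example (not from the thread and not taken from the HPE guide itself): a Comware 7 packet filter on the FlexFabric's Vlan-interface 10, matching the topology posted above. The IT subnet 10.20.30.0/24 is a constructed value; the management VLAN 10 = 10.1.1.0/24 and gateway 10.1.1.1 come from the thread. It assumes the FlexFabric is the only router for VLAN 10 and that your 5700 release accepts packet-filter on VLAN interfaces; check the exact syntax against the ACL and QoS Configuration Guide for your release before pasting it.

```text
# Comware 7 (HPE FlexFabric 5700) - added example, verify against your release's guide
# Assumed: IT subnet 10.20.30.0/24 (constructed), management VLAN 10 = 10.1.1.0/24
acl number 3000 name MGMT-SSH
 description Only the IT subnet may open SSH sessions into the management VLAN
 rule 10 permit tcp source 10.20.30.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 destination-port eq 22
 rule 20 deny tcp destination 10.1.1.0 0.0.0.255 destination-port eq 22
 rule 30 permit ip
#
interface Vlan-interface10
 packet-filter 3000 outbound
#
```

Two points worth knowing before you trust this. First, Comware permits packets that match no rule by default (unlike Cisco's implicit deny), so rule 30 is explicit on purpose and rule 20 is what actually blocks non-IT SSH; if you later run `packet-filter default deny`, the final permit keeps all other routed traffic flowing. Second, the filter sits outbound on the SVI, so it only sees SSH that is routed into VLAN 10 from other VLANs; a host plugged directly into VLAN 10 reaches 10.1.1.2 at layer 2 and is never filtered here, which is the gap the Aruba-side Authorized Manager feature in the last reply closes. Apply it with a console or second SSH session still open, then test from a non-IT address and from the IT subnet before you save.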



  • 9.  RE: ACL to allow ssh from specific subnet

    Posted Dec 20, 2020 03:38 PM

    Thanks for your help.



    ------------------------------
    Sajid Mumtaz
    ------------------------------



  • 10.  RE: ACL to allow ssh from specific subnet

    Posted Dec 21, 2020 05:18 AM

    I think what you are looking for is the Authorized Manager IP feature. Check the Access Security Guide for your switch:

    (more in the guide)



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
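The feature named in the last reply, as an added example written from the ArubaOS-Switch Access Security Guide's `ip authorized-managers` syntax as I recall it (this is not configuration posted in the thread; verify the options on your 2540/2930 firmware). The IT subnet 10.20.30.0/24 and the NMS host 10.1.1.50 are constructed values. This complements rather than replaces the core ACL: it is enforced by the Aruba switch itself, so it also covers hosts sitting inside the management VLAN.

```text
; ArubaOS-Switch (Aruba 2540 / 2930) - added example, syntax per the Access Security Guide
; Assumed values: IT subnet 10.20.30.0/24, NMS host 10.1.1.50 (both constructed)
; Keep a console session open while applying this: a typo here locks SSH out.
ip authorized-managers 10.20.30.0 255.255.255.0 access manager access-method ssh
; Any other station that must reach the switch (SNMP poller, web UI) needs its own entry,
; because once one entry exists every address not listed is refused management access.
ip authorized-managers 10.1.1.50 255.255.255.255 access manager access-method all
; Confirm the table, test from a non-IT host and from the IT subnet, then save.
show ip authorized-managers
write memory
```

The behaviour to keep in mind is that the first entry flips the switch from "anyone may try to log in" to "only listed addresses may", for SSH, Telnet, web and SNMP alike; the console port is unaffected, which is your recovery path. The table holds only a small fixed number of entries, so list subnets rather than individual admin workstations, and give the NMS the narrowest `access` level it needs (operator is enough for read-only polling).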