Thanks for your help.
Original Message:
Sent: Dec 20, 2020 12:00 PM
From: Davide Poletto
Subject: ACL to allow ssh from specific subnet
Absolutely.
The latest HPE FlexFabric 5700 Switch Series ACL and QoS Configuration Guide was published on 27-11-2017 and it was related to Comware OS v7 software release R243x.
It shouldn't be too tricky to set up, depending on what type of segregation you want to achieve (uni/bi-directional, protocols, etc.) and how many VLANs in total you want to govern.
I suggest you open a thread on the HPE Community - Networking - Comware based sub-forum page here describing what you want to achieve.
------------------------------
Davide Poletto
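As an added illustration of the approach described in this thread (this is example configuration, not something posted by either participant or taken from the HPE guide), the following Comware 7 fragment restricts SSH on the FlexFabric 5700 that owns the VLAN 10 SVI (10.1.1.1/24 from the thread). The IT subnet is never named in the thread, so 192.0.2.0/24 is a placeholder; the ACL numbers, names, and the outbound packet-filter on the SVI are assumptions that should be checked against the 5700 ACL and QoS guide for the running software release.

```text
# Added example, not part of the original thread.
# Platform: HPE FlexFabric 5700, Comware 7 syntax.
# 192.0.2.0/24 is a constructed placeholder for the IT (management) subnet.

# 1. Basic ACL: first-match, so the permit for the IT subnet comes first
#    and an explicit deny catches everything else.
acl basic 2000 name MGMT-SSH
 rule 0 permit source 192.0.2.0 0.0.0.255
 rule 5 deny
quit

# 2. Bind it to the VTY lines: only the IT subnet can open an SSH session
#    to the 5700 itself, and only SSH is accepted (no Telnet).
line vty 0 63
 acl 2000 inbound
 protocol inbound ssh
 authentication-mode scheme
quit

# 3. Because the 5700 routes VLAN 10, the same segregation can be enforced
#    for SSH towards the downstream switch addresses in 10.1.1.0/24:
#    permit TCP/22 from the IT subnet, drop TCP/22 from anywhere else,
#    leave all other traffic untouched. Applied outbound on the SVI so it
#    covers traffic routed into VLAN 10 from every other VLAN (assumes the
#    platform supports outbound packet filtering on VLAN interfaces).
acl advanced 3000 name MGMT-SSH-ROUTED
 rule 0 permit tcp source 192.0.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 destination-port eq 22
 rule 5 deny tcp destination 10.1.1.0 0.0.0.255 destination-port eq 22
 rule 10 permit ip
quit
interface Vlan-interface10
 packet-filter 3000 outbound
quit
```

Before committing this, verify it from a session sourced inside the IT subnet and keep a console or out-of-band path available, since a mistake in the ACL order or the subnet mask locks out the very subnet that is supposed to be permitted. `display acl 2000` and `display packet-filter statistics` show whether the rules are being hit.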
Original Message:
Sent: Dec 19, 2020 05:40 PM
From: Sajid Mumtaz
Subject: ACL to allow ssh from specific subnet
Ok Thanks.
We have HP Flexfabric 5700.
Can you please point me to documentation or any site which contains this information?
Don't want to lose access to the switch in case of issue :)
------------------------------
Sajid Mumtaz
Original Message:
Sent: Dec 19, 2020 05:35 PM
From: Davide Poletto
Subject: ACL to allow ssh from specific subnet
Perfect, it's a matter of configuring ACLs on that HP FlexFabric which owns the SVIs (Aruba switches are not in the picture).
------------------------------
Davide Poletto
Original Message:
Sent: Dec 19, 2020 05:11 PM
From: Sajid Mumtaz
Subject: ACL to allow ssh from specific subnet
Hi!
So we have a two-tier network with Core and Distribution. Distribution is also acting as Access layer.
On Core we have HP FlexFabric with SVI.
vlan 10
ip address 10.1.1.1/24
All Aruba switches on distribution have ip default-gateway command pointing to 10.1.1.1
Aruba switch:
Vlan 10
ip address 10.1.1.2/24
Ip default-gateway 10.1.1.1/24
------------------------------
Sajid Mumtaz
Original Message:
Sent: Dec 19, 2020 04:57 PM
From: Davide Poletto
Subject: ACL to allow ssh from specific subnet
"There is management VLAN on Switches. The switches are connected to Core router but management VLAN exist on Switch with IP address so I have to allow only specific subnet to do ssh on that switch."
The question is: what is the device that has the role of routing your VLAN dedicated to switch management? Is it the "Core router"? If so, exactly there ACLs should be applied to permit/deny traffic between that VLAN dedicated to switch management and all other VLANs (on downlinked switches the VLAN dedicated to switch management is just "transported" - let me use this term - and, as said, on those switches ACLs are unnecessary).
So before trying to understand what ACLs to apply (and how to apply them) it's really essential to understand where ACLs must be applied.
P.S.
With "management VLAN" do you mean a VLAN Id SET AS THE Management (so that VLAN id is not routed) or just A VLAN id not set as Management and just used as the VLAN dedicated to switch management?
------------------------------
Davide Poletto
Original Message:
Sent: Dec 19, 2020 11:26 AM
From: Sajid Mumtaz
Subject: ACL to allow ssh from specific subnet
Hi!
I agree that ACLs are not applied on Switches. I am just doing the ssh thing. There is a management VLAN on Switches. The switches are connected to the Core router but the management VLAN exists on the Switch with an IP address, so I have to allow only a specific subnet to do ssh on that switch.
I don't have a Firewall for this purpose.
Thanks
------------------------------
Sajid Mumtaz
Original Message:
Sent: Dec 19, 2020 11:11 AM
From: Davide Poletto
Subject: ACL to allow ssh from specific subnet
Hi, first things first... you should know that you just don't apply ACLs generically on "switches".
You must apply them exactly on the routing device (I guess it could be the Aruba 2930 in your scenario)... this way, with them, you can manage (segregate) the inter-VLAN routing.
Original Message:
Sent: 12/19/2020 11:06:00 AM
From: capricorn80
Subject: ACL to allow ssh from specific subnet
Hi!
We have Aruba 2540 and 2930. I have created ACLs on the switches but I don't know where I can apply those, as Aruba doesn't have line vty.
How can we secure Management traffic to allow ssh from IT subnet?
Thanks
------------------------------
Sajid Mumtaz
------------------------------