Wired Intelligent Edge

ACL to protect switch from users


    Posted Dec 01, 2023 07:55 AM

    Is there a smart way to protect SVIs from users? I mean blocking access to services bound to the switch VLAN interfaces. I have ACLs protecting the management interface/VRF, but what about the production VRF? There are several VLANs in it and an active gateway. That is a lot of addresses.

    For now the port scan shows way too much:


    Nmap scan report for _gateway (10.80.5.1)
    Host is up (0.0033s latency).
    Not shown: 997 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    179/tcp  open     bgp
    3784/tcp filtered bfd-control

    My version for now would be:


    access-list ip PROTECT_SWITCH
        10 deny tcp any <active_gateway IPs> eq ssh
        20 deny tcp any <active_gateway IPs> eq bgp
        <as above for each switch real IP> 

    But is there a smarter way like destination=<all switch ip in vrf>? 

    BTW: I need to leave SSH accessible in the production VRF from some networks.



    ------------------------------
    -- tommyd
    ------------------------------
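Added example, not from the poster or from HPE documentation: one way to get "destination = every address the switch owns in this VRF" without listing each SVI or active-gateway address is to attach the ACL to the switch's control plane for that VRF, which only matches traffic addressed to the switch itself and leaves transit user traffic alone. It assumes the AOS-CX release in use supports `apply access-list ip ... control-plane vrf`; the management source 10.80.100.0/24 is constructed, and `<BGP_PEER_IP>` and `<PROD_VRF>` are placeholders for the real peer address and VRF name.

```text
access-list ip PROTECT_SWITCH_CP
    ! constructed example: only the management jump network may reach SSH on the switch
    10 permit tcp 10.80.100.0/24 any eq ssh
    ! placeholder: the real BGP neighbour(s) must still reach the switch's BGP listener
    20 permit tcp <BGP_PEER_IP> any eq bgp
    ! everyone else in the VRF: no SSH and no BGP to any switch-owned address (10.80.5.1 included)
    30 deny tcp any any eq ssh
    40 deny tcp any any eq bgp
    ! an ACL ends in an implicit deny; keep the remaining control-plane traffic
    ! (ICMP to the gateway, DHCP relay, routing-protocol hellos) working
    50 permit any any any
!
apply access-list ip PROTECT_SWITCH_CP control-plane vrf <PROD_VRF>
```

Re-run the scan from a user VLAN afterwards: 22/tcp and 179/tcp on 10.80.5.1 should no longer show as open, while the same scan from 10.80.100.0/24 still sees SSH.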