hi zito2000
To restrict SSH and SNMP access to the management IP you will need to add the below; you need to give access to the engineer.
access-list ip AUTHORIZED-MANAGERS
10 permit udp {engineer VLAN range IP ADDRESS} any eq snmp
20 permit udp {engineer VLAN range IP ADDRESS} any eq snmp-trap
30 permit tcp {engineer VLAN range IP ADDRESS} any eq ssh
40 permit tcp {engineer VLAN range IP ADDRESS} any eq https
50 permit tcp {engineer VLAN range IP ADDRESS} any eq http
60 deny tcp any any eq ssh count
61 deny tcp any any eq https count
62 deny tcp any any eq http count
apply access-list ip AUTHORIZED-MANAGERS control-plane vrf default (this line applies the access-list to the vrf default)
apply access-list ip AUTHORIZED-MANAGERS control-plane vrf mgmt (this line applies the access-list to the vrf mgmt)
Original Message:
Sent: Feb 22, 2024 10:45 AM
From: Novus Insight
Subject: CX6000 - Restricting access to management IP of switch
Did you ever get a chance to test this theory?
Original Message:
Sent: Sep 26, 2023 04:36 PM
From: zito2000
Subject: CX6000 - Restricting access to management IP of switch
Hello everyone,
I have worked with the Aruba CLI on 2500/2900/etc. series switches, and this new CLI is new to me.
I am setting up these new CX switches for a few of our locations and was hoping someone could help with a couple of questions.
I have a firewall providing DHCP for the VLANs; it is also the gateway, using 10.70.3.1 for the management VLAN, which in this case is VLAN 3.
My questions are the following:
- How do I restrict SSH and SNMP access to the management IP of this switch to only certain IP addresses?
- If I use an access-list like the one below, would it accomplish this?
- Additionally, if the below access list is used, would it deny other data/voice traffic from other VLANs passing through this switch?
Below are some snips from my switch config that apply to this discussion.
Thanks in advance for any help.
access-list ip AUTHORIZED-MANAGERS
10 permit any {IP ADDRESS} any
20 permit any {IP ADDRESS} any
30 permit any {IP ADDRESS} any
vlan 3
name Management
vlan 140
name Employee Data
vlan 923
name VOIP
voice
interface 1/1/1
no shutdown
description Firewall-Uplink
vlan trunk native 1
vlan trunk allowed 3,140
interface vlan 1
no ip dhcp
interface vlan 3
ip address 10.70.3.3/24
ip route 0.0.0.0/0 10.70.3.1
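The following is an added example, written for this thread and not taken from either post or from HPE/Aruba. It is a small Python model of how an AOS-CX style IP ACL is evaluated when applied to the control plane: ACEs are checked in sequence order, the first match wins, and an implicit `deny any any any` sits at the end of every ACL. The model also treats a control-plane ACL the way the switch does, as a filter on packets addressed to the switch's own IPs only, so traffic from VLAN 140 or VLAN 923 routed through the switch to somewhere else is never consulted against it (the third question above). The engineer subnet (10.70.3.0/24, i.e. the management VLAN), the employee host 10.70.140.25 and the external host 203.0.113.10 are constructed stand-ins for the `{IP ADDRESS}` placeholders; source-port operators, ICMP types and `established` are not modelled.

```python
"""Simulate first-match evaluation of an AOS-CX style control-plane ACL.

Added example, not from the thread. Models sequence-ordered ACEs, protocol and
CIDR matching, an optional destination-port 'eq' match, and the implicit
'deny any any any' at the end of every AOS-CX ACL. A control-plane ACL only
sees packets addressed to the switch's own IPs, so transit traffic is returned
as 'forwarded' without consulting the ACL. Host addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subset of the well-known port names accepted after 'eq'.
PORT_NAMES = {"snmp": 161, "snmp-trap": 162, "ssh": 22, "http": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "any", "tcp", "udp", "icmp", ...
    src: str                # "any" or a CIDR prefix
    dst: str                # "any" or a CIDR prefix
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """Parse '<seq> <action> <proto> <src> <dst> [eq <port>] [count]'."""
    t = line.split()
    dst_port = None
    if len(t) >= 7 and t[5] == "eq":
        dst_port = PORT_NAMES[t[6]] if t[6] in PORT_NAMES else int(t[6])
    return Ace(int(t[0]), t[1], t[2], t[3], t[4], dst_port)


def _ip_matches(rule: str, addr: str) -> bool:
    return rule == "any" or ip_address(addr) in ip_network(rule, strict=False)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "any" and ace.proto != flow.proto:
        return False
    if not (_ip_matches(ace.src, flow.src_ip) and _ip_matches(ace.dst, flow.dst_ip)):
        return False
    return ace.dst_port is None or ace.dst_port == flow.dst_port


def evaluate(acl: list[Ace], flow: Flow) -> tuple[str, Optional[int]]:
    """First match wins; returns (action, seq). seq None means the implicit deny fired."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, flow):
            return ace.action, ace.seq
    return "deny", None


def control_plane_decision(acl: list[Ace], flow: Flow, switch_ips: set[str]) -> str:
    """Apply the ACL only to packets addressed to the switch itself."""
    if flow.dst_ip not in switch_ips:
        return "forwarded"      # transit traffic is not subject to a control-plane ACL
    action, seq = evaluate(acl, flow)
    return f"{action} (seq {seq})" if seq is not None else "deny (implicit)"


# Constructed stand-in for the '{engineer VLAN range}' placeholder in the reply.
ENGINEER_NET = "10.70.3.0/24"
SWITCH_IPS = {"10.70.3.3"}      # from the poster's 'interface vlan 3'

# The reply's ACL, with tcp/udp protocols so that 'eq <port>' is valid.
AUTHORIZED_MANAGERS = [parse_ace(l) for l in (
    f"10 permit udp {ENGINEER_NET} any eq snmp",
    f"20 permit udp {ENGINEER_NET} any eq snmp-trap",
    f"30 permit tcp {ENGINEER_NET} any eq ssh",
    f"40 permit tcp {ENGINEER_NET} any eq https",
    f"50 permit tcp {ENGINEER_NET} any eq http",
    "60 deny tcp any any eq ssh count",
    "61 deny tcp any any eq https count",
    "62 deny tcp any any eq http count",
)]

# Same ACL with a trailing permit so other control-plane traffic (ping to the
# switch, NTP, routing adjacencies) is not swallowed by the implicit deny.
AUTHORIZED_MANAGERS_OPEN_TAIL = AUTHORIZED_MANAGERS + [parse_ace("70 permit any any any")]

# The original poster's proposal: one permit per trusted source, nothing else.
PROPOSED = [parse_ace(f"10 permit any {ENGINEER_NET} any")]

if __name__ == "__main__":
    flows = (
        Flow("tcp", "10.70.3.50", "10.70.3.3", 22),        # engineer -> switch SSH
        Flow("tcp", "10.70.140.25", "10.70.3.3", 22),      # employee -> switch SSH
        Flow("icmp", "10.70.140.25", "10.70.3.3"),         # employee pings the switch
        Flow("tcp", "10.70.140.25", "203.0.113.10", 443),  # employee transit HTTPS
    )
    for name, acl in (("reply", AUTHORIZED_MANAGERS),
                      ("reply+tail", AUTHORIZED_MANAGERS_OPEN_TAIL),
                      ("proposed", PROPOSED)):
        for f in flows:
            print(f"{name:11} {f.proto:4} {f.src_ip:>13} -> {f.dst_ip:<13} "
                  f"{control_plane_decision(acl, f, SWITCH_IPS)}")
```

Running it shows the two points worth checking before applying the reply's ACL. First, both the reply's ACL and the original proposal do stop SSH and SNMP from non-engineer addresses, but they also drop everything else aimed at the switch IP, including a simple ping from another VLAN, because of the implicit deny; the `70 permit any any any` variant keeps only SSH/SNMP/HTTP(S) restricted. Second, the employee's HTTPS session to an external host is reported as forwarded regardless of the ACL, since a control-plane ACL never examines traffic merely routed through the switch.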