Aruba Central


CX6000 - Restricting access to management IP of switch

  • 1.  CX6000 - Restricting access to management IP of switch

    Posted Sep 27, 2023 01:30 AM

    Hello everyone,

    I have worked with the Aruba CLI on the 2500/2900/etc. series switches, and this new CLI is new to me.

    I am setting up these new CX switches for a few of our locations and was hoping someone could help with a couple of questions.

    I have a firewall providing DHCP for the VLANs; it is also the gateway, using 10.70.3.1 for the management VLAN, which in this case is VLAN 3.

    My questions are the following:

    1. How do I restrict SSH and SNMP access to the management IP of this switch to only certain IP addresses?
    2. If I use an access-list like the one below, would it accomplish this?
    3. Additionally, if the below access list is used, would it deny other data/voice traffic from other VLANs passing through this switch?

    Below are some snips from my switch config that apply to this discussion.

    Thanks in advance for any help.

    access-list ip AUTHORIZED-MANAGERS
    10 permit any {IP ADDRESS} any
    20 permit any {IP ADDRESS} any
    30 permit any {IP ADDRESS} any

    vlan 3
        name Management

    vlan 140
        name Employee Data


    vlan 923
        name VOIP
        voice

    interface 1/1/1
        no shutdown
        description Firewall-Uplink
        vlan trunk native 1
        vlan trunk allowed 3,140

    interface vlan 1
        no ip dhcp


    interface vlan 3
        ip address 10.70.3.3/24

    ip route 0.0.0.0/0 10.70.3.1



  • 2.  RE: CX6000 - Restricting access to management IP of switch

    Posted Feb 22, 2024 12:03 PM

    Did you ever get a chance to test this theory? 




  • 3.  RE: CX6000 - Restricting access to management IP of switch

    Posted Feb 23, 2024 02:45 AM

    hi zito2000

    To restrict SSH and SNMP access to the management IP you will need to add the below; you need to give access to the engineer.

    access-list ip AUTHORIZED-MANAGERS
        10 permit udp {engineer VLAN range IP ADDRESS} any eq snmp
        20 permit udp {engineer VLAN range IP ADDRESS} any eq snmp-trap
        30 permit tcp {engineer VLAN range IP ADDRESS} any eq ssh
        40 permit tcp {engineer VLAN range IP ADDRESS} any eq https
        50 permit tcp {engineer VLAN range IP ADDRESS} any eq http
        60 deny tcp any any eq ssh count
        61 deny tcp any any eq https count
        62 deny tcp any any eq http count

    apply access-list ip AUTHORIZED-MANAGERS control-plane vrf default
    (this line applies the access-list to the default VRF)

    apply access-list ip AUTHORIZED-MANAGERS control-plane vrf mgmt
    (this line applies the access-list to the mgmt VRF)
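Putting the question in the first post and the ACL in the reply above together, here is one complete version of the control-plane ACL. It is an added example, not taken from either poster's configuration. It assumes an engineering subnet of 10.70.50.0/24 (a made-up value; substitute the real engineer VLAN) and uses numeric ports so it does not depend on the port-name table of a particular AOS-CX release; the `<seq> comment` entries are AOS-CX ACE comments used to document intent inline. On the three original questions: a control-plane ACL only filters traffic addressed to the switch's own CPU (SSH, SNMP, HTTPS, ICMP, DHCP relay and so on), so it never touches data or voice frames being switched or routed between VLAN 140, VLAN 923 and the firewall uplink. The `permit any {IP} any` list in the first post would admit the listed hosts, but every AOS-CX ACL ends in an implicit `deny any any any`, so applied to the control plane as written it would also drop NTP, DNS, RADIUS replies, ICMP and anything else the switch itself needs to receive. The last entry below exists for that reason, and the explicit `deny ... count` entries in front of it are what make unauthorized SSH/SNMP attempts visible in the hit counters.

```text
access-list ip AUTHORIZED-MANAGERS
    10 comment Management protocols only from the engineering subnet (assumed 10.70.50.0/24)
    10 permit tcp 10.70.50.0/24 any eq 22
    20 permit tcp 10.70.50.0/24 any eq 443
    30 permit udp 10.70.50.0/24 any eq 161
    40 comment Count and drop the same protocols from every other source
    40 deny tcp any any eq 22 count
    50 deny tcp any any eq 443 count
    60 deny tcp any any eq 80 count
    70 deny udp any any eq 161 count
    80 comment Everything else the CPU must receive (ICMP, DHCP, NTP, DNS, RADIUS replies, routing) instead of the implicit deny
    80 permit any any any

apply access-list ip AUTHORIZED-MANAGERS control-plane vrf default
apply access-list ip AUTHORIZED-MANAGERS control-plane vrf mgmt
```

Apply it from the console or the OOB mgmt port first, then from an engineering host and from a non-engineering host, and confirm with `show access-list hitcounts ip AUTHORIZED-MANAGERS control-plane vrf default` (exact show syntax varies slightly between 10.x releases; check `show access-list ?`) that entries 10 through 30 count while 40 through 70 stay at zero for authorized sessions. Inbound `snmp-trap` (UDP 162) is left out deliberately: the switch sends traps, it does not receive them. Plain HTTP (80) has no permit entry because the web UI should only be reached over HTTPS. Note that the `apply ... control-plane` form is what keeps this a management-plane filter; applying the same ACL with `apply access-list ip AUTHORIZED-MANAGERS in` under `interface vlan 3` would instead filter routed traffic entering on that VLAN, which is exactly the transit impact the third question worries about.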