I was able to create the following ACL to restrict access to the management of the switch.
access-list ip AUTHORIZED-MANAGERS
10 comment IT DIRECTOR
10 permit any {IP ADDRESS} any
20 comment IT SYSTEMS ADMIN
20 permit any {IP ADDRESS} any
30 permit any {IP ADDRESS} any
40 permit any {IP ADDRESS} any
50 permit any {IP ADDRESS} any
60 permit any {IP ADDRESS} any
70 deny any any {MANAGEMENT IP ADDRESS OF THE SWITCH}
80 permit any any any
Original Message:
Sent: Apr 30, 2021 05:43 AM
From: Vincent Giles
Subject: ip authorized-managers on the CX
If you consider the implicit deny any any any at the end, this can prevent traffic that you want to allow.
However, a conservative and safe approach is to be very specific on what to deny, and make sure there is an explicit permit any any any at the end.
Please note that in 10.7, AOS-CX now provides ACL capability for SNMP.
------------------------------
Vincent Giles
Original Message:
Sent: Apr 29, 2021 01:34 AM
From: Igor Aliyev
Subject: ip authorized-managers on the CX
This can be a dangerous solution as it will be applied to all control-plane traffic passing the VRF. We have an in-band management in default VRF and this affected our DHCP requests re-transmissions. Even TAC support warned us that you should apply a control-plane ACL only if you know completely what type of traffic is passing the switch and how it does that.
------------------------------
Igor Aliyev
Original Message:
Sent: Oct 24, 2019 12:58 PM
From: Vincent Giles
Subject: ip authorized-managers on the CX
Yes, this is an ACL applied to the control-plane:
Create your ACL using permit/deny (be specific so you can have a permit any any any at the end) and apply the ACL to the control-plane in the proper VRF.
Example:
apply access-list ip ACL-name control-plane vrf mgmt
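The two design rules repeated in this thread (deny only what you must, and close the list with an explicit permit any any any so the implicit deny never fires) can be checked before the ACL touches a switch. The script below is an added example, not something posted in the thread or shipped with AOS-CX: it models first-match evaluation of an IPv4 control-plane ACL and runs a constructed stand-in for the AUTHORIZED-MANAGERS list from the first post against a few constructed packets, once with entry 80 present and once without it. All addresses, the management IP and the sample traffic are placeholders; protocol/port matching is simplified to what the thread's entries use.

```python
"""Simulate first-match evaluation of an AOS-CX style control-plane ACL.

Added example (not from the thread). It models the ACL posted at the top of
the thread against constructed sample packets, and contrasts it with the
same ACL minus the explicit final permit, to show that the implicit deny at
the end of a control-plane ACL drops traffic the switch itself relies on
(DHCP replies, routing-protocol hellos), which is what Igor's post reports.
Every address below is a constructed placeholder.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "any", "tcp", "udp", ...
    src: str             # "any" or an address/prefix
    dst: str             # "any" or an address/prefix
    comment: str = ""


def _match_addr(spec, addr):
    """'any' matches everything; otherwise the address must fall in the prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, proto, src, dst):
    """Return (action, seq) of the first entry that matches the packet.

    Falling off the end returns ("deny", None): the implicit deny any any any.
    """
    for e in sorted(acl, key=lambda e: e.seq):
        if e.proto not in ("any", proto):
            continue
        if _match_addr(e.src, src) and _match_addr(e.dst, dst):
            return e.action, e.seq
    return "deny", None


SWITCH_MGMT = "10.0.0.2"                     # constructed management IP of the switch
AUTHORIZED = ["10.10.10.5", "10.10.10.6"]    # constructed administrator hosts

# Stand-in for the AUTHORIZED-MANAGERS ACL from the thread: permit the admins,
# deny everyone else only towards the management IP, then permit the rest.
AUTHORIZED_MANAGERS = [
    Entry(10, "permit", "any", AUTHORIZED[0], "any", "IT DIRECTOR"),
    Entry(20, "permit", "any", AUTHORIZED[1], "any", "IT SYSTEMS ADMIN"),
    Entry(70, "deny", "any", "any", SWITCH_MGMT),
    Entry(80, "permit", "any", "any", "any"),
]

# The same list with entry 80 left off, so the implicit deny applies.
WITHOUT_FINAL_PERMIT = [e for e in AUTHORIZED_MANAGERS if e.seq != 80]

# Constructed control-plane traffic: two management attempts and two kinds of
# traffic the switch needs for its own operation.
SAMPLE_TRAFFIC = [
    ("ssh from director",        "tcp",  AUTHORIZED[0],   SWITCH_MGMT),
    ("ssh from unknown host",    "tcp",  "192.168.1.50",  SWITCH_MGMT),
    ("dhcp offer from server",   "udp",  "10.0.0.1",      "255.255.255.255"),
    ("ospf hello from neighbor", "ospf", "10.0.0.3",      "224.0.0.5"),
]


def compare(acl_a, acl_b, traffic=SAMPLE_TRAFFIC):
    """Map each sample packet to (action under acl_a, action under acl_b)."""
    return {
        name: (evaluate(acl_a, p, s, d)[0], evaluate(acl_b, p, s, d)[0])
        for name, p, s, d in traffic
    }


if __name__ == "__main__":
    results = compare(AUTHORIZED_MANAGERS, WITHOUT_FINAL_PERMIT)
    for name, (with_permit, without) in results.items():
        print(f"{name:26s} explicit permit 80: {with_permit:7s} implicit deny: {without}")
```

Running it shows the unknown host is denied by entry 70 in both variants, while the DHCP offer and OSPF hello are permitted only when entry 80 is present; without it they fall through to the implicit deny, which is the breakage Igor describes. The same function can be fed a capture of what actually reaches the control plane in your VRF before applying the list, which is the homework TAC asked for.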