Wired Intelligent Edge

 View Only
last person joined: 2 days ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Restrict access to Network Team static IPs only

This thread has been viewed 50 times
  • 1.  Restrict access to Network Team static IPs only

    Posted Oct 24, 2022 09:30 AM
      |   view attached
    I am wanting to restrict access to our OS-CX line switches (Aruba 6300) to just our Network Support team's laptops, their assigned VMs and our Orion server for SNMP.   I created an ACL on the VRF for SSH and HTTPS for the 6 workstations plus our Orion server on one of our 6 closets as a test (that closet is on VLAN 111 instead of the VLAN 211).  When I go to test this I can access the switch stack from my laptop with a static IP of 211.23 and can access it from my VM with a static of 152.11 and I am unable to access it via WiFi (VLAN 22), however I go to another workstation on VLAN 211 and I can access it.  Does the ACL to the VRF only restrict by networks and not single IPs?  I wanted to test on this closet first as it has the least number of connections and I don't have another OS-CX switch in my lab to test with.  If I can verify this works, I will copy it to our Core switches too.


  • 2.  RE: Restrict access to Network Team static IPs only

    EMPLOYEE
    Posted Oct 24, 2022 10:00 AM
    Please check this post. One difference there is that the ACL is also applied to the mgmt VRF, other is that with this ACL you block all SSH and HTTPS traffic across the default VRF, because you do a deny to any in lines 40-70, not just to the switch IP.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Restrict access to Network Team static IPs only

    Posted Oct 24, 2022 11:20 AM
    Thank you for this.  I added the following with no new results:

    80 deny any any {IP of my switch}

    This is the ip of VLAN 1

    I can't access the switch while on wifi but I can from a different pc on the same network as my laptop (VLAN 211)


  • 4.  RE: Restrict access to Network Team static IPs only
    Best Answer

    Posted Oct 25, 2022 02:19 AM
    Hi, I think the issue is that you'are using /24 in your statements instead of /32 that is used for a single IP.

    Try changind the statement to /32 and let us know.

    I hope this helps


  • 5.  RE: Restrict access to Network Team static IPs only

    Posted Oct 25, 2022 10:23 AM
    I can try this, but our network is /24 not /32.  What is bugging me the most is the fact I can't access it from another VLAN but if I'm on the same 211 VLAN I can access it.


  • 6.  RE: Restrict access to Network Team static IPs only

    Posted Oct 26, 2022 10:55 AM
    Changing the netmask to /32 worked.   I am still green to networking and didn't fully understand why you suggested the /32 but I get it now.  The /32 only allows that one host instead of the entire network.  Thank you for the suggestion and input.


  • 7.  RE: Restrict access to Network Team static IPs only

    Posted Oct 26, 2022 04:00 PM
    One last follow-up question.  I copied this ACL to our 8325 core switches and it shows applied, however I can still access the switch from another computer on that VLAN, is there something different between the 8325 and the 6300 that this ACL works on?


  • 8.  RE: Restrict access to Network Team static IPs only

    Posted Oct 27, 2022 10:02 AM
    Hi, Can you show us the applied ACL in the 8325?




  • 9.  RE: Restrict access to Network Team static IPs only

    Posted Oct 31, 2022 09:10 AM
      |   view attached
    Here is the current Access-Lists on the 8325.  The Network_Team_Access is a copy / paste from the 6300s.

    Attachment(s)

    docx
    8325 Access-List.docx   13 KB 1 version


  • 10.  RE: Restrict access to Network Team static IPs only

    Posted Oct 31, 2022 11:55 AM
    Hi, I think it should work.

    Are you sure is applied to the control plane and in the correct VRF?





  • 11.  RE: Restrict access to Network Team static IPs only

    Posted Oct 31, 2022 02:07 PM
      |   view attached
    I'm running this command after the ACL - apply access-list ip Network_Team_Access control-plane vrf default

    Attached are the VRFs on this switch.

    Attachment(s)

    docx
    8325 VRF.docx   13 KB 1 version


  • 12.  RE: Restrict access to Network Team static IPs only

    Posted Oct 31, 2022 05:06 PM
    Hi.

    Do you see that line ("apply access-list...") when you do a "show run"?

    What version is your 8325?


  • 13.  RE: Restrict access to Network Team static IPs only

    Posted Nov 01, 2022 08:59 AM
    Yes, that line does appear in my running-config.

    ArubaOS-CX
    (c) Copyright 2017-2022 Hewlett Packard Enterprise Development LP
    -----------------------------------------------------------------------------
    Version : GL.10.09.1010
    Build Date : 2022-03-10 23:10:12 UTC
    Build ID : ArubaOS-CX:GL.10.09.1010:8514a9c2b904:202203102216
    Build SHA : 8514a9c2b90406b241fea9565f76d0da78a9577b
    Active Image : primary

    Service OS Version : GL.01.08.0002
    BIOS Version : GL-01-0013


  • 14.  RE: Restrict access to Network Team static IPs only

    Posted Nov 03, 2022 09:14 AM
    It's almost like the switch is ignoring the ACL completely because I can access the CLI or GUI from any subnet on our network.  I thought maybe it was ignoring the control-plane ACL because there was another Access-List, but my 6300 switches have a second Access-List on them too, but not the same name as the one on the 8325 and everything is working as I wanted on the 6300s.


  • 15.  RE: Restrict access to Network Team static IPs only

    Posted 22 days ago
    Hi, I think is time to give TAC a call.



  • 16.  RE: Restrict access to Network Team static IPs only

    Posted 20 days ago
    I called and uploaded my config to them. They noticed there was no default vrf in the running confog and suggested i apply the control-plane to the mgmt vrf and that worked. I should have updated this thread a few days ago when TAC responded. Thanks to all that helped me with this.