Wired Intelligent Edge

  • 1.  SSH & HTTPS vrf

    Posted Feb 19, 2023 07:47 AM

    In the dist-sw, all the GWs for all the data subnets are there, so when I type in PuTTY ssh the GW-IP for any subnet, or in the browser https://GW-IP, it shows the login page. My goal is to remove that from all the subnets and restrict it to only one subnet.

    Both the https server and the ssh server are configured like this:

    ssh server vrf default
    ssh server vrf mgmt
    https-server vrf mgmt


    What should be done so that only the admin workstations (only one subnet) and nothing else can access the Dist-SW?



  • 2.  RE: SSH & HTTPS vrf

    Posted Feb 19, 2023 08:41 AM

    Hi,

    If your question is regarding AOS-CX device, check this guide - https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/AOS-CX_10-07_hardening.pdf , Page 10, "Control plane ACLs"

    Hope this helps!



    ------------------------------
    Ivan Bondar
    ------------------------------



  • 3.  RE: SSH & HTTPS vrf

    Posted Feb 20, 2023 02:31 AM

    Hi

    Using ACLs is one option, but over time this may be difficult to manage as it is decentralized. Depending on your network design, there are two more options. If you manage your switches using the OOBM interface, you can limit ssh/web access to the "vrf mgmt" and remove access to the switch from "vrf default" (--> "no ssh server vrf default"). Another option is that you have a segmented network with a firewall involved and a management network which is separate from the "data subnets". You may then place the IP interface of the management network on your switch in a separate VRF instance and enable the ssh/web servers on that specific VRF only. That is what I usually see in larger networks where you have a multi-VRF segmented network.

    Regards, 

    Thomas
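
As an added example (not part of the thread), a small Python audit that reads a saved `show running-config` and flags ssh/https servers enabled on a VRF that has no control-plane ACL applied, then lists the `no ... vrf ...` lines Thomas suggests for removing them. The sample config and the ACL syntax (`apply access-list ip NAME control-plane vrf VRF`) are assumptions to be checked against the hardening guide Ivan linked.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config: the thread's three server lines, plus a
# control-plane ACL applied to vrf mgmt only. ACL syntax is assumed, not from the thread.
SAMPLE_RUNNING_CONFIG = """\
ssh server vrf default
ssh server vrf mgmt
https-server vrf mgmt
access-list ip MGMT-ONLY
    10 permit tcp 10.10.10.0/24 any eq 22
    20 permit tcp 10.10.10.0/24 any eq 443
    30 deny any any any
apply access-list ip MGMT-ONLY control-plane vrf mgmt
"""

SERVER_RE = re.compile(r"^(ssh server|https-server) vrf (\S+)$")
CP_ACL_RE = re.compile(r"^apply access-list ip \S+ control-plane vrf (\S+)$")


def parse_servers(config: str) -> Dict[str, Set[str]]:
    """Map each VRF to the management servers (ssh/https) enabled on it."""
    servers: Dict[str, Set[str]] = {}
    for line in config.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            servers.setdefault(m.group(2), set()).add(m.group(1))
    return servers


def parse_control_plane_acl_vrfs(config: str) -> Set[str]:
    """Return the VRFs that have a control-plane ACL applied."""
    return {m.group(1) for line in config.splitlines()
            if (m := CP_ACL_RE.match(line.strip()))}


def find_unprotected_servers(config: str) -> List[str]:
    """Servers reachable from every subnet in their VRF, with no control-plane ACL in front."""
    acl_vrfs = parse_control_plane_acl_vrfs(config)
    findings: List[str] = []
    for vrf, svcs in sorted(parse_servers(config).items()):
        if vrf not in acl_vrfs:
            findings.extend(f"{svc} vrf {vrf}" for svc in sorted(svcs))
    return findings


def remediation(config: str) -> List[str]:
    """The 'no ...' commands that disable each unprotected server, as suggested in the thread."""
    return [f"no {finding}" for finding in find_unprotected_servers(config)]
```

Feeding the thread's own configuration through it reports `ssh server vrf default` as the only unprotected server; applying a control-plane ACL to vrf default instead of removing the server also clears the finding.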