Community Tribal Knowledge Base

How to Allow or Block Management of the Aruba Controller only from Specific Subnets


This knowledge base article tells you how to allow management traffic to the controller ONLY from specific subnets.


At present there is no dedicated feature for defining which subnets or IP addresses are allowed to manage the Aruba Controller. The method below accomplishes the same thing with a session ACL on the uplink.


HINT:  Before doing this, obtain a console cable for your Aruba Controller, in case you make a mistake and lock yourself out of the management interface over IP.




1.  Create an "alias" or netdestination that defines which subnets you want to allow management traffic from.

2.  Write rules permitting TCP 4343 (HTTPS) traffic and SSH traffic from those subnets to the controller's IP address.

3.  Write rules dropping TCP 4343 traffic and SSH traffic to the controller's IP address from anywhere else.

4.  Add a permit-all rule at the end of the ACL.

5.  Apply the ACL to the controller's uplink interface.


In the example below, we allow management traffic from to the controller's IP address at and drop it from everywhere else.  If you later want to expand where management traffic is allowed from, you can simply edit the alias/netdestination "management-subnet".



config t

netdestination management-subnet



ip access-list session "Controller-Access"
alias "management-subnet"  host tcp 4343 4343 permit queue low
any host tcp 4343 4343 deny queue low
alias "management-subnet"  host "svc-ssh" permit queue low
any host "svc-ssh" deny queue low
any any any permit queue low
interface gigabitethernet 1/0
ip access-group "Controller-Access" session
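As an added example that is not part of the article, the Python script below models the first-match evaluation of the "Controller-Access" ACL above over a few constructed flows. It shows why the order of steps 2 to 4 matters (if the explicit drop rules of step 3 are left out, the final permit-all lets anyone reach TCP 4343 and SSH) and gives a pre-flight check you can run for your own workstation's address before applying the ACL, so the console cable stays a backup rather than the recovery path. The management subnets (10.10.10.0/24, 10.20.0.0/16) and controller address (192.0.2.10) are constructed placeholders for the values the article elides, and the implicit deny at the end of a session ACL is an assumption about ArubaOS behaviour.

```python
"""Added example (not from the Airheads article): a first-match simulator for
the 'Controller-Access' session ACL, used to sanity-check rule order before
it is applied to the uplink. All addresses below are constructed; the
article elides the real management subnet and controller address."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholders for the values the article leaves blank.
CONTROLLER_IP = ip_address("192.0.2.10")
NETDESTINATIONS = {
    # netdestination management-subnet (two member networks, constructed)
    "management-subnet": [ip_network("10.10.10.0/24"), ip_network("10.20.0.0/16")],
}
SVC_SSH_PORT = 22          # the "svc-ssh" service alias used in the ACL
MGMT_PORTS = [4343, SVC_SSH_PORT]


@dataclass(frozen=True)
class Rule:
    src: str             # netdestination name or "any"
    dst: str             # "host" (the controller's own address) or "any"
    proto: str           # "tcp" or "any"
    port: Optional[int]  # destination port, None when proto is "any"
    action: str          # "permit" or "deny"


# The article's ACL, one Rule per 'ip access-list session' line, same order.
CONTROLLER_ACCESS: List[Rule] = [
    Rule("management-subnet", "host", "tcp", 4343, "permit"),
    Rule("any", "host", "tcp", 4343, "deny"),
    Rule("management-subnet", "host", "tcp", SVC_SSH_PORT, "permit"),
    Rule("any", "host", "tcp", SVC_SSH_PORT, "deny"),
    Rule("any", "any", "any", None, "permit"),   # step 4: keep user traffic flowing
]

# The same list with step 3 (the explicit drops) skipped, to show why it matters.
WITHOUT_DROP_RULES: List[Rule] = [r for r in CONTROLLER_ACCESS if r.action != "deny"]


def _matches(rule: Rule, src, dst, proto: str, dport: int) -> bool:
    """True when a single rule line matches the flow src -> dst proto/dport."""
    if rule.src != "any" and not any(src in net for net in NETDESTINATIONS[rule.src]):
        return False
    if rule.dst == "host" and dst != CONTROLLER_IP:
        return False
    if rule.proto != "any" and (rule.proto != proto or rule.port != dport):
        return False
    return True


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule). Session ACLs are
    first-match; a flow matching no line falls to an implicit deny at the end
    (assumption about ArubaOS behaviour, and the reason step 4 adds a permit-all)."""
    s, d = ip_address(src), ip_address(dst)
    for i, rule in enumerate(rules):
        if _matches(rule, s, d, proto, dport):
            return rule.action, i
    return "deny", None


def preflight_lockout_check(rules: List[Rule], admin_ip: str) -> List[int]:
    """Management ports that would be denied for admin_ip. Run this for your own
    workstation before 'ip access-group' to avoid locking yourself out."""
    return [p for p in MGMT_PORTS
            if evaluate(rules, admin_ip, str(CONTROLLER_IP), "tcp", p)[0] != "permit"]


if __name__ == "__main__":
    for src in ("10.10.10.5", "203.0.113.7"):
        for port in MGMT_PORTS:
            print(src, port, evaluate(CONTROLLER_ACCESS, src, str(CONTROLLER_IP), "tcp", port))
    print("ports still open to 203.0.113.7 when step 3 is skipped:",
          [p for p in MGMT_PORTS if p not in preflight_lockout_check(WITHOUT_DROP_RULES, "203.0.113.7")])
```

Traffic that merely passes through the controller (destination other than the controller's own address) never hits the four management lines and is forwarded by the final permit-all, which is what step 4 is for.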


You can type "show acl hits" to see how many times each rule in "Controller-Access" has matched.


If you get locked out of the controller's management interface, plug your console cable in and type:


config t

interface gigabitethernet 1/0
no ip access-group "Controller-Access" session


You can always see what traffic is being allowed or denied to the controller's address by typing:


show datapath session table <ip address of controller>

Version history
Last update: 02-23-2012 03:43 AM

If you try this on a VLAN interface, you get "Invalid Access List Usage".

What's the method for a VLAN interface? It's not always appropriate to do this on a physical interface.
