Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor II

Re: ACLs on Mobility Access Switches (MAS)

Thanks very much for this - it's helped a lot.

Question - is there a way to close off web access on the WAN side (in my case VLAN 99 on port 18) but allow it via the internal management VLAN and ports?

It seems like:

!
web-server
   no mgmt-ui-ports
# Closes ports 80, 443 and 4343, effectively disabling the Web-UI
   no captive-portal-ports
# Closes ports 8080, 8081 and 8088, effectively disabling captive portal functionality
# If captive portal is needed, re-enable and add these ports to the 'BLOCK-EXTERNAL' ACL
!

would shut down all web-ui across the whole switch.

Aruba

Re: ACLs on Mobility Access Switches (MAS)

AOS 7.4 added support for session ACLs on L3 interfaces. Here is an example that should meet your needs. You could also modify the ACL to allow web-ui access from specific hosts.

!
interface vlan "1"
   description "INTERNET-RVI"
   ip nat outside
   ip address dhcp-client
   ip access-group session "PROTECT-WAN"
!

ip access-list session PROTECT-WAN
  any any svc-dhcp permit
!

Frequent Contributor II

Re: ACLs on Mobility Access Switches (MAS)

"any any svc-dhcp permit" stops HTTP/HTTPS traffic?

I have a hardcoded public IP on my WAN interfaces, so I don't think I need to do anything with NAT or DHCP.

Based on the OP and response, I added this:

ip access-list stateless BLOCK-EXTERNAL
  any any svc-ssh deny
  any any svc-ftp deny
  any any svc-ntp deny
  any any any permit
!

interface-profile switching-profile "WANProfle"
  access-vlan 99
  native-vlan 99
!

interface vlan "99"
  ip access-group in "BLOCK-EXTERNAL"
  ip address xx.xx.xx.xx 255.255.255.252
!

and that has indeed blocked SSH. But my syslogs are showing httpd attempts from external addresses. Is there a svc-http or svc-https that could be added to the service deny list? Or would that block all web traffic through the switch? I certainly don't want that!

Thanks for your help!

Aruba

Re: ACLs on Mobility Access Switches (MAS)

So you want to be using a session ACL for the WAN-facing side instead of a stateless ACL. The reason being that return traffic sourced from the LAN side will be allowed while traffic originated from the WAN side is dropped. Additionally, there is an implicit deny at the end of any ACL. With the following:

any any svc-ssh deny
any any svc-ftp deny
any any svc-ntp deny
any any any permit

You are blocking specific inbound protocols but allowing everything else, which may not be what you want. The original post was from pre-7.4 when we didn't have session ACL support on L3 interfaces, so it made it somewhat complicated. For 7.4, you really want to use session ACLs. It makes life much easier.

And yes, the only reason I had the DHCP ACL was because my MAS is connected behind a cable modem handing out DHCP.

Best regards,

Madani


Frequent Contributor II

Re: ACLs on Mobility Access Switches (MAS)

Thanks for the rapidity of reply, and sorry for my ignorance on this. I'm still unclear on what to code my WAN interface VLAN to deny web-ui connections, but allow web traffic to otherwise flow through the switch.

I'm on 7.4.0.2. I could turn off web-ui in general, but I'm pretty weak on the CLI end of things, so would rather not.

I am recording this sort of notice in syslog:

4/29/2015 15:45 10.110.138.13 Error Apr 29 14:46:03 Aruba-S1500-Admin-WIFI.138:PRI-0 httpd: [cgid:error] [pid 9602:tid 98311] [client 203.157.45.75:52554] AH01264: script not found or unable to stat: /mswitch/apache/cgi-bin/php-cgi, referer:

Which I am assuming means some unwanted http traffic was presented to the switch.

Thanks again.

Aruba

Re: ACLs on Mobility Access Switches (MAS)

Ah okay, so you don't really want it to act like a firewall then. Got it. This ACL should work for you, just replace the IP address with your static IP.

!
ip access-list extended BLOCK-WEBUI-ALLOW-ALL
  deny tcp any host 1.1.1.1 eq 443
  deny tcp any host 1.1.1.1 eq 4343
  permit any any any
!

Then apply it to your L3 interface with "ip access-group in BLOCK-WEBUI-ALLOW-ALL". I'm using an extended ACL so that A) I'm doing hardware filtering and B) I'm being specific that it is traffic destined to the switch and not through the switch.

Hope we got it this time.

Best regards,

Madani

Frequent Contributor II

Re: ACLs on Mobility Access Switches (MAS)

Thanks madani. I put that in my config and applied the ip access-group in BLOCK-WEBUI-ALLOW-ALL to the interface gigabitethernet 0/0/18.

I am still able to web into the public address, although at the moment I am inside my network. I will try later from home.

Is a reboot necessary? And speaking of which, is there any way to schedule a reboot? It would be awesome to tell the switch to reboot after hours.

Aruba

Re: ACLs on Mobility Access Switches (MAS)

No, you need to apply it to the L3 interface (aka RVI), like "interface vlan 10", whichever is your public L3 interface. I just ran a quick test on a switch to make sure I didn't typo the original ACL, so it should work. For good measure you can also block port 80, but we just use that as a redirect to 443 and 4343, so if the latter are blocked, you still should NOT get the UI.

Regarding the reload ability, it isn't supported today, but I think there is an idea portal entry for it, so I would submit a vote.

Best regards,

Madani
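Putting the two replies together as one added example (this is not configuration from the thread or from Aruba's own documentation): an extended ACL on the WAN RVI that drops Web-UI (80, 443, 4343) and SSH (22) connections only when they are addressed to the switch's own public IP, while transit traffic is permitted. 203.0.113.10 is a placeholder for the poster's static WAN address, VLAN 99 is their WAN VLAN, and the lines starting with "!" are explanatory annotations, not commands.

```text
!
! Extended ACL: only packets whose destination is the switch's own WAN IP
! are denied, so HTTP/HTTPS/SSH sessions passing THROUGH the switch are
! unaffected. 80 is included because it only redirects to 443/4343.
ip access-list extended BLOCK-MGMT-ALLOW-ALL
  deny tcp any host 203.0.113.10 eq 22
  deny tcp any host 203.0.113.10 eq 80
  deny tcp any host 203.0.113.10 eq 443
  deny tcp any host 203.0.113.10 eq 4343
  permit any any any
!
! Bind it inbound on the L3 interface (RVI) that carries the WAN VLAN,
! not on the physical port (gigabitethernet 0/0/18), or it has no effect
! on traffic to the switch's own address.
interface vlan "99"
   description "WAN-RVI"
   ip address 203.0.113.10 255.255.255.252
   ip access-group in "BLOCK-MGMT-ALLOW-ALL"
!
```

Because the ACL is bound only to the WAN RVI, the internal management VLAN keeps full Web-UI and SSH access; the "permit any any any" at the end is what prevents the implicit deny from blocking transit traffic.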

Frequent Contributor II

Re: ACLs on Mobility Access Switches (MAS)

Got it, and thanks again!

Now I am seeing a slew of [aaa] Authentication failed for user... messages, trying to connect to port 22. I suppose I'm just seeing everybody testing the door?

Aruba

Re: ACLs on Mobility Access Switches (MAS)

Yup. You might want to lock that down too. :)
