Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Limit SNMP & SSH Access

  • 1.  Limit SNMP & SSH Access

    Posted Sep 11, 2013 06:33 PM

    Is there a way to limit SNMP & SSH access via ACL or other method?  Ex: limit SNMP reads from NPM server or SSH access only from management subnet.



  • 2.  RE: Limit SNMP & SSH Access

    Posted Sep 11, 2013 08:48 PM

    Hey CompNerd... Sure you can do this via ACL Policy.  There are different ways to do this.


    Are you thinking of WLAN users trying to access things they shouldn't?  That's the use case I typically see / get asked to protect against.


    Here is an example to block SSH and SNMP from the Guest network.  The methodology shown below can always be employed (regardless of AOS version... aka the most versatile).

     

    You can restrict access for any user role by creating a 'net-destination' and loading in the 'sensitive' interfaces that you don't want users (of any particular flavor) to access.


    JF

     

    Example to prevent GUEST users from using SSH and SNMP to interfaces 10.10.10.2 and 10.10.20.2:

     

    !
    netdestination CONTROLLER-INTERFACES
      host 10.10.10.2
      host 10.10.20.2
    !
    ip access-list session CONTROLLER-INTERFACES
      user alias CONTROLLER-INTERFACES tcp 22 deny
      user alias CONTROLLER-INTERFACES udp 161 deny
    !
    user-role GUEST
      access-list session CONTROLLER-INTERFACES position 1
    !

     

    Alternatively, you can also block on a port-by-port basis instead of roles... let me know if you want an example of that approach.


    JF



  • 3.  RE: Limit SNMP & SSH Access

    Posted Sep 11, 2013 10:27 PM

    JF,

     

    Thanks for the suggestion.  However, role-based access wouldn't stop the majority of our users that are on non-Aruba switches from connecting to the MAS.  With role-based access I could keep anyone directly connected to the switch from hitting SSH/SNMP, but it wouldn't work for upstream users.

     

    Strictly talking about blocking upstream users, I think my only option is to create an ACL and apply it to the uplink port(s) connecting the MAS to the core.  The MAS I'm deploying has only one SVI, for management purposes.  Earlier, I thought I could just add an ACL to the SVI to limit access, but it doesn't appear as though that's possible.

     

    So is adding an ACL to the uplinks the only way I can block remote IPs from connecting to SSH/SNMP?



  • 4.  RE: Limit SNMP & SSH Access

    EMPLOYEE
    Posted Sep 11, 2013 10:31 PM

    That is what we do. We put an ACL on the 2 port-channels to the distribution layer allowing access only from our management IP space.

     

    (attached screenshot: port-channel-acl1.PNG)

    (attached screenshot: switchmgmtacls.PNG)



  • 5.  RE: Limit SNMP & SSH Access

    Posted Sep 11, 2013 11:03 PM

    Thanks for the confirmation and example.  I will move forward with creating an ACL and applying it to our uplink port channel.



  • 6.  RE: Limit SNMP & SSH Access

    Posted Sep 11, 2013 11:09 PM

    Good stuff.

     

    PACL was going to be my next example... go to it ;-)

     

    Good luck.

     

    JF



  • 7.  RE: Limit SNMP & SSH Access
    Best Answer

    EMPLOYEE
    Posted Sep 11, 2013 10:31 PM

    Thecompnerd,

    We currently only support ACLs on user-roles and physical interfaces (PACLs). So yes, adding an ACL to the uplinks is currently the only way to block remote IPs from connecting to SSH/SNMP.

     

    Best regards,

     

    Madani
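As an added illustration (not code from this thread or from HPE Aruba Networking), the Python model below evaluates the two policies discussed here, the guest user-role ACL from post 2 and an uplink PACL of the kind described in posts 4 and 7, as first-match session ACLs with an implicit deny, so the intended allow/deny outcomes can be checked before a policy is pushed to a switch. The MGMT-SUBNET prefix and the probe addresses are assumed values; the CONTROLLER-INTERFACES hosts are JF's.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model: ArubaOS session ACLs are first-match, top to bottom, implicit deny at the end.
NET_DESTINATIONS = {
    "CONTROLLER-INTERFACES": ["10.10.10.2/32", "10.10.20.2/32"],  # hosts from JF's example
    "MGMT-SUBNET": ["10.1.0.0/24"],  # assumed management subnet, not given in the thread
}

@dataclass(frozen=True)
class Rule:
    src: str             # "user", "any" or a netdestination alias
    dst: str
    proto: str           # "tcp", "udp" or "any"
    port: "int | None"   # None matches every port
    action: str          # "permit" or "deny"

def in_alias(ip, name):
    """'user' (the station's own address) and 'any' match everything in this model."""
    if name in ("user", "any"):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in NET_DESTINATIONS[name])

def evaluate(acl, src, dst, proto, port):
    """Action of the first matching rule, or 'deny' from the implicit deny at the end."""
    for r in acl:
        if (in_alias(src, r.src) and in_alias(dst, r.dst)
                and r.proto in (proto, "any") and r.port in (port, None)):
            return r.action
    return "deny"

# Role policy from post 2: guest stations are denied SSH/SNMP to the controller interfaces.
GUEST_ROLE_ACL = [
    Rule("user", "CONTROLLER-INTERFACES", "tcp", 22, "deny"),
    Rule("user", "CONTROLLER-INTERFACES", "udp", 161, "deny"),
    Rule("user", "any", "any", None, "permit"),
]

# Uplink PACL (posts 4 and 7): SSH/SNMP to the switch only from the management subnet.
UPLINK_PACL = [
    Rule("MGMT-SUBNET", "CONTROLLER-INTERFACES", "tcp", 22, "permit"),
    Rule("MGMT-SUBNET", "CONTROLLER-INTERFACES", "udp", 161, "permit"),
    Rule("any", "CONTROLLER-INTERFACES", "tcp", 22, "deny"),
    Rule("any", "CONTROLLER-INTERFACES", "udp", 161, "deny"),
    Rule("any", "any", "any", None, "permit"),  # transit traffic over the uplink is untouched
]

def exposed_paths(acl, sources, services=(("tcp", 22), ("udp", 161))):
    """Audit: (src, proto, port, dst) tuples the ACL still lets reach the management services."""
    targets = [n.split("/")[0] for n in NET_DESTINATIONS["CONTROLLER-INTERFACES"]]
    return [(s, p, port, d) for s in sources for p, port in services for d in targets
            if evaluate(acl, s, d, p, port) == "permit"]
```

Running exposed_paths against a draft PACL with every subnet that can reach the uplink shows at a glance whether anything beyond the management space still lands on SSH or SNMP.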